Lesson 7 of 15 (Advanced)

πŸ… Trust Marks

Certified badges that prove an entity meets requirements

What's Inside a Trust Mark?

A Trust Mark is a signed JWT[1] that certifies an entity meets specific requirements, much like a health inspection sticker for digital identity. It carries the issuer, the subject, the trust mark type, and optional metadata such as a logo and a reference URL.

{
  "header": {
    "alg": "RS256",
    "typ": "trust-mark+jwt",
    "kid": "tm-key-1"
  },
  "payload": {
    "iss": "https://audit-body.example.com",
    "sub": "https://login.uni.edu",
    "trust_mark_type": "https://edufed.gov/trust-marks/gdpr",
    "iat": 1712000000,
    "exp": 1743536000,
    "logo_uri": "https://edufed.gov/badges/gdpr.png",
    "ref": "https://edufed.gov/compliance/gdpr-requirements"
  }
}

Who Can Issue Trust Marks?

Trust Anchors
Can issue directly; they define the trust mark types.
Authorized Issuers
Listed in trust_mark_issuers in the TA's Entity Configuration.
Delegated Issuers
Authorized by a Trust Mark Owner via a delegation JWT.
Self-Signed
The federation MAY allow entities to self-issue (rare).

Delegation Flow


1. TA defines Trust Mark type

The Trust Anchor defines a Trust Mark type (e.g., https://edufed.gov/trust-marks/gdpr) and declares who may issue it via trust_mark_issuers and/or trust_mark_owners in its Entity Configuration.[1]

Validating a Trust Mark

Validation involves 5 checks[3]; a failure at any step rejects the mark:

1. Verify the JWT signature.
2. Is the issuer trusted? (trust_mark_issuers)
3. Verify the delegation JWT (if present).
4. Check exp: is the mark still valid?
5. Call the Trust Mark Status endpoint.

If all five checks pass, the Trust Mark is VALID.

Sources & References

  1. OpenID Federation 1.0, Section 7.1: Trust Mark Claims
  2. OpenID Federation 1.0, Section 7.2: Trust Mark Delegation
  3. OpenID Federation 1.0, Section 7.3: Validating a Trust Mark