§07 Lesson · Advanced

Trust Marks

Certified badges that prove an entity meets requirements

9 min read · Last reviewed 2026-06-05 · Advanced

What's Inside a Trust Mark?

A Trust Mark is a signed JWT (§7.1) that certifies an entity meets specific requirements — like a health inspection sticker for digital identity. It names the issuer (iss), the subject (sub) and the trust mark type (trust_mark_type), plus optional metadata such as a logo and a reference URL.

{
  "header": {
    "alg": "RS256",
    "typ": "trust-mark+jwt",
    "kid": "tm-key-1"
  },
  "payload": {
    "iss": "https://audit-body.example.com",
    "sub": "https://login.uni.edu",
    "trust_mark_type": "https://edufed.gov/trust-marks/gdpr",
    "iat": 1712000000,
    "exp": 1743536000,
    "logo_uri": "https://edufed.gov/badges/gdpr.png",
    "ref": "https://edufed.gov/compliance/gdpr-requirements"
  }
}

Who Can Issue Trust Marks?

Trust Anchors
Can issue directly — they define the trust mark types.
Authorized Issuers
Listed in trust_mark_issuers in the TA's Entity Configuration.
Delegated Issuers
Authorized by a Trust Mark Owner via a delegation JWT.
Self-Signed
The federation MAY allow entities to self-issue (rare).

Delegation Flow

When the original Trust Mark Owner is not the issuing party, a delegation chain is required (§7.2).

1. TA defines Trust Mark type

The Trust Anchor defines a Trust Mark type (e.g., https://edufed.gov/trust-marks/gdpr) and declares who may issue it via trust_mark_issuers and/or trust_mark_owners in its Entity Configuration.

Validating a Trust Mark

Validation involves 5 checks (§7.3) — a failure at any step rejects the mark:

1. Verify the JWT signature
2. Is the issuer trusted? (listed in trust_mark_issuers)
3. Verify the delegation JWT (if present)
4. Check exp: is the mark still valid?
5. Call the Trust Mark Status endpoint

All five checks passed: the Trust Mark is valid.