Define more Entity Type Identifiers / Split federation_entity #262

@zachmann

Description

I know that this was already discussed at some point in time, but I really would like to see this happen and therefore bring it back to the table to have some discussion about it.

I feel that the general federation_entity Entity Type is extremely general and mixes different purposes. It contains metadata for Trust Anchors / Intermediates, Trust Mark Issuers, and every other entity in the federation.

I would suggest defining new Entity Type Identifiers:

  • federation_trust_mark_issuer for Trust Mark Issuers.
  • federation_authority (or something else, I'm open for better terms) for Trust Anchors / Intermediates.
  • federation_resolver for an Entity implementing a resolve endpoint.
    Also keeping federation_entity for the broad and general "Entity in a Federation".

I would split the existing metadata in the following way:

  • federation_trust_mark_issuer: Adopts all the trust mark related metadata, namely:
    • federation_trust_mark_status_endpoint
    • federation_trust_mark_list_endpoint
    • federation_trust_mark_endpoint
  • federation_authority: Adopts all the metadata related to subordinates, namely:
    • federation_fetch_endpoint
    • federation_list_endpoint
  • federation_resolver: Adopts the resolver related metadata, namely:
    • federation_resolve_endpoint
  • federation_entity would keep all other metadata, including all information metadata parameters and:
    • federation_historical_keys_endpoint
    • endpoint_auth_signing_alg_values_supported

I think that this differentiation between those entity types makes sense because:

  • it is semantically more clear
  • it allows better filtering capabilities based on entity type, e.g. in the subordinate listing endpoint
  • it allows better usage of metadata_policies and constraints, e.g. the allowed_entity_types constraint.

I know that this would require breaking changes to implementations; however, we also made some breaking changes recently with trust_mark_id/type, and I believe that it would be beneficial to have more semantic entity types when it comes to the roles in a federation.
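To make the proposed split concrete, here is an added worked example (not code from the issue, from the OpenID Federation specification, or from any implementation) that moves the role-specific parameters out of `federation_entity` exactly as listed above and then shows the two benefits the issue names: filtering a subordinate listing by entity type, and checking an `allowed_entity_types` constraint. The entity identifiers, URLs and function names (`split_federation_entity`, `filter_subordinates`, `violates_allowed_entity_types`) are constructed for the example.

```python
"""Illustration of the proposed federation_entity split.

All entity identifiers, URLs and sample metadata below are constructed for
this example; they are not taken from the specification or any deployment.
"""

# Proposed owner of each role-specific parameter, as listed in the issue.
# Everything not in this table stays under federation_entity.
PROPOSED_OWNER = {
    "federation_trust_mark_status_endpoint": "federation_trust_mark_issuer",
    "federation_trust_mark_list_endpoint": "federation_trust_mark_issuer",
    "federation_trust_mark_endpoint": "federation_trust_mark_issuer",
    "federation_fetch_endpoint": "federation_authority",
    "federation_list_endpoint": "federation_authority",
    "federation_resolve_endpoint": "federation_resolver",
}


def split_federation_entity(metadata: dict) -> dict:
    """Return a new metadata object in which the role-specific parameters of
    federation_entity are moved to the proposed entity types. Other entity
    types (e.g. openid_provider) are copied unchanged."""
    out = {k: dict(v) for k, v in metadata.items() if k != "federation_entity"}
    remaining = {}
    for name, value in metadata.get("federation_entity", {}).items():
        owner = PROPOSED_OWNER.get(name)
        if owner is None:
            remaining[name] = value  # informational metadata, historical keys, ...
        else:
            out.setdefault(owner, {})[name] = value
    out["federation_entity"] = remaining
    return out


def filter_subordinates(entities: dict, entity_type: str) -> list:
    """Entity IDs of subordinates that have metadata for entity_type
    (the kind of filter a subordinate listing endpoint could apply)."""
    return sorted(eid for eid, md in entities.items() if entity_type in md)


def violates_allowed_entity_types(metadata: dict, allowed: list) -> list:
    """Entity types present in metadata but not permitted by an
    allowed_entity_types constraint (empty list means the constraint holds)."""
    return sorted(set(metadata) - set(allowed))


# Constructed sample: a Trust Anchor that is also a Trust Mark Issuer, and an OP.
TRUST_ANCHOR_CURRENT = {
    "federation_entity": {
        "organization_name": "Example Trust Anchor",
        "federation_fetch_endpoint": "https://ta.example.org/fetch",
        "federation_list_endpoint": "https://ta.example.org/list",
        "federation_trust_mark_endpoint": "https://ta.example.org/trust_mark",
        "federation_historical_keys_endpoint": "https://ta.example.org/historical_keys",
    }
}
OP_CURRENT = {
    "federation_entity": {"organization_name": "Example OP"},
    "openid_provider": {"issuer": "https://op.example.org"},
}
SUBORDINATES_CURRENT = {
    "https://ta.example.org": TRUST_ANCHOR_CURRENT,
    "https://op.example.org": OP_CURRENT,
}
# The same subordinates with the proposed entity types applied.
SUBORDINATES_SPLIT = {
    eid: split_federation_entity(md) for eid, md in SUBORDINATES_CURRENT.items()
}

if __name__ == "__main__":
    # Today every entity is a federation_entity, so the filter cannot distinguish roles.
    print(filter_subordinates(SUBORDINATES_CURRENT, "federation_entity"))
    # After the split, only the Trust Anchor matches federation_authority.
    print(filter_subordinates(SUBORDINATES_SPLIT, "federation_authority"))
    # A leaf-only constraint now rejects the authority/issuer roles explicitly.
    print(violates_allowed_entity_types(
        SUBORDINATES_SPLIT["https://ta.example.org"],
        ["federation_entity", "openid_provider"]))
```

The point of the `violates_allowed_entity_types` check is that, with the split, a constraint such as `allowed_entity_types: ["federation_entity", "openid_provider"]` can express "leaf entities only" and reject a subordinate that publishes fetch or trust mark endpoints, which is not expressible while all of those endpoints live under `federation_entity`.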
