From 15af4288569b47ccb682adc3b0fa312f174da5a5 Mon Sep 17 00:00:00 2001 From: zachmann Date: Thu, 7 May 2026 08:49:36 +0200 Subject: [PATCH] relax trust mark verification from MUST to SHOULD; #30 --- openid-federation-entity-collection-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-federation-entity-collection-1_0.md b/openid-federation-entity-collection-1_0.md index 945a9ef..82648fc 100644 --- a/openid-federation-entity-collection-1_0.md +++ b/openid-federation-entity-collection-1_0.md 
@@ -161,7 +161,7 @@ If this parameter is not present the server MUST fall back on the upper limit, a - **entity_type**: (OPTIONAL) The value of this parameter is an Entity Type Identifier. The result MUST be filtered to include only those entities that include the specified Entity Type. When multiple `entity_type` parameters are present, for example `entity_type=openid_provider&entity_type=openid_relying_party`, the result MUST be filtered to include all Entities that include any of the specified Entity Types. If the responder does not support this feature, it MUST return an error response with the error code `unsupported_parameter` as defined in [Error Response Format](#error-response-format). -- **trust_mark_type**: (OPTIONAL) The value of this parameter is a Trust Mark Type Identifier. The result MUST be filtered to include only Entities that publish a Trust Mark of this Trust Mark Type in their Entity Configuration and that Trust Mark MUST be verified by the responder. The responder SHOULD verify the Trust Mark using the same Trust Anchor that is used to collect the Entities. When multiple `trust_mark_type` parameters are present, the result MUST be filtered to include only Entities that have a Trust Mark for all the specified Trust Mark Types. +- **trust_mark_type**: (OPTIONAL) The value of this parameter is a Trust Mark Type Identifier. The result MUST be filtered to include only Entities that publish a Trust Mark of this Trust Mark Type in their Entity Configuration and that Trust Mark SHOULD be verified by the responder. When verifying the Trust Mark the responder SHOULD use the same Trust Anchor that is used to collect the Entities. When multiple `trust_mark_type` parameters are present, the result MUST be filtered to include only Entities that have a Trust Mark for all the specified Trust Mark Types. 
If the responder does not support this feature, it MUST return an error response with the error code `unsupported_parameter` as defined in [Error Response Format](#error-response-format). - **trust_anchor**: (RECOMMENDED) The Trust Anchor that the collection endpoint MUST use when collecting Entities. The value is an Entity Identifier. If omitted, the responder sets this parameter to its own Entity Identifier. If the responder does not have a defined Entity Identifier, it MUST return an error response with the error code `invalid_request` as defined in [Error Response Format](#error-response-format). If the requested Trust Anchor is not supported by the responder, it MUST return an error response with the error code `invalid_trust_anchor` as defined in [Error Response Format](#error-response-format).
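Review bot: Downgrading "that Trust Mark MUST be verified by the responder" to "SHOULD be verified" in the `trust_mark_type` bullet leaves the requester with no way to know whether the filtered result set was actually verified, so an Entity presenting a revoked, expired or forged Trust Mark in its Entity Configuration could now satisfy the filter on a responder that chose not to verify. If the relaxation is intended (the commit message cites #30 but the rationale is not in the diff), the same paragraph should say what a requester may assume about the result, for example that the filter is a hint and that the requester MUST still verify Trust Marks itself before relying on them, and the Security Considerations should state that a collection response filtered by `trust_mark_type` is not an assertion that the Trust Marks are valid. The second sentence also reads better if it keeps the verification condition explicit: "If the responder verifies the Trust Mark, it SHOULD use the same Trust Anchor that is used to collect the Entities."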