
Entity registration policy #255

@Razumain


This is an open discussion topic. I'm not 100% clear on whether this should be addressed, or in what way.

We are having a lot of discussions about how to introduce a more collaborative infrastructure in Sweden, where we may see emerging OpenID federation islands between which we eventually want to create bridges through cross linking.

OpenID federation gives us most of the tools we see a need for, but one piece seems missing. We identify the main responsibility of an Intermediate as checking the identity and the federation key of a registered Entity. Trust Marks are handled by Trust Mark Issuers, and the metadata is submitted and signed by the Entity itself. All works as long as the identity and key are validated.

However, we may face a situation where this is done to vastly different security levels. Currently there is no way to learn what type of checks, and to what level of security, were applied by the Intermediate.

If such a declaration were possible, we could apply constraints on chains to only include subordinate statements that meet certain criteria. I think that could be very valuable.

Has anyone else had thoughts in this direction?
What did you conclude?
Should something be added to the core document, or should we rely on custom claims?
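As an added illustration (not code from this issue or from the OpenID Federation specification) of the constraint described above, the following Python sketch evaluates a trust chain against a required registration assurance level. The claim name `registration_assurance` and its values are assumptions standing in for whatever the core document or a custom claim would define; signatures are omitted so the policy check itself is visible.

```python
# Hypothetical claim name; the issue asks whether something like it belongs
# in the core document or in a custom claim. Values are assumed, ordered weak->strong.
ASSURANCE_CLAIM = "registration_assurance"
ASSURANCE_RANK = {"self_asserted": 0, "remote_verified": 1, "in_person_verified": 2}

LEAF = "https://rp.example.se"
INTERMEDIATE = "https://intermediate.example.se"
ANCHOR = "https://anchor.example.se"

# Constructed sample chain: the leaf's entity configuration first, the trust
# anchor's subordinate statement last. Each subordinate statement declares how
# its issuer verified the subject's identity and federation key.
CHAIN = [
    {"iss": LEAF, "sub": LEAF},
    {"iss": INTERMEDIATE, "sub": LEAF, ASSURANCE_CLAIM: "remote_verified"},
    {"iss": ANCHOR, "sub": INTERMEDIATE, ASSURANCE_CLAIM: "in_person_verified"},
]


def chain_is_linked(chain):
    """Structural check: the first statement is self-issued and every later
    statement is issued about the issuer of the statement before it."""
    if not chain or chain[0]["iss"] != chain[0]["sub"]:
        return False
    return all(st["sub"] == prev["iss"] for prev, st in zip(chain, chain[1:]))


def effective_assurance(chain):
    """A chain is only as strong as its weakest subordinate statement.
    A statement that lacks the claim, or carries an unknown value, ranks
    below every declared level (-1) so it can never satisfy a policy."""
    ranks = [ASSURANCE_RANK.get(st.get(ASSURANCE_CLAIM), -1) for st in chain[1:]]
    return min(ranks) if ranks else -1


def accept_chain(chain, minimum):
    """Policy: accept only a well-linked chain in which every subordinate
    statement meets the required registration assurance level."""
    return chain_is_linked(chain) and effective_assurance(chain) >= ASSURANCE_RANK[minimum]
```

Because the result is the minimum over all subordinate statements, a single Intermediate that registered its subordinates with weaker checks lowers what the whole chain can claim, which is exactly what a resolver would want to detect when bridging federation islands.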
