  • Federation membership eligibility: The criteria that define if and how Entities are eligible to become members of a given federation are out of scope for the OpenID Federation specification. Typically, eligibility is a mix of technical requirements (which may well be expressible in Entity Configuration, at least in part) and organizational rules (e.g. "Must be an educational institution as indicated by the Ministry of Education"), some of which might also be expressed in Entity Configuration, e.g. by the use of Trust Marks. It is, however, equally feasible that the TA has some additional "internal" rules it uses when assessing eligibility.
  • Trust Mark eligibility: It is the Trust Mark Issuer that decides the eligibility criteria for its Trust Marks. Again, the eligibility criteria may be internally sourced.
  • No right to service: While a TA may be capable of building a trust chain, it is not mandated to do so for everyone who asks for it. The specification already suggests authentication mechanisms which could be required, but more generally other authorization (e.g. IP-based) might also be in place. The same limitation also applies to Trust Mark Issuers and Trust Mark Owners.
  • Federation hierarchy: The hierarchy of the federation may be such that certain Trust Paths cannot be walked at all.