...

  • Entity Category: In OpenID Federation, a Trustmark is the defined way to signal certain behaviour of entities. A Trustmark is issued by a Trustmark Issuer, which in turn must be acknowledged in the Trust Anchor (TA) metadata to signal that the Trustmark is part of the federation. A TA may set rules requiring that a Trustmark be present in the entity metadata, which in turn makes holding the Trustmark mandatory for entities before a trust chain can be established. The presence of a Trustmark may also be used to filter OPs in support of the discovery process. Trustmarks may be self-issued, in which case they still need to be listed at the TA. A Trustmark may also be owned by a Trustmark Owner outside of the federation, who delegates its issuance: the Trustmark Owner provides a delegation JWT to a Trustmark Issuer so that it can prove the legitimate issuance of Trustmarks.
    One critical difference between Entity Categories and Trustmarks is that the same Trustmark cannot be both self-issued and issued by a Trustmark Issuer.
  • Assurance Certification: Signalling assurance certifications may be done using so-called Trustmarks.
  • Profiles: Signalling certain behaviour as part of a transaction is generally covered in the underlying standards like OpenID Connect and OAuth 2.0, e.g. by scopes and claims. The capability for signalling is usually available; however, the semantics may need to be adopted.
  • Metadata Extension: Providing an extension to existing metadata profiles is allowed in the OpenID Federation specification. For broad acceptance and implementation of an extension it may be necessary to engage with the OpenID Foundation, e.g. via the RandE working group.
  • Frameworks: Currently these are basically assurance frameworks, which provide a structured means of describing or defining the main sources of assurance provided within the federation by the member entities or the federation itself.
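As an added illustration of the Trustmark rules in the Entity Category bullet (this is example code written for this page, not code from the working group or from any OpenID Federation implementation), the Python sketch below evaluates one entity's Trustmarks against a Trust Anchor: the issuer must be acknowledged in the TA's `trust_mark_issuers`, a self-issued mark is only accepted when the TA lists the entity itself as issuer, and a mark whose id is owned (`trust_mark_owners`) must carry a `delegation` JWT signed by the Trustmark Owner. Assumptions: an HS256 shared-secret JWS stands in for the asymmetric JWS a real federation uses, the claim names and `typ` values follow the OpenID Federation 1.0 draft as the author of this example understands it, and all entity identifiers and trust mark ids are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# --- minimal HS256 JWS; a stand-in for the asymmetric JWS used in real federations ---

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes, typ: str) -> str:
    header = {"alg": "HS256", "typ": typ}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(mac)

def peek_claims(token: str) -> dict:
    """Unverified payload, used only to pick the verification key by 'iss'."""
    return json.loads(_unb64(token.split(".")[1]))

def verify(token: str, key: bytes, typ: str, now: int) -> dict:
    """Check signature, typ header and expiry; return the claims or raise ValueError."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("signature does not verify")
    if json.loads(_unb64(head)).get("typ") != typ:
        raise ValueError("wrong typ header")
    claims = json.loads(_unb64(body))
    if claims.get("exp", now + 1) <= now:
        raise ValueError("expired")
    return claims

# --- the policy checks described in the Entity Category bullet ---

def evaluate_trust_marks(entity_config: dict, ta_config: dict, keys: dict, now: int):
    """Return (accepted trust mark ids, rejection reasons) for one entity configuration."""
    accepted, reasons = set(), []
    issuers = ta_config.get("trust_mark_issuers", {})   # id -> list of acknowledged issuers
    owners = ta_config.get("trust_mark_owners", {})     # id -> {"sub": owner entity id}
    for entry in entity_config.get("trust_marks", []):
        tm_id, token = entry["id"], entry["trust_mark"]
        try:
            iss = peek_claims(token).get("iss")
            allowed = issuers.get(tm_id)
            # Unknown id, or an issuer the TA never acknowledged (covers the self-issued case too)
            if allowed is None or (allowed and iss not in allowed):
                raise ValueError(f"issuer {iss} not acknowledged by TA")
            claims = verify(token, keys[iss], "trust-mark+jwt", now)
            if claims["sub"] != entity_config["sub"] or claims["id"] != tm_id:
                raise ValueError("sub/id mismatch")
            if tm_id in owners:  # owned mark: issuer must prove delegation from the owner
                owner = owners[tm_id]["sub"]
                if "delegation" not in claims:
                    raise ValueError("owned trust mark carries no delegation")
                deleg = verify(claims["delegation"], keys[owner], "trust-mark-delegation+jwt", now)
                if deleg["iss"] != owner or deleg["sub"] != iss or deleg["id"] != tm_id:
                    raise ValueError("delegation does not match owner/issuer/id")
            accepted.add(tm_id)
        except (ValueError, KeyError) as err:
            reasons.append(f"{tm_id}: {err}")
    return accepted, reasons

def admitted(entity_config: dict, ta_config: dict, keys: dict, required: set, now: int) -> bool:
    """True when every trust mark the TA mandates is present and valid."""
    accepted, _ = evaluate_trust_marks(entity_config, ta_config, keys, now)
    return required <= accepted

# --- constructed sample federation (placeholder names, shared secrets only for the demo) ---
NOW = 1_700_000_000
KEYS = {
    "https://tmi.example": b"issuer-secret",
    "https://owner.example": b"owner-secret",
    "https://op.example": b"op-secret",
}
ASSURANCE = "https://federation.example/trust-marks/assurance-high"
RESEARCH = "https://federation.example/trust-marks/research-scholarship"
TA_CONFIG = {
    "sub": "https://ta.example",
    "trust_mark_issuers": {ASSURANCE: ["https://tmi.example"], RESEARCH: ["https://op.example"]},
    "trust_mark_owners": {ASSURANCE: {"sub": "https://owner.example"}},
}

def issue_trust_mark(tm_id: str, issuer: str, subject: str, delegation: str = None) -> dict:
    claims = {"iss": issuer, "sub": subject, "id": tm_id, "iat": NOW, "exp": NOW + 86400}
    if delegation:
        claims["delegation"] = delegation
    return {"id": tm_id, "trust_mark": sign(claims, KEYS[issuer], "trust-mark+jwt")}

DELEGATION = sign({"iss": "https://owner.example", "sub": "https://tmi.example", "id": ASSURANCE, "iat": NOW},
                  KEYS["https://owner.example"], "trust-mark-delegation+jwt")

GOOD_OP = {"sub": "https://op.example", "trust_marks": [
    issue_trust_mark(ASSURANCE, "https://tmi.example", "https://op.example", DELEGATION),
    issue_trust_mark(RESEARCH, "https://op.example", "https://op.example"),  # self-issued, listed at the TA
]}
BAD_OP = {"sub": "https://op.example", "trust_marks": [
    issue_trust_mark(ASSURANCE, "https://tmi.example", "https://op.example"),  # owned mark, no delegation
    issue_trust_mark("https://federation.example/trust-marks/unlisted", "https://op.example", "https://op.example"),
]}

if __name__ == "__main__":
    print(evaluate_trust_marks(GOOD_OP, TA_CONFIG, KEYS, NOW))
    print(evaluate_trust_marks(BAD_OP, TA_CONFIG, KEYS, NOW))
```

The key lookup by the unverified `iss` claim is the usual pattern: the claim only selects which key to try, and nothing from the token is trusted until the signature over it verifies. Rejection reasons are collected rather than raised so a federation operator can log why an entity failed the TA's policy.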

...