Nicole gave an overview of the discussions held at TIIME the week before and the proposed decision to start looking at Trust Marks within the ecosystem for OIDFed, and to work with the pilot group on testing how these operate. There are four potentially different scenarios to explore, that have different trust paths and needs within the ecosytem:

Consider four examples:

• Trust Mark: member of eduGAIN
• Trust Mark: authenticity of organisation has been verified by federation X / member of federation. 
• Trust Mark: organisation has met the standards required to assert Sirtfi. 
• Trust Mark: an external example (erasmus? ISO?)

Example ideas from UK fed:

This gives an example of where an entity might want to only be published locally and not in eduGAIN. This gives different trust paths. 

3 trust mark scenarios exist in the spec:

• Self issued by the Entity
•  Issued by a Trustmark Issuer (TMI)
• Owned by a Trust mark Owner (TMO), issued by a Trust Mark Issuer, which the TMO has delegated to the TMI

The roles and responsibilities of TMI / TMO in terms of the veracity of information was discussed as this is something we do not necessarily take very seriously in the SAML space. Do federations check that orgs are actually committed to CoCo / Sirtfi? what would it mean for REFEDS to be a trustmark owner? 

The validity period of trustmarks was discussed as a key issue.  Endpoint status is NOT a required element in the spec but a SHOULD. 

federation_trust_mark_status_endpoint (https://openid.net/specs/openid-federation-1_0.html#section-5.1.1-3.8)
OPTIONAL. The Trust Mark Status endpoint described in Section 8.4. Trust Mark Issuers SHOULD publish a federation_trust_mark_status_endpoint. This URL MUST use the https scheme and MAY contain port, path, and query parameter components; it MUST NOT contain a fragment component

What might a reference doc / uri description for a trust mark look like?

We have little experience here. Nicole will reach out to a couple of people who might have access to some examples. 

What might a trust mark look like technically?

{
    "trust_mark_type": "https://github.com/REFEDS/MRPS/",
    "iss": "https://ta.surfconext.nl",
    "sub": "https://leaf.institution.org/op",
    "iat": 1579621160,
    "ref": "https://github.com/REFEDS/MRPS/blob/master/mrps.md"
    "mrps": "https://servicedesk.surf.nl/wiki/spaces/IAM/pages/128910076/Metadata+Registration+Practice+Statement+for+SURFconext"
}

`{`  
        `    "trust_mark_type": "https://refeds.org/trustmarks/md_scope",`  
        `    "iss": "https://ta.federation.org",`  
        `    "sub": "https://leaf.institution.org/op",`  
        `    "iat": 1579621160,`  
        `    "ref": "https://refeds.org/trustmarks/md_scope/index.html",`  
        `    "mdscope": [`  
                `        "institution.org",`  
                `        "student.institution.org",`  
                `        "institution-businessschool.com"`  
        `    ]`  
`}`

Next steps: Nicole. Davide, Casper and Niels to look at drafting out some proposals for the trust mark scenarios defined.