Update trust_anchor validation rules

selfissued · selfissued · commit 248f679da85c · 2025-11-01T13:22:07.000-04:00
diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml
@@ -930,11 +930,14 @@
 	      </t>
 	      <t>
 		If the <spanx style="verb">trust_anchor</spanx> Claim is present,
-		validate that its value is an Entity Identifier.
-		Implementations MAY retrieve the Entity Configuration for the
-		Entity Identifier and validate that it is a Trust Anchor,
-		and they MAY also validate that it is the Trust Anchor
-		used for the Explicit Registration.
+		validate that its value is a URL
+		using the <spanx style="verb">https</spanx> scheme.
+		Implementations MAY validate that the Entity Identifier matches
+		one of the Trust Anchors configured for the deployment.
+		Furthermore, implementations MAY validate that the
+		Entity Configuration for the Entity Identifier contains
+		information compatible with the configured Trust Anchor information
+		- especially the keys.
 		This Claim MUST NOT be present in Entity Statements that are not
 		Explicit Registration responses.
 	      </t>
