Skip to main content

3. Trust Model

This section preserves the RFC text for MATF, including federation trust model, metadata repository, public key pinning, JSON/JWS metadata, usage scenarios, deployments, security considerations, and JSON Schema.

3.  Trust Model

The MATF framework operates on a trust model that is central to its
design and functionality. This section outlines the key components
of this trust model and its implications for federation members and
the federation operator.

3.1. Role of the Federation Operator

The federation operator plays a critical role in the MATF framework.
This entity is responsible for:

* Managing the central trust anchor, which is used to establish
trust across different domains within the federation.

* Vetting federation members to ensure they meet the required
standards and policies.

* Maintaining and securing the federation metadata, which includes
public key pins [RFC7469], issuer certificates, and other
essential information.

Additionally, the federation operator SHOULD develop their own threat
models to proactively identify potential risks and threats. This
process involves examining the operating environment, evaluating both
internal and external threats, and understanding how vulnerabilities
can be exploited. The goal of the threat model is to enable the
federation operator to establish mitigation strategies that address
the identified risks.

The security and stability of the federation rely on the integrity
and competence of the federation operator. Members must be able to
fully trust this central authority, as its role is essential to
maintaining the federation's reliability and security.

3.2. Federation Members' Responsibilities

Federation members share the responsibility of maintaining trust and
security within the federation.

Their responsibilities include:

* Adhering to the federation's security policies and procedures.

* Ensuring the accuracy and timeliness of their metadata
submissions.

* Cooperating with the federation operator's vetting and security
measures.

By fulfilling these responsibilities, federation members help sustain
the trust framework that enables secure and reliable communication
within the federation.

Federation members submit member metadata to the federation. As part
of federation operations, the federation MUST ensure the authenticity
and integrity of submitted member metadata and the authenticity of
the submitting member.

3.3. Chain of Trust

Each federation operates within a trust framework that encompasses
its own security policies and procedures. This framework is designed
to ensure the integrity, authenticity, and confidentiality of
communications within the federation. Key components of this
framework include:

* Public key pinning [RFC7469] and preloading to thwart on-path
attacks by rejecting peers whose public key in the presented
certificate does not match a pin published in the federation
metadata.

* Regular updates and verification of federation metadata to prevent
the use of outdated or compromised information.

The federation operator aggregates, signs, and publishes the
federation metadata, which combines all members' member metadata
along with additional federation-specific information. By placing
trust in the federation and its associated federation metadata
signature verification key, federation members trust the information
contained within the federation metadata.

The trust anchor for the federation is established through the
federation metadata signature verification key, a critical component
requiring secure distribution and verification. To achieve this, the
signature verification key material is distributed using a JSON Web
Key (JWK) Set [RFC7517], providing a flexible framework for exposing
multiple public keys, including the current signature verification
key and keys for rollover. This structured approach ensures members
can readily access the necessary keys for verification purposes.

An additional layer of security is introduced through thumbprint
verification [RFC7638], where federation members can independently
verify the key's authenticity. This involves comparing the
calculated cryptographic thumbprint of the key with a trusted value,
ensuring its integrity. Importantly, this verification process can
be conducted through channels separate from the JWK Set itself,
enhancing security by eliminating reliance on a single distribution
mechanism.

This trust framework is essential for enabling seamless and secure
interoperability across different trust domains within the
federation.

3.4. Member Vetting

To ensure the security and integrity of the MATF framework, a member
vetting process is essential. Detailed vetting processes are beyond
the scope of this document but can be guided by established
frameworks such as eIDAS and eduGAIN.

The following are non-normative references to established frameworks:

* eIDAS: The eIDAS regulation can provide guidance for member
vetting and identity assurance practices.

* eduGAIN: eduGAIN is an interfederation service connecting identity
federations worldwide, primarily within the research and education
sector. eduGAIN documentation on participation requirements and
federation practices can inform member vetting processes
[eduGAIN].

3.5. Metadata Authenticity

Ensuring the authenticity of metadata is necessary for maintaining
the security and trustworthiness of the MATF framework. This
document specifies mechanisms for protecting and verifying the
authenticity of federation metadata, including JWS signing.
Operational procedures for authenticating member metadata submissions
are outside the scope of this document and are defined by the
federation operator or applicable regulatory bodies.