20.4.1.3. Federation Authority Test Matrix¶

This section defines test cases for Federation Authorities (Trust Anchors and Intermediates) responsible for operating the Trust Infrastructure as described in The Infrastructure of Trust. Tests focus on correctness and conformance of:

Entity Configuration (.well-known/openid-federation)
Subordinate Statements returned by /fetch
Federation registry endpoints (/list, /fetch, /trust_mark_status, /historical-jwks)

All validations align with (OID-FED).

Test Case ID	Purpose	Description	Expected Result
FA_001	Discovery, Interoperability	Entity Configuration media type	`GET /.well-known/openid-federation` returns HTTP 200 with `Content-Type: application/entity-statement+jwt`.
FA_002	Security	Entity Configuration signature integrity	The Entity Configuration is a signed JWT; signature verifies using one of the Federation Entity public keys contained in the Entity Configuration `jwks` per OID-FED.
FA_003	Interoperability	Entity Configuration JOSE header parameters	JOSE header contains `alg` (permitted), optional `kid` referencing a key in `jwks`, and `typ` set to `entity-statement+jwt`.
FA_004	Security	Entity Configuration standard claims	Payload includes `iss` and `sub` both equal to the Federation Authority identifier URL; includes `iat` and `exp` as valid Unix timestamps; `exp` > `iat` and current time < `exp`.
FA_005	Security, Interoperability	Entity Configuration common parameters	Payload contains `jwks` and `metadata` with `federation_entity` object including published Federation endpoints as per Trust Infrastructure and Registry Integration.
FA_006	Security	Entity Configuration key material validity	`jwks.keys[*]` entries use permitted algorithms and key sizes; keys are not expired or revoked per `/historical-jwks`; each `kid` is unique.
FA_007	Security	`exp` validation tolerance	Validation rejects Entity Configuration if `exp` is in the past; a maximum clock skew of 120 seconds MAY be applied when comparing current time to `iat`/`exp`.
FA_008	Security	Subordinate Statement signature and lifetime	`GET /fetch?sub={entity}` returns a signed JWT Subordinate Statement; header and payload verify per OID-FED; `iss` equals the issuing Federation Authority; `sub` equals requested entity; `iat`/`exp` valid.
FA_009	Interoperability	Subordinate Statement schema	Subordinate Statement contains the subordinate's public keys (directly or by reference) and applicable metadata policies or metadata, conforming to draft-43 structure.
FA_010	Discovery	Listing subordinates	`GET /list` returns a JSON array or JWT-wrapped list of current subordinate identifiers; response format and media type match the published metadata; HTTP 200.
FA_011	Security	Trust Mark status endpoint	`GET /trust_mark_status?id={tm_id}&sub={entity}` returns current status with HTTP 200 and an integrity-protected object (JWT if advertised). Unknown Trust Mark IDs or subjects return appropriate 4xx.
FA_012	Security	Historical keys endpoint	`GET /historical-jwks` returns revoked/expired keys with revocation reasons. Structure validates as JWKS or JWT-wrapped JWKS per advertised media type.
FA_013	Security	Key rotation propagation	After rotating keys, `/.well-known/openid-federation` and `/historical-jwks` are updated atomically or within a documented maximum propagation window. Verification with the new key succeeds, and the old key appears in historical.
FA_014	Security	Disallow `alg":"none` and weak algorithms	Any Entity Configuration or Subordinate Statement with `alg": "none"` or a disallowed algorithm is rejected; endpoint returns appropriate error (e.g., 400/422).
FA_015	Security	`kid` resolution and mismatch handling	If JOSE header `kid` is present, it matches a key in the current `jwks`; on mismatch, verification fails with clear error.
FA_016	Interoperability	Endpoint discovery from metadata	`federation_entity` metadata in Entity Configuration includes working URLs for `federation_list_endpoint`, `federation_fetch_endpoint`, `federation_trust_mark_status_endpoint`, and `historical-jwks` (if published); each resolves and responds per its contract.
FA_017	Security	Issuer/subject self-consistency	For Entity Configuration, `iss == sub ==` Authority URL; for Subordinate Statements, `iss` is Authority URL and `sub` is subordinate URL; any deviation is rejected.
FA_018	Interoperability	Media type correctness (fetch/list/status)	`/fetch`, `/list`, `/trust_mark_status`, and `/historical-jwks` return the media types declared in `federation_entity` metadata; JWT-wrapped resources use the correct `Content-Type` (e.g., `application/entity-statement+jwt`, `application/jwk-set+jwt`).
FA_019	Security	Statement replay prevention (`jti` optional)	If `jti` is published, repeated use within the validity window is detected and logged or rejected according to policy; otherwise, uniqueness is not required.
FA_020	Security	Metadata policy application (if used)	When metadata policies are used in Subordinate Statements, the resulting effective metadata computed from policy + source metadata conforms to draft-43 rules; conflicts are resolved deterministically.