Trustmark Revocation

You are viewing an archival website from the original trustmark pilot in 2013-2016. If you are looking for more recent content about the trustmark framework, please visit the Trustmark Initiative website.

Every trustmark has an expiration date, and a TRP must always check the expiration date (among other things) prior to trusting the TR within the context of a trustmark. Under “normal” circumstances, a TRP can continue trusting and relying on a trustmark until it expires. But sometimes things don’t go as intended, and for some reason the TP must revoke the trustmark prior to its expiration date.

Trustmark revocation may occur for a variety of reasons. Perhaps the TP and TR have decided to nullify the business arrangement under which the trustmark had been issued. Perhaps the TR no longer complies with the trustmark’s conformance criteria. Or perhaps the TR’s trustmark signing key has been compromised. Regardless of the circumstances, somebody needs to notify all of the TRPs that the trustmark is no longer active. But this is a challenge, because neither the TP nor the TR necessarily knows all of the TRPs that are using the trustmark.

We address this challenge as follows. As stipulated in the Trustmark Framework Technical Specification, every trustmark must contain a Status URL that points to a Trustmark Status Report (TSR). A TSR is a very lightweight XML document that lives online at a well-defined URL and contains the latest status of a trustmark. A trustmark’s status may be ACTIVE, REVOKED, or EXPIRED. In addition to the trustmark’s status, a TSR can also optionally contain one or more Superseding Trustmark References, which are URLs that point to new trustmarks issued by the TP to supersede the trustmark that has been revoked.