Trustmark Revocation

Every trustmark has an expiration date, and a TRP must always check the expiration date (among other things) prior to trusting the TR within the context of a trustmark. Under “normal” circumstances, a TRP can continue trusting and relying on a trustmark until it expires. But sometimes things don’t go as intended, and for some reason the TP must revoke the trustmark prior to its expiration date.

Trustmark revocation may occur for a variety of reasons. Perhaps the TP and TR have decided to nullify the business arrangement under which the trustmark had been issued. Perhaps the TR no longer complies with the trustmark’s conformance criteria. Or perhaps the TR‘s trustmark signing key has been compromised. Regardless of the circumstances, somebody needs to notify all of the TRPs that the trustmark is no longer active. But this is a challenge, because neither the TP nor the TR necessarily knows all of the TRPs that are using the trustmark.

We address this challenge as follows. As stipulated in our Trustmark Framework Technical Specification, every trustmark must contain a Status URL that points to a Trustmark Status Report (TSR). A TSR is a very lightweight XML document that lives online at a well-defined URL and contains the latest status of a trustmark. A trustmark’s status may be ACTIVE, REVOKED, and EXPIRED. In addition to the trustmark’s status, a TSR can also optionally contain one or more Superseder Trustmark References, which are URLs that point to new trustmarks issued by the TP to supersede the trustmark that has been revoked.