Hi all,

A few of us have been considering use cases for JWTs related to Verifiable Credentials and container signing, which require better "proof of authority" for JWT signing keys. Sharon Goldberg and I wrote up a quick specification for how to sign a JWK set, and how you might extend discovery mechanisms to present such a signed JWK set:

https://github.com/bifurcation/redistributable-jwks/blob/main/draft-barnes-oauth-redistributable-jwks.md

(Just in GitHub for now; will publish as an I-D when the window reopens tomorrow.)

If we could get this functionality added to OAuth / OIDC, it would make these use cases work a lot better. As a prelude toward proposing working group adoption, it would be great to know if this design seems helpful to other folks as well. Obviously, happy to answer any questions / comments.

Thanks,
--Richard
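As an added illustration of the idea in the message above (this is not code from the draft, from Richard, or from the linked repository), the following Go program wraps a JWK set in a compact JWS signed by a separate "authority" key, so a relying party can check who vouches for the keys before using them. The header layout, the ES256 choice, and the key ids are assumptions made for this example; the draft may define a different format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// JWKSet is the structure being signed: the same "keys" array a client would
// normally fetch unauthenticated from a jwks_uri.
type JWKSet struct {
	Keys []map[string]string `json:"keys"`
}

// b64 is base64url without padding, the encoding JWS uses (RFC 7515).
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ecPublicJWK renders a P-256 public key as a JWK (RFC 7518 section 6.2.1).
func ecPublicJWK(pub *ecdsa.PublicKey, kid string) map[string]string {
	x, y := make([]byte, 32), make([]byte, 32)
	pub.X.FillBytes(x)
	pub.Y.FillBytes(y)
	return map[string]string{"kty": "EC", "crv": "P-256", "kid": kid, "x": b64(x), "y": b64(y)}
}

// SignJWKSet wraps the set in a compact JWS signed with ES256. The header
// (alg plus the kid of the authority key) is an assumption for this example.
func SignJWKSet(set JWKSet, authority *ecdsa.PrivateKey, authorityKid string) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": authorityKid})
	payload, err := json.Marshal(set)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, authority, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the raw r||s concatenation (32 bytes each), not DER.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// VerifyJWKSet checks the JWS against a trusted authority key and only then
// returns the contained keys. The alg is pinned rather than taken from the token.
func VerifyJWKSet(token string, trusted *ecdsa.PublicKey) (JWKSet, error) {
	var set JWKSet
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return set, errors.New("malformed compact JWS")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return set, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return set, err
	}
	if hdr.Alg != "ES256" {
		return set, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return set, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(trusted, digest[:], r, s) {
		return set, errors.New("signature invalid: JWK set not vouched for by the trusted authority")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return set, err
	}
	return set, json.Unmarshal(payload, &set)
}

// Demo signs a constructed one-key JWK set with a fresh authority key, verifies
// it, then confirms that a substituted payload and a different verifier key are
// both rejected. Returns (keys recovered, tamper rejected, wrong key rejected).
func Demo() (int, bool, bool, error) {
	authority, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, false, false, err
	}
	issuer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, false, false, err
	}
	set := JWKSet{Keys: []map[string]string{ecPublicJWK(&issuer.PublicKey, "issuer-key-1")}}
	token, err := SignJWKSet(set, authority, "authority-key-1")
	if err != nil {
		return 0, false, false, err
	}
	got, err := VerifyJWKSet(token, &authority.PublicKey)
	if err != nil {
		return 0, false, false, err
	}
	// Substitute a different key in the payload while keeping the original signature.
	parts := strings.Split(token, ".")
	swapped := JWKSet{Keys: []map[string]string{ecPublicJWK(&authority.PublicKey, "issuer-key-1")}}
	sp, _ := json.Marshal(swapped)
	_, tamperErr := VerifyJWKSet(parts[0]+"."+b64(sp)+"."+parts[2], &authority.PublicKey)
	// A verifier trusting some other authority must not accept this set.
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	_, wrongKeyErr := VerifyJWKSet(token, &other.PublicKey)
	return len(got.Keys), tamperErr != nil, wrongKeyErr != nil, nil
}

func main() {
	n, tamper, wrong, err := Demo()
	fmt.Println("keys:", n, "tamper rejected:", tamper, "wrong key rejected:", wrong, "err:", err)
}
```

The design point is that the relying party pins both the algorithm and the authority key it trusts; the signed set is only a container, and the keys inside it are used only after the signature over the whole set has been verified.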
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth