Signed JWK Sets are part of the OpenID Federation specification and are in production use. For instance, see https://openid.net/specs/openid-federation-1_0.html#name-metadata-extensions-for-jwk and the "keys" registration at https://openid.net/specs/openid-federation-1_0.html#name-registry-contents-7. I believe that should already do what you need. If you believe it doesn't, I'd be curious to discuss why not with you here in Brisbane.
Best wishes,
-- Mike

From: OAuth <oauth-boun...@ietf.org> On Behalf Of Richard Barnes
Sent: Sunday, March 17, 2024 3:55 PM
To: oauth@ietf.org WG <oauth@ietf.org>
Cc: Sharon Goldberg <gol...@bastionzero.com>
Subject: [OAUTH-WG] Signed JWK Sets

Hi all,

A few of us have been considering use cases for JWTs related to Verifiable Credentials and container signing, which require better "proof of authority" for JWT signing keys. Sharon Goldberg and I wrote up a quick specification for how to sign a JWK set, and how you might extend discovery mechanisms to present such a signed JWK set:

https://github.com/bifurcation/redistributable-jwks/blob/main/draft-barnes-oauth-redistributable-jwks.md

(Just in GitHub for now; will publish as an I-D when the window reopens tomorrow.)

If we could get this functionality added to OAuth / OIDC, it would make these use cases work a lot better. As a prelude toward proposing working group adoption, it would be great to know if this design seems helpful to other folks as well. Obviously, happy to answer any questions / comments.

Thanks,
--Richard
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth