Hi Mike,

Thanks for these links. These do indeed cover a bunch of piece parts, but they're still missing a key point for the use cases, namely: a mechanism for a Relying Party to verify that a signer is authoritative for a given issuer ID.

The OpenID Federation spec assumes that relying parties are configured with a Trust Anchor that represents the federation. (It effectively makes a PKI encoded in JWTs.) OpenID Connect and SD-JWT-VC rely on a domain name PKI (e.g., the Web PKI) instead of a special federation hierarchy. In other words, the "x5c" field in this document is the moral equivalent of the "trust chain" header parameter in OpenID Federation [1]. So there is still a gap here from the perspective of the use cases described in the document.

Given the overlap here, maybe it would be useful to pull the Signed JWK Set bits out of OpenID Federation into an OAuth document to facilitate their re-use elsewhere.

Best,
--Richard

[1] https://openid.net/specs/openid-federation-1_0.html#name-trust-chain-header-paramete

On Mon, Mar 18, 2024 at 9:28 AM Michael Jones <michael_b_jo...@hotmail.com> wrote:
> Also, see the additional key parameter registrations https://openid.net/specs/openid-federation-1_0.html#section-16.8, which can be used to indicate key expiration time, etc.
>
> *From:* Michael Jones
> *Sent:* Sunday, March 17, 2024 7:00 PM
> *To:* Richard Barnes <r...@ipv.sx>; oauth@ietf.org WG <oauth@ietf.org>
> *Cc:* Sharon Goldberg <gol...@bastionzero.com>
> *Subject:* RE: [OAUTH-WG] Signed JWK Sets
>
> Signed JWK Sets are part of the OpenID Federation specification and are in production use. For instance, see https://openid.net/specs/openid-federation-1_0.html#name-metadata-extensions-for-jwk and the "keys" registration at https://openid.net/specs/openid-federation-1_0.html#name-registry-contents-7. I believe that should already do what you need. If you believe it doesn't, I'd be curious to discuss why not with you here in Brisbane.
>
> Best wishes,
>
> -- Mike
>
> *From:* OAuth <oauth-boun...@ietf.org> *On Behalf Of *Richard Barnes
> *Sent:* Sunday, March 17, 2024 3:55 PM
> *To:* oauth@ietf.org WG <oauth@ietf.org>
> *Cc:* Sharon Goldberg <gol...@bastionzero.com>
> *Subject:* [OAUTH-WG] Signed JWK Sets
>
> Hi all,
>
> A few of us have been considering use cases for JWTs related to Verifiable Credentials and container signing, which require better "proof of authority" for JWT signing keys. Sharon Goldberg and I wrote up a quick specification for how to sign a JWK set, and how you might extend discovery mechanisms to present such a signed JWK set:
>
> https://github.com/bifurcation/redistributable-jwks/blob/main/draft-barnes-oauth-redistributable-jwks.md
>
> (Just in GitHub for now; will publish as an I-D when the window reopens tomorrow.)
>
> If we could get this functionality added to OAuth / OIDC, it would make these use cases work a lot better. As a prelude toward proposing working group adoption, it would be great to know if this design seems helpful to other folks as well. Obviously, happy to answer any questions / comments.
>
> Thanks,
>
> --Richard
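The gap Richard describes above is the Relying Party checking that whoever signed a JWK Set is actually authoritative for the issuer ID, with "x5c" playing the role that the trust chain plays in OpenID Federation. The following is an added example, not code from the draft, from the OpenID Federation spec, or from any of the people in this thread. It shows both sides in Go using only the standard library: the issuer signs its JWK Set as an ES256 JWS with its certificate in the x5c header, and the RP accepts the set only if that certificate chains to one of its configured trust anchors and carries a SAN matching the host of the issuer URL; only then does it check the signature. The constructed root and leaf certificates, the host name issuer.example, the function names, and the `{"keys": [...]}` payload layout are all assumptions of this example; a real deployment would rely on a Web PKI chain rather than the fixture built here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// TestPKI is a constructed fixture standing in for a domain-name PKI: a self-signed root that plays the
// Relying Party's trust anchor, and a leaf certificate it issued for the issuer's host name.
type TestPKI struct {
	Anchors *x509.CertPool
	LeafDER []byte            // the signing certificate, carried in the JWS x5c header
	LeafKey *ecdsa.PrivateKey // private key matching LeafDER
}

// NewTestPKI builds the fixture; it is test scaffolding, so a failure panics instead of returning an error.
func NewTestPKI(host string) *TestPKI {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, perr := x509.ParseCertificate(caDER)
	if err != nil || perr != nil {
		panic("cannot build the root certificate fixture")
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, NotBefore: nb, NotAfter: na,
		DNSNames: []string{host}, KeyUsage: x509.KeyUsageDigitalSignature} // the SAN binds this key to the issuer's host
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &TestPKI{Anchors: pool, LeafDER: leafDER, LeafKey: leafKey}
}

// SignJWKSet produces a compact ES256 JWS over a JWK Set ({"keys": [...]}) carrying the signer's certificate
// in the x5c header (RFC 7515 section 4.1.6). The payload shape is this example's choice, not the draft's.
func SignJWKSet(p *TestPKI, keys []map[string]string) (string, error) {
	x5c := []string{base64.StdEncoding.EncodeToString(p.LeafDER)} // x5c entries are plain base64, not base64url
	hdr, _ := json.Marshal(map[string]any{"alg": "ES256", "x5c": x5c})
	body, _ := json.Marshal(map[string]any{"keys": keys})
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, p.LeafKey, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signatures are raw R||S (RFC 7518 section 3.4), not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifySignedJWKSet is the Relying Party side. The signer counts as authoritative for the issuer only if its
// x5c certificate chains to a configured trust anchor AND its SAN names the issuer's host; only then is the
// JWS signature checked and the key set returned.
func VerifySignedJWKSet(jws, issuer string, anchors *x509.CertPool) ([]map[string]string, error) {
	h64, rest, _ := strings.Cut(jws, ".") // compact serialization: header.payload.signature
	p64, s64, _ := strings.Cut(rest, ".")
	hdrRaw, e1 := base64.RawURLEncoding.DecodeString(h64)
	bodyRaw, e2 := base64.RawURLEncoding.DecodeString(p64)
	sig, e3 := base64.RawURLEncoding.DecodeString(s64)
	var hdr struct{ Alg string; X5c []string }
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "ES256" || len(hdr.X5c) == 0 {
		return nil, errors.New("malformed JWS, unsupported alg, or missing x5c") // alg is pinned, never taken from the header
	}
	der, e4 := base64.StdEncoding.DecodeString(hdr.X5c[0]) // x5c[0] is the signer's own certificate
	leaf, e5 := x509.ParseCertificate(der)
	u, e6 := url.Parse(issuer)
	if e4 != nil || e5 != nil || e6 != nil || u.Scheme != "https" || u.Hostname() == "" {
		return nil, errors.New("bad x5c certificate, or issuer is not an https URL")
	}
	// Proof of authority: a path to a trust anchor plus a SAN match on the issuer's host.
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: u.Hostname(), Roots: anchors}); err != nil {
		return nil, errors.New("signer not authoritative for " + issuer + ": " + err.Error())
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256([]byte(h64 + "." + p64))
	if !ok || len(sig) != 64 || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	var body struct{ Keys []map[string]string }
	err := json.Unmarshal(bodyRaw, &body) // the payload is only parsed after the signature checks out
	return body.Keys, err
}
```

The authority check is the `leaf.Verify` call with `DNSName` set: without it, a valid signature proves only possession of some key, not that the key belongs to the issuer, which is exactly the missing piece the message points at. The x5c here holds only the leaf; a production verifier would load the remaining x5c entries into `VerifyOptions.Intermediates` so that Web PKI chains verify. To exercise it, call `NewTestPKI("issuer.example")`, sign a set with `SignJWKSet`, and compare `VerifySignedJWKSet` against the matching issuer URL (accepted), a different host (rejected) and an empty trust anchor pool (rejected).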
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth