In October 2023, we added this text describing signing resource responses:

    These values may be used by other specifications, such as the jwks_uri used to publish public keys the resource server uses to sign resource responses, as described in Section 5.6.2 of [FAPI.MessageSigning <https://drafts.oauth.net/draft-ietf-oauth-resource-metadata/draft-ietf-oauth-resource-metadata.html#FAPI.MessageSigning>].

This uses the jwks_uri and resource_signing_alg_values_supported metadata parameters.

Admittedly, we’re not describing use cases for resource_encryption_alg_values_supported and resource_encryption_enc_values_supported at present. If people feel strongly about it, I’d be willing to remove the encryption parameters since they’re more speculative, but I believe there’s a solid use case for the key set and supported signing algorithms.

What do others think?

-- Mike

From: OAuth <oauth-boun...@ietf.org> On Behalf Of Brian Campbell
Sent: Tuesday, April 2, 2024 2:45 PM
To: Vladimir Dzhuvinov <vladi...@connect2id.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata

I've had questions similar to Vladimir's* and do still think that some additional context or clarification or something in the document would be helpful.

* https://mailarchive.ietf.org/arch/msg/oauth/LA6sqNOV98D7wP44p2Hl6dpSmtg/

On Thu, Mar 28, 2024 at 2:57 PM Vladimir Dzhuvinov <vladi...@connect2id.com> wrote:

I have a question about the parameters: resource_signing_alg_values_supported, resource_encryption_alg_values_supported, resource_encryption_enc_values_supported.

I'm not sure how to interpret "content". Where the algorithms, if advertised, get to apply. Is this something that resources / applications will define, depending on the resource characteristics?

If we take JWE for instance, it could be used for 3 things at least. To encrypt bearer JWTs to access the resource, in addition to encrypting request and response payloads.

Vladimir

On 27/03/2024 14:53, Rifaat Shekh-Yusef wrote:

All,

This is a WG Last Call for the OAuth 2.0 Protected Resource Metadata document.
https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-03.html

Please, review this document and reply on the mailing list if you have any comments or concerns, by April 12.

Regards,
Rifaat & Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
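
One way a client could apply the two parameters discussed in this thread (jwks_uri and resource_signing_alg_values_supported) before verifying a signed resource response. This is an added example, not part of the thread or the draft; it assumes the response arrives as a compact JWS, and the metadata values, key set, key IDs and function names are constructed for illustration.

```python
import base64
import json

# Constructed metadata; only the two parameter names come from the thread.
METADATA = {
    "jwks_uri": "https://rs.example.com/jwks.json",
    "resource_signing_alg_values_supported": ["PS256", "ES256"],
}
# Constructed key set as fetched from jwks_uri; key material is a placeholder.
JWKS = {"keys": [
    {"kty": "RSA", "kid": "rs-key-1", "use": "sig", "n": "PLACEHOLDER", "e": "AQAB"},
    {"kty": "EC", "kid": "rs-key-2", "use": "sig", "crv": "P-256",
     "x": "PLACEHOLDER", "y": "PLACEHOLDER"},
]}
# Key type each asymmetric alg requires. Symmetric algs and "none" are absent,
# so a public key from jwks_uri can never be used as an HMAC secret.
ALG_KTY = {"RS256": "RSA", "PS256": "RSA", "ES256": "EC", "EdDSA": "OKP"}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_jws(header):
    """Build an unsigned, constructed compact JWS for exercising the check."""
    return ".".join([_b64url(json.dumps(header).encode()), _b64url(b"{}"), _b64url(b"sig")])

def select_verification_key(compact_jws, metadata, jwks):
    """Return the JWK a JOSE library should verify with, or raise ValueError."""
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    head = parts[0]
    header = json.loads(base64.urlsafe_b64decode(head + "=" * (-len(head) % 4)))
    alg, kid = header.get("alg"), header.get("kid")
    advertised = metadata.get("resource_signing_alg_values_supported", [])
    # Trust the metadata, not the token: alg must be advertised AND asymmetric.
    if not isinstance(alg, str) or alg not in advertised or alg not in ALG_KTY:
        raise ValueError(f"alg {alg!r} not acceptable for this resource")
    for jwk in jwks["keys"]:
        if jwk.get("kid") == kid and jwk.get("kty") == ALG_KTY[alg] \
                and jwk.get("use", "sig") == "sig":
            return jwk
    raise ValueError(f"no {ALG_KTY[alg]} signing key with kid {kid!r}")
```

The returned JWK and the checked alg are what would be handed to a JOSE library for the actual signature verification, which this sketch does not perform.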