> On 12 Apr 2024, at 03:16, Ethan Heilman wrote:
>
>
> Hi Neil,
>
> I agree that PIKA would not protect against an attacker compromising a JWKS
> URI via a mis-issued TLS cert.
>
> I was thinking of a simpler attack where the attacker compromises the server
> where a JWKS URI is hosted or
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
The mechanism in the draft provides some separation between the trust
establishment and distribution which is useful. This is definitely
applicable to the use cases described in the draft and I agree with Ethan
that it can help in other areas as well depending upon how things are
deployed. I supp
Hi Neil,
I agree that PIKA would not protect against an attacker compromising a JWKS
URI via a mis-issued TLS cert.
I was thinking of a simpler attack where the attacker compromises the
server where a JWKS URI is hosted or the JWKS is stored. For instance
consider a JWKS which is read from a dat
On 11 Apr 2024, at 01:12, Ethan Heilman wrote:
>
> I want to voice my support for this draft: Proof of Issuer Key Authority
> (PIKA). The ability to reason about the past validity of JWKS is extremely
> useful for using OIDC in signing CI artifacts and e2e encrypted
> messaging. This includes w