[Openid-specs-ab] Issue #1181: SIOP Issue 3 - Support for attesting keys from the past (openid/connect)

Tobias Looker issues-reply at bitbucket.org
Fri Jul 31 23:51:35 UTC 2020

New issue 1181: SIOP Issue 3 - Support for attesting keys from the past

Tobias Looker:

Currently, as per the SIOP specification today, the `sub` field of the id token returned in a [SIOP response](https://openid.net/specs/openid-connect-core-1_0.html#SelfIssuedResponse) is required to be the JWK thumbprint of the `sub_jwk` value that must also be present in the response. This relationship therefore prevents cryptographic good practice by eliminating the ability to perform key rotation of the `sub_jwk` value without creating another `sub` value (hence a new identity to relying parties). This point is summarized in slides 8 to 12 of the [presentation](https://drive.google.com/file/d/1aNwQfDhnpt18MyEp_yztGB1KBn-7v3xA/view?usp=sharing) I did at SIOP meetup #2.

Essentially, the suggested resolution (captured on slide 10) is that there needs to be a breaking change to this statement in SIOP that redefines it to allow for key rotation.
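The coupling the issue describes, shown as an added example that is not part of the original post and not the spec's or any project's own code. It implements the RFC 7638 thumbprint (required members only, lexicographically sorted, compact JSON, SHA-256, base64url without padding), builds the `sub`/`sub_jwk` pair a self-issued id token carries under the current rule, and then walks through a key rotation both ways: keeping the old `sub` with the new key fails the relying party's check, and following the spec yields a `sub` the relying party has never seen. The two P-256 public keys are constructed sample values (the thumbprint computation does not verify that they are points on the curve), the `kid`/`use` members are there to show they are ignored, and `https://self-issued.me` is the `iss` value OpenID Connect Core assigns to self-issued OPs.

```python
import base64
import hashlib
import hmac
import json

# RFC 7638 section 3.2: only these members enter the thumbprint, in
# lexicographic order, serialized as compact JSON with no whitespace.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),  # RFC 8037 (Ed25519 / X25519 keys)
}


def b64url_nopad(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def thumbprint_input(jwk: dict) -> bytes:
    """The exact byte string RFC 7638 hashes: required members only, sorted, compact."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    try:
        canonical = {name: jwk[name] for name in REQUIRED_MEMBERS[kty]}
    except KeyError as missing:
        raise ValueError(f"JWK is missing required member {missing}") from None
    # sort_keys + compact separators gives precisely the serialization the RFC requires
    return json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 JWK thumbprint, base64url-encoded (43 characters)."""
    return b64url_nopad(hashlib.sha256(thumbprint_input(jwk)).digest())


def self_issued_claims(jwk: dict) -> dict:
    """Build the sub / sub_jwk pair a SIOP id token must carry under the current rule."""
    return {"iss": "https://self-issued.me", "sub": jwk_thumbprint(jwk), "sub_jwk": jwk}


def sub_binds_to_sub_jwk(claims: dict) -> bool:
    """Relying-party check of the current SIOP rule: sub == thumbprint(sub_jwk)."""
    try:
        return hmac.compare_digest(claims["sub"], jwk_thumbprint(claims["sub_jwk"]))
    except (KeyError, TypeError, ValueError):
        return False


def same_subject(claims_a: dict, claims_b: dict) -> bool:
    """What a relying party keys identity on: the sub value and nothing else."""
    return claims_a.get("sub") == claims_b.get("sub")


# Two P-256 public keys standing in for a holder's key before and after rotation.
# The coordinate strings are constructed sample values; thumbprinting does not
# check that they are valid curve points, so any well-formed base64url works here.
KEY_V1 = {"kty": "EC", "crv": "P-256", "kid": "holder-key-1", "use": "sig",
          "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
          "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
KEY_V2 = {"kty": "EC", "crv": "P-256", "kid": "holder-key-2", "use": "sig",
          "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
          "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}


def rotation_demo() -> dict:
    """Rotate KEY_V1 -> KEY_V2 and report what the relying party observes."""
    before = self_issued_claims(KEY_V1)
    # Option 1: present the new key but keep the old sub -> fails the RP's check.
    keep_sub = dict(before, sub_jwk=KEY_V2)
    # Option 2: follow the spec -> sub changes, and the RP sees a different subject.
    after = self_issued_claims(KEY_V2)
    return {
        "before_valid": sub_binds_to_sub_jwk(before),
        "keep_sub_valid": sub_binds_to_sub_jwk(keep_sub),
        "after_valid": sub_binds_to_sub_jwk(after),
        "subject_survives_rotation": same_subject(before, after),
    }


if __name__ == "__main__":
    print(rotation_demo())
```

The `rotation_demo` result is the whole problem in four booleans: the only response that passes the relying party's check after rotation is the one whose `sub` no longer matches the subject the relying party already knows. Any redefinition that allows rotation has to break the `sub == thumbprint(sub_jwk)` equality that `sub_binds_to_sub_jwk` enforces, which is why the post calls it a breaking change.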

