[Openid-specs-ab] last minute request: signature-trust for openidc metadata
Leif Johansson
leifj at mnt.se
Tue May 14 10:14:30 UTC 2013
Hi,
There are some situations (actually very often) where it is better
to rely on signature-based trust than on TLS ditto.
Here is a simple way to introduce signature-based trust in openidc
webfinger metadata: include a 'sig' key in the response json which
contains a JWS of the json (w/o sig of course).
If the consumer cares about signatures, it unpacks and validates
the 'sig' value and replaces the original json with the JWS payload.
This is fully backwards compatible and although it wastes some bits
that is probably not a big issue in this case.
In order to fully remove dependency on the transport it might be
worth duplicating the original resource (also optionally) in the
response using the 'res' key.
Thoughts?
Cheers Leif
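The sign-then-verify flow sketched in the message, as an added example that is not part of the original post or of any OpenID spec. It assumes HS256 with a shared key only so it runs on the standard library (a real deployment would use an asymmetric JWS alg such as RS256 and a published key); the webfinger document, key and function names are constructed.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jws_sign(payload: bytes, key: bytes) -> str:
    """Compact JWS over payload; HS256 is an assumption for this demo."""
    header = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    signing_input = f"{header}.{b64url(payload)}"
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"


def jws_verify(token: str, key: bytes) -> bytes:
    """Return the payload only if alg is the expected one and the MAC matches."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects 'none' and alg confusion
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return b64url_decode(payload_b64)


def publish(metadata: dict, key: bytes) -> dict:
    """Provider side: add 'sig', a JWS over the response without 'sig'."""
    unsigned = {k: v for k, v in metadata.items() if k != "sig"}
    payload = json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()
    return dict(unsigned, sig=jws_sign(payload, key))


def consume(response: dict, key: bytes) -> dict:
    """Consumer side: validate 'sig' and use the JWS payload, not the outer json."""
    if "sig" not in response:
        raise ValueError("unsigned metadata rejected")
    return json.loads(jws_verify(response["sig"], key))


# Constructed sample webfinger document and key for the demo.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_METADATA = {
    "subject": "acct:alice@example.com",
    "links": [{"rel": "http://openid.net/specs/connect/1.0/issuer",
               "href": "https://op.example.com"}],
}
```

Because the consumer replaces the response with the JWS payload, edits to the outer json in transit are simply ignored, while a bad or missing 'sig' is rejected.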