[Openid-specs-ab] last minute request: signature-trust for openidc metadata

John Bradley ve7jtb at ve7jtb.com
Tue May 14 15:20:38 UTC 2013


I support defining an optional element in the discovery document that allows for a JWS representation of the discovery document.

This will allow for Trust providers to sign meta-data that is hosted by the AS in a backwards compatible way allowing for clients participating in trust frameworks to verify extension attributes in the discovery document.

It also helps us with publishing discovery information for hosted domains who can't publish their own .well-known discovery information.

John B.

On 2013-05-14, at 12:14 PM, Leif Johansson <leifj at mnt.se> wrote:

> 
> Hi,
> 
> There are some situations (actually very often) where it is better
> to rely on signature-based trust than on TLS ditto.
> 
> Here is a simple way to introduce signature-based trust in openidc
> webfinger metadata: include a 'sig' key in the response json which
> contains a JWS of the json (wo sig of course).
> 
> If the consumer cares about signatures, it unpacks and validates
> the 'sig' value and replaces the original json with the JWS payload.
> 
> This is fully backwards compatible and although it wastes some bits
> that is probably not a big issue in this case.
> 
> In order to fully remove dependency on the transport it might be
> worth duplicating the original resource (also optionally) in the
> response using the 'res' key.
> 
> Thoughts?
> 
>        Cheers Leif
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
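A worked example of the 'sig' scheme Leif sketches above and John's reply endorses: the provider signs the discovery JSON (minus 'sig') as a compact JWS, publishes it alongside the plain fields, and a signature-aware consumer validates the JWS and uses its payload instead of the outer JSON, so the transport no longer has to be trusted for the metadata's integrity. This is an added example, not code from the thread or from any OpenID project. It assumes HS256 with a constructed shared key as a stand-in for a trust provider's signing key (a real trust framework would publish an asymmetric key and use RS256 or ES256), and the endpoint URLs and discovery fields are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample of an OpenID Connect discovery document (illustrative values only).
SAMPLE_METADATA = {
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/authorize",
    "token_endpoint": "https://op.example.com/token",
    "jwks_uri": "https://op.example.com/jwks.json",
}

# Hypothetical trust-provider key. HS256 keeps the example dependency-free; a real
# deployment would verify against the trust framework's published public key.
SAMPLE_KEY = b"constructed-trust-provider-hmac-key"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_json(obj) -> bytes:
    # Stable serialization so signer and verifier operate on identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def jws_sign_hs256(payload: bytes, key: bytes) -> str:
    """Produce a compact-serialization JWS (header.payload.signature) over payload."""
    header = b64url_encode(canonical_json({"alg": "HS256"}))
    signing_input = f"{header}.{b64url_encode(payload)}".encode("ascii")
    mac = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{signing_input.decode('ascii')}.{b64url_encode(mac)}"


def jws_verify_hs256(token: str, key: bytes) -> bytes:
    """Validate a compact JWS and return its payload bytes; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the expected algorithm: the token must not get to choose (rejects "none"
    # and any attempt to substitute a different key type).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in JWS header")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("JWS signature does not verify")
    return b64url_decode(payload_b64)


def sign_metadata(metadata: dict, key: bytes) -> dict:
    """Provider side: add a 'sig' key holding a JWS of the document without 'sig'."""
    unsigned = {k: v for k, v in metadata.items() if k != "sig"}
    signed = dict(unsigned)
    signed["sig"] = jws_sign_hs256(canonical_json(unsigned), key)
    return signed


def verify_metadata(document: dict, key: bytes) -> dict:
    """Consumer side: validate 'sig' and return the JWS payload as the trusted document.

    Any field in the outer JSON is ignored in favour of the signed payload, which is
    what makes a transport-level modification of the plain fields harmless.
    """
    if "sig" not in document:
        raise ValueError("discovery document carries no 'sig'")
    payload = jws_verify_hs256(document["sig"], key)
    return json.loads(payload)


if __name__ == "__main__":
    published = sign_metadata(SAMPLE_METADATA, SAMPLE_KEY)
    print(json.dumps(published, indent=2))
    print("verified:", verify_metadata(published, SAMPLE_KEY))
```

A consumer that does not know about 'sig' simply reads the plain fields as before, which is the backwards compatibility both messages point to. The optional 'res' duplication of the original resource that Leif mentions is not implemented here; the payload of the JWS already carries a full copy of the signed document.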
