New issue 1641: feat: [Federation] endpoint for historical federation jwks
https://bitbucket.org/openid/connect/issues/1641/feat-federation-endoint-for-historical
Giuseppe De Marco:
In Italy we analyzed the problem of historical authentication and the problem of repudiation if in a federation we don't have a historical registry of the public keys of the participants.
Having defined how a trust chain makes the proof of the validity of all the statements in it, we may only need a historical registry of the TA's public keys, published by the TA to a specialized endpoint.
Scenario
An RP has authenticated a user to an OP, in a second moment both RP and TA change their keys and the RP repudiates the authorization made to the OP.
I'd like to start a discussion with you about the possibility to have a jwks historical registry in the Federation specs.
We may consider a new endpoint, mandatory for the TA, that publishes all the federation jwks used in its ECs over time:
Request
```
GET /.well-known/openid-federation-jwks HTTP/1.1
Host: ta.example.it
```
Response
```
{
  "jwks": {
    "keys": [
      {
        "kty": "RSA",
        "n": "5s4qi …",
        "e": "AQAB",
        "kid": "2HnoFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs"
      },
      {
        "kty": "RSA",
        "n": "ng5jr …",
        "e": "AQAB",
        "kid": "8KnoFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMJJr"
      }
    ]
  }
}
```
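An added example (not part of the issue, the spec, or any implementation) of how a verifier would use such a registry in the repudiation scenario above: an old statement signed with a TA key that has since been rotated is resolved against the current jwks first and then against the historical jwks, and a kid the TA never published is rejected outright. The RSA keys are constructed from Mersenne primes so the block runs offline with only the standard library; a real deployment would use a JOSE library and keys from a proper generator.

```python
import base64, hashlib, json

def B64(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def UNB64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
SHA256_ID = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo prefix

def make_key(kid, p_exp, q_exp):
    """Constructed toy key from Mersenne primes 2^p-1 and 2^q-1 (demo only, trivially factorable)."""
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    return {"kid": kid, "n": p * q, "e": 65537, "d": pow(65537, -1, (p - 1) * (q - 1))}

def public_jwk(key):
    """The public JWK as it would appear in the TA's current or historical jwks."""
    nb = (key["n"].bit_length() + 7) // 8
    return {"kty": "RSA", "kid": key["kid"], "n": B64(key["n"].to_bytes(nb, "big")),
            "e": B64(key["e"].to_bytes(3, "big"))}

def _emsa(signing_input, k):  # EMSA-PKCS1-v1_5 with SHA-256, returned as an integer
    t = SHA256_ID + hashlib.sha256(signing_input).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign_rs256(claims, key):
    head = B64(json.dumps({"alg": "RS256", "kid": key["kid"]}).encode())
    body = B64(json.dumps(claims).encode())
    k = (key["n"].bit_length() + 7) // 8
    sig = pow(_emsa(f"{head}.{body}".encode(), k), key["d"], key["n"])
    return f"{head}.{body}.{B64(sig.to_bytes(k, 'big'))}"

def verify_rs256(jws, jwk):
    head, body, sig = jws.split(".")
    n, e = (int.from_bytes(UNB64(jwk[x]), "big") for x in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(UNB64(sig), "big"), e, n) == _emsa(f"{head}.{body}".encode(), k)

def resolve_key(jws, current_jwks, historical_jwks):
    """Look the statement's kid up in the TA's current jwks, then in its historical registry."""
    kid = json.loads(UNB64(jws.split(".")[0]))["kid"]
    for source, jwks in (("current", current_jwks), ("historical", historical_jwks)):
        for jwk in jwks["keys"]:
            if jwk["kid"] == kid:
                return source, jwk
    raise KeyError(f"kid {kid!r} never published by the TA: statement cannot be attributed")

# Constructed sample: the TA rotated from ta-2021 to ta-2023; only the new key is in its EC today.
OLD_KEY, NEW_KEY = make_key("ta-2021", 521, 127), make_key("ta-2023", 607, 89)
CURRENT_JWKS = {"keys": [public_jwk(NEW_KEY)]}
HISTORICAL_JWKS = {"keys": [public_jwk(OLD_KEY), public_jwk(NEW_KEY)]}  # the proposed endpoint
```

With only CURRENT_JWKS available, a statement signed under ta-2021 is unverifiable and the TA could repudiate it; with the historical registry it still resolves and verifies.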