[Openid-specs-ab] Call for Adoption for the OpenID Connect Key Binding Specification
Brian Campbell
bcampbell at pingidentity.com
Thu Oct 2 22:12:38 UTC 2025
Do you think of this draft as covering those OpenPubKey cases? I think I
can see how SSO for SSH could be treated as passing an id token
amongst different components of the RP. But I'm struggling to see how, with
signing docker official images, the other systems involved would
be components of the same RP.
On Mon, Sep 29, 2025 at 12:30 PM Dick Hardt via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:
> It is very confusing why some members of this WG are opposed to
> standardizing and providing guidance on a pattern that is deployed in a
> non-standard way.
>
> Ethan is one of the authors of OpenPubKey which puts a public key into a
> nonce. This is deployed by BastionZero, Docker, and Cloudflare. These
> companies could have deployed the OpenID Connect UserInfo Verifiable
> Credentials draft -- but chose not to -- so it failed in the market.
>
> This spec is standardizing how to do this so that systems are more
> interoperable, and also provides an opportunity to provide guidance on when
> this should be used and when it should not be used.
>
> The push back on this reminds me of why the OpenID Foundation was created
> -- we continued to get pushback from the IETF to do the OpenID work there
> -- so took our toys with us to a new sandbox. The response of "we already
> did this" is clearly not being accepted by the market.
>
> https://www.bastionzero.com/openpubkey
>
> https://www.docker.com/blog/signing-docker-official-images-using-openpubkey/
>
> https://blog.cloudflare.com/open-sourcing-openpubkey-ssh-opkssh-integrating-single-sign-on-with-ssh/
>
> On Mon, Sep 29, 2025 at 6:30 PM Dick Hardt <dick.hardt at gmail.com> wrote:
>
>>
>>
>> On Mon, Sep 29, 2025 at 6:17 PM Kristina Yasuda via Openid-specs-ab <
>> openid-specs-ab at lists.openid.net> wrote:
>>
>>> I do *not* support adoption of this draft for the reasons that have
>>> been listed by Pieter, Aaron, Justin, Brian, Andrii and Ralph.
>>>
>>
>> There are a variety of reasons. You are opposed for all of them?
>>
>>
>>>
>>> Key bound ID Tokens using OIDC is where Microsoft and few other
>>> companies have started when implementing Verifiable Credentials and OpenID
>>> for Verifiable Credential Issuance 1.0 is where all that implementation
>>> experience has led. I don't think there is a need to reinvent a wheel when
>>> there already is a well-tested final (!) protocol that can be used for this
>>> use case.
>>>
>>
>> Which protocol is that?
>>
>>
>>>
>>> It is also concerning that this call for adoption happened without the
>>> topic being mentioned in the DCP WG even once. I am sure DCP WG members
>>> would be happy to help and point out extension points in VCI 1.0 that can
>>> be leveraged, if needed.
>>>
>>
>> Why is that? We don't want a VC. We want an id_token as I have described
>> that has an "aud" value.
>>
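The pattern Dick refers to above (a client public key committed to in the ID Token nonce, as deployed by OpenPubKey), as an added Go example that is not code from OpenPubKey, from any participant in this thread, or from the draft under discussion. The CIC JSON shape, the SHA-256 nonce encoding and the choice of Ed25519 are this example's assumptions and differ from OpenPubKey's actual wire format; it also assumes the ID Token has already been validated per OIDC Core (OP signature, iss, aud, exp) before VerifyBinding is called.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// CIC: client-instance claims committed to in the nonce (JSON shape and hashing are this example's assumptions, not OpenPubKey's format).
type CIC struct {
	Alg string `json:"alg"`
	Rz  string `json:"rz"`  // fresh randomness so every login produces a distinct nonce
	Upk string `json:"upk"` // base64url raw Ed25519 public key generated by the client
}

// Nonce is the value sent in the authentication request; the OP copies it unchanged into the ID Token.
func (c CIC) Nonce() string {
	b, _ := json.Marshal(c) // struct marshalling is deterministic, so the commitment is reproducible
	h := sha256.Sum256(b)
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// NewCIC binds a freshly generated user public key to 32 random bytes.
func NewCIC(pub ed25519.PublicKey) (CIC, error) {
	rz := make([]byte, 32)
	if _, err := rand.Read(rz); err != nil {
		return CIC{}, err
	}
	enc := base64.RawURLEncoding.EncodeToString
	return CIC{Alg: "EdDSA", Rz: enc(rz), Upk: enc(pub)}, nil
}

// VerifyBinding is the check a relying component performs after the ID Token itself has been validated:
// the token's nonce must equal the commitment to the presented CIC, and msg must be signed by the committed key.
func VerifyBinding(idTokenNonce string, cic CIC, msg, sig []byte) error {
	if cic.Nonce() != idTokenNonce {
		return errors.New("nonce does not commit to the presented key")
	}
	pub, err := base64.RawURLEncoding.DecodeString(cic.Upk)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed upk")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), msg, sig) {
		return errors.New("signature was not made by the bound key")
	}
	return nil
}
```

The OP never sees the private key; it only echoes the nonce, so any component that can validate the ID Token can also decide whether a later signature came from the key bound at login.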