[Openid-specs-ab] Revised submission :: OpenID Connect Key Binding

george at practicalidentity.com
Tue Oct 7 13:45:11 UTC 2025


Hi Dick and Ethan,

Thanks for the updated version. The scope is much more clear in this version.

In Security Considerations section 3.3 there is a prohibition with using the id_token as an access token. Yet in the kubectl example that has been mentioned a few times in the email thread, the id_token IS used as an access token. This is driven partly from the existing behavior of stuffing attributes for ABAC and roles for RBAC into the id_token.

I also believe that there is a need for an identity token that is intended to cross trust-domain boundaries. I’m thinking it may make sense to define a mechanism that serves both the single RP (and its components) as well as the larger use case of crossing trust-domain boundaries. I’d expect that decentralized systems will need this capability (e.g. bluesky).

George Fletcher
Identity Standards Architect
Practical Identity LLC
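As an added illustration of the distinction behind the section 3.3 prohibition (example code, not from the Key Binding draft or from anyone on this thread): a resource server check that refuses an ID token presented as a bearer access token, using the signals that separate the two token kinds (audience, the ID-token-only `nonce` claim, and the RFC 9068 `typ: at+jwt` header). The shared secret, audience and client_id values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values; a real deployment uses the AS's keys and its own identifiers.
SECRET = b"demo-shared-secret-not-for-production"
API_AUDIENCE = "https://api.example.test"   # this resource server's identifier
CLIENT_ID = "kubectl-demo-client"          # an RP's client_id, the audience of an ID token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(header: dict, claims: dict) -> str:
    """Mint an HS256 JWT with the demo secret (stands in for the AS/OP)."""
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def check_bearer(token: str):
    """Return (accepted, reason) for a token presented as a bearer access token."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    header = json.loads(_b64url_decode(h))
    claims = json.loads(_b64url_decode(p))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    # An ID token is addressed to the RP (client_id), not to this API.
    if API_AUDIENCE not in aud:
        return False, "aud does not include this resource server"
    # nonce binds an ID token to one RP authentication request; access tokens carry none.
    if "nonce" in claims:
        return False, "nonce present: token is an ID token, not an access token"
    # RFC 9068 marks JWT access tokens explicitly in the header.
    if header.get("typ") not in ("at+jwt", "application/at+jwt"):
        return False, "typ header is not at+jwt"
    return True, "ok"
```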



> On Oct 1, 2025, at 7:13 AM, Dick Hardt via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> Attached is a revised submission in HTML taking into consideration the feedback from the recent call for adoption.
> 
> repo: https://github.com/dickhardt/openid-key-binding
> online html: https://dickhardt.github.io/openid-key-binding/main.html
> 
> The authors would like to thank Jacob for his review and feedback.
> 
> /Dick & Ethan
