[Openid-specs-ab] Peer review request: TADR draft

Rahul Khanna rkhanna at propensic.com
Sun Oct 26 23:38:51 UTC 2025


Hello esteemed community,

I would like to propose Draft 00 of the *Trust Anchor Distribution &
Rotation (TADR)* specification for consideration by the OpenID Connect AB
Working Group.

Given that issuers already expose `.well-known/openid-configuration`
metadata, this registry is a natural place to address the *CA/B Forum’s
decision to shorten TLS certificate lifetimes to just 47 days by 2029*.
This industry shift makes manual trust anchor management unsustainable —
automation and interoperability are now mission‑critical, particularly for
OAuth client apps, OIDC Client Credential Flows, and potential future
extensions such as agentic AI authentication/authorization.

*What TADR proposes:*

   - A new `trust_anchor_uri` in OIDC Discovery
   - A standardized JSON schema for trust anchor bundles
   - Clear client behaviors for fetching, caching, and rotating anchors
   - Reference implementations (Node.js server + Python client) to prove
   feasibility


*Why it matters:*

   - Prevents outages during certificate rotation
   - Aligns OIDC ecosystems with the short‑lived certificate era
   - Strengthens distributed trust and resilience across federated identity



This is just Draft 00 — the beginning of a conversation. I’m excited to
collaborate with the OpenID Foundation community, PKI experts, and identity
architects to refine and advance this work.

The draft and reference implementations are available in the working group
repository branch `propose/connect/openid-tadr-1_0-00`
<https://github.com/openid/publication/pull/122/commits/8ef96f263a9c791a7b3c4130d022132a1f099dfa>.

I welcome guidance on the correct submission process and look forward to
your feedback.

Thank you!

Cordially,

Rahul Khanna | Sr Principal Consultant
Propensic Solutions, LLC
Call/Text *(new)*: +1-813-330-0677 (USA East Coast)
Email: rkhanna at propensic.com
Want to meet? Schedule a meeting today!
<https://calendar.app.google/Z3LJkWBT6v5KM4tL6>
Visit us online: www.propensic.com