[Openid-specs-ab] Call for Adoption for the OpenID Connect Key Binding Specification

[Justin Richer]

I do not support adoption of this work. The ID Token is not intended to be a conveyable artifact, and using it as such is a security layer boundary. It’s hard enough to get people to not use ID Tokens as Access Tokens today, since a lot of developers see all JWTs as equivalent, really. This work would make this problem significantly worse.

 — Justin

On Sep 15, 2025, at 6:57 PM, Michael Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:

This starts a two-week call for feedback on whether to adopt the OpenID Connect OpenID Connect Key Binding specification contributed to the working group by Dick Hardt and Ethan Heilman as an OpenID Connect Working Group specification.  Please reply-all by Monday, September 29, 2025 saying whether you are favor of adoption or not, also saying why.

The specification was contributed at https://lists.openid.net/pipermail/openid-specs-ab/2025-August/010890.html.  It has been extensively discussed by the working group both on calls and on the mailing list.  From my observations of the discussion as a working group chair, I believe that there is consensus that it would be useful to have a standard solving the problem addressed by this specification.

                                                Writing as a working group chair,
                                                                -- Mike

_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net<mailto:Openid-specs-ab at lists.openid.net>
https://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20250926/93f41a86/attachment.htm>