[Openid-specs-ab] SIOP Meetup 2 Presentation Slides

Tobias Looker tobias.looker at mattr.global
Tue Aug 18 00:37:30 UTC 2020


Hi All,

See attached for the slides I presented on at the SIOP Meetup 2 a couple of
weeks ago.

I'd like to draw attention to slides 8 through 12 as one of the key points
of discussion.

Currently as per OpenID Connect core section 7.4
<https://openid.net/specs/openid-connect-core-1_0.html#SelfIssuedResponse>,
the relationship between the key that must sign the response and the
identifier for the subject in the response prevents cryptographic best
practice in the sense that it does not allow key rotation to occur without
creating a new subject identifier.

My proposal is that we need to revise this section to allow solutions that
do support key rotation through the following.

- Relax the requirement that the sub field be the JWK thumbprint of the
sub_jwk value; instead, allow the value reported in the sub field to be any
valid URI.
- To ensure interoperability, define the URN of type JWK thumbprint (e.g.
urn:jwkthumb:asd78asdhc8h9rj) and specify the same relationship that is
present in the spec today between this new type of URN and the sub_jwk
value and set this as the default behaviour for SIOP (as it essentially is
today).
- Define how a relying party can advertise support for other types of
subject URIs in their request, e.g. decentralized identifiers
<https://w3c.github.io/did-core/>, so that a supporting SIOP could instead
respond with a DID in the sub field of the response and use cryptographic
material in the DID document to sign the response (hence allowing for key
rotation).

Essentially my proposal is for SIOP to exhibit the same behaviour as it
does today as the default (i.e. no solution for key rotation) BUT allow for
an extension point through different identifiers that allow for key
rotation.

Thanks,
*Tobias Looker*
Mattr
+64 (0) 27 378 0461
tobias.looker at mattr.global
This communication, including any attachments, is confidential. If you are
not the intended recipient, you should not read it - please contact me
immediately, destroy it, and do not copy or use any part of this
communication or disclose anything about it. Thank you. Please note that
this communication does not designate an information system for the
purposes of the Electronic Transactions Act 2002.
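The binding between sub and sub_jwk discussed above, as an added example that is not part of the post or of any OpenID specification: it computes the RFC 7638 thumbprint of sub_jwk and classifies the sub claim under today's Core 7.4 rule, under the proposed urn:jwkthumb form (the URN scheme is the proposal's hypothetical one), or as a DID whose key would have to be resolved separately. The sample key is the RSA public key from the RFC 7638 example.

```python
import base64
import hashlib
import json

# RFC 7638: only these members, in lexicographic order, are hashed.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
    "RSA": ("e", "kty", "n"),
}

# Hypothetical URN prefix for the "JWK thumbprint" subject type in the proposal.
JWKTHUMB_PREFIX = "urn:jwkthumb:"


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def classify_sub(claims: dict) -> str:
    """Return which subject-binding rule the ID token's `sub` satisfies.

    'core-7.4'     sub is the bare thumbprint of sub_jwk (today's rule)
    'urn-jwkthumb' sub is urn:jwkthumb:<thumbprint> of sub_jwk (proposed default)
    'did'          sub is a DID; the signing key must be resolved from its DID
                   document, which this example does not do
    """
    sub = claims["sub"]
    sub_jwk = claims.get("sub_jwk")
    if sub_jwk is not None:
        tp = jwk_thumbprint(sub_jwk)
        if sub == tp:
            return "core-7.4"
        if sub == JWKTHUMB_PREFIX + tp:
            return "urn-jwkthumb"
        raise ValueError("sub is not bound to sub_jwk")
    if sub.startswith("did:"):
        return "did"
    raise ValueError("no sub_jwk and sub is not a supported URI")


# Sample key: the RSA public key used in the RFC 7638 example (kid is ignored by the hash).
SAMPLE_JWK = {
    "kty": "RSA", "e": "AQAB", "kid": "2011-04-29",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
}
```

Note that under the DID branch the thumbprint check is skipped entirely, which is exactly why the proposal needs a defined way for the relying party to resolve and pin the signing key from the DID document.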
