<div dir="ltr"><div dir="ltr"><div dir="ltr"><div>The opposition to adoption has highlighted some misconceptions about the proposed document.<br><br></div><div dir="ltr">We are not proposing the id_token be used to access resources. It is an id_token. It represents authentication and identity claims about the user.</div><div dir="ltr"><br>We view the component (C1) that acquires an id_token from the OP with a key binding, and a component (C2) that is presented the id_token with a dpop proof are both part of the same RP. They are both relying on the claims made by the OP. The "aud" claim is therefore critical to the validation by C2.<br><br>Two examples:<br><br>- Alice is using a video conferencing client and obtains an id_token with key binding using OIDC and aud=1234. Alice's client then sends the id_token to Bob's instance of the video conferencing client signing the message. Bob's video conferencing client verifies the id_token and confirms aud=1234 and that it was another instance of the client that obtained the id_token.<br><br></div><div dir="ltr">- A mobile app obtains an id_token, and wants to obtain an access token from the server. It presents the id_token with a dpop proof to the server that checks it has the same aud value (as it is part of the same RP) and returns a 1P access token.<br><br> <br><br>The VC approach in OpenID Connect UserInfo Verifiable Credentials drops the "aud" claim -- making that approach inferior.<br><br>Given the misconceptions, we will add additional non normative language on how a key bound id_token should be used, and where it should not be used.<br><p>Finally, I want to acknowledge that some of the opposition expressed may reflect interpersonal dynamics as well as technical concerns. I trust the chairs will take that into account when weighing the feedback, while focusing on the technical merits of the proposal.</p>/Dick & Ethan<br><br><br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Sep 15, 2025 at 11:57 PM Michael Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<div lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size:11pt">This starts a two-week call for feedback on whether to adopt the OpenID Connect OpenID Connect Key Binding specification contributed to the working group by Dick Hardt and Ethan Heilman as an OpenID Connect
Working Group specification. Please reply-all by Monday, September 29, 2025 saying whether you are favor of adoption or not, also saying why.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">The specification was contributed at
<a href="https://lists.openid.net/pipermail/openid-specs-ab/2025-August/010890.html" target="_blank">
https://lists.openid.net/pipermail/openid-specs-ab/2025-August/010890.html</a>. It has been extensively discussed by the working group both on calls and on the mailing list. From my observations of the discussion as a working group chair, I believe that there
is consensus that it would be useful to have a standard solving the problem addressed by this specification.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"> Writing as a working group chair,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"> -- Mike<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"><u></u> <u></u></span></p>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</div></blockquote></div>