[Openid-specs-risc] Unsigned SETs in SSF events

Atul Tulshibagwale atul at sgnl.ai
Mon Feb 27 18:00:36 UTC 2023


Hi all,

In a discussion last week, the issue of perceived complexity of the Shared
Signals Framework came up, and one question within that was whether SSF
allows SETs to be unsigned. Section 11.1.8.1 of the SSF spec
<https://github.com/openid/sharedsignals/blob/main/openid-sharedsignals-framework-1_0.txt>
does not specify that the SETs should be signed, and the SET spec
<https://www.rfc-editor.org/rfc/rfc8417.html#section-5.1> (section 5.1)
also says that "Unless integrity of the JWT is ensured by other means, it
MUST be signed using JWS [RFC7515] by an issuer that is trusted to do so
for the use case so that the SET can be authenticated and validated by the
SET recipient."

So since the DELIVERYPUSH and DELIVERYPOLL methods offer integrity
protection, neither of the specs requires SETs to be signed.

Is my understanding correct?

Thanks,
Atul
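The distinction the question turns on, a SET that carries its own JWS signature versus one whose integrity rests on the delivery channel, is easy to see from the receiver's side. The following Python is an added example, not code from the thread or from the SSF specification: it builds a SET both as an HS256-signed JWS and as an unsecured JWS (`"alg":"none"`), and a receiver routine that rejects the unsigned form unless the receiver has explicitly decided the transport already ensures integrity "by other means" (RFC 8417 section 5.1). The shared key, issuer, audience and subject values are constructed for the example; the claim checks follow RFC 8417 section 2.2.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key, shared out of band between transmitter and
# receiver; not a value from the thread or the spec.
SHARED_KEY = b"constructed-demo-hs256-key"

# Constructed SET claims; the event type URI is the CAEP session-revoked
# type, the subject is made up for the example.
SAMPLE_CLAIMS = {
    "iss": "https://transmitter.example",
    "aud": "https://receiver.example",
    "iat": 1677520836,
    "jti": "constructed-set-0001",
    "events": {
        "https://schemas.openid.net/secevent/caep/event-type/session-revoked": {
            "subject": {"format": "email", "email": "user@example.com"}
        }
    },
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWS segments omit padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def build_signed_set(claims: dict, key: bytes) -> str:
    """Transmitter side: HS256-signed SET in JWS compact serialization."""
    signing_input = _segment({"alg": "HS256", "typ": "secevent+jwt"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def build_unsigned_set(claims: dict) -> str:
    """Transmitter side: unsecured JWS ("alg":"none", empty signature segment)."""
    return _segment({"alg": "none", "typ": "secevent+jwt"}) + "." + _segment(claims) + "."


def verify_set(token: str, key: bytes, expected_iss: str, expected_aud: str,
               transport_integrity: bool = False) -> dict:
    """Receiver side: return the claims or raise ValueError.

    transport_integrity is the receiver's own policy decision that the delivery
    channel already ensures integrity "by other means" (RFC 8417 section 5.1).
    It defaults to False, so an unsigned SET is rejected unless opted in.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    alg = json.loads(_b64url_decode(parts[0])).get("alg")
    if alg == "none":
        if not transport_integrity:
            raise ValueError("unsigned SET rejected: no transport-level integrity")
    elif alg == "HS256":
        expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            raise ValueError("signature verification failed")
    else:
        raise ValueError(f"unsupported alg {alg!r}")
    claims = json.loads(_b64url_decode(parts[1]))
    # RFC 8417 section 2.2: iss, iat, jti and a non-empty events object are
    # required; aud, when present, may be a string or a list.
    for required in ("iss", "iat", "jti", "events"):
        if required not in claims:
            raise ValueError(f"missing required claim {required}")
    if claims["iss"] != expected_iss:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("SET not intended for this receiver")
    if not isinstance(claims["events"], dict) or not claims["events"]:
        raise ValueError("events claim must be a non-empty object")
    return claims


def accept_set(token: str, key: bytes, transport_integrity: bool = False) -> tuple:
    """Wrapper returning (accepted, jti-or-reason) instead of raising."""
    try:
        claims = verify_set(token, key, "https://transmitter.example",
                            "https://receiver.example", transport_integrity)
        return True, claims["jti"]
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    signed = build_signed_set(SAMPLE_CLAIMS, SHARED_KEY)
    unsigned = build_unsigned_set(SAMPLE_CLAIMS)
    print(accept_set(signed, SHARED_KEY))                            # accepted
    print(accept_set(unsigned, SHARED_KEY))                          # rejected
    print(accept_set(unsigned, SHARED_KEY, transport_integrity=True))  # accepted by policy
```

The point of the `transport_integrity` flag is that "integrity ensured by other means" is a receiver-side policy decision tied to how the push or poll endpoint is actually protected, not something the SET itself can assert; a receiver that accepts `"alg":"none"` without such a policy accepts anything a network-position attacker on that channel can write.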