[Openid-specs-risc] openid/sharedsignals: New Issue opened
github at oidf.org
Fri Feb 9 14:27:30 UTC 2024
openid/sharedsignals event
Issue opened
Issue Title: Proposal to add jwks.json to Receiver
https://github.com/openid/sharedsignals/issues/140
In the current SSF spec, the Transmitter can make a `jwks.json` file available to its Receivers. This allows the Transmitter to sign the JWTs that it is sending the Receiver, so that the Receiver can verify that the security event tokens (SETs) are not forged by some third party.

However, these security event tokens often contain personally identifying information (PII) and some vendors may wish to be able to _encrypt_ the SET, not just sign it. In order to do that, the Transmitter would need the Receiver to share a public key.

I propose that we add language to the spec to make it clear that a Receiver MAY provide well-known and `jwks.json` endpoints for this purpose.

The current spec treats Receivers as an afterthought - all of the language is around what Transmitters MAY and MUST do. This would give us an opportunity to make Receivers more of a first-class citizen in the SSF spec.
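
The flow the issue describes, as an added example that is not part of the original message or of the SSF spec: the Transmitter signs a SET with its own key, then encrypts the signed token to a public key taken from the Receiver's JWKS, and the Receiver decrypts before verifying. The `kid` values, the in-memory JWKS objects and the algorithm choices (RS256, RSA-OAEP-256, A256GCM) are assumptions.

```javascript
// Added example: sign-then-encrypt a SET (nested JWT) using only Node's built-in crypto.
const crypto = require('node:crypto');
const b64u = (x) => Buffer.from(x).toString('base64url');
const rsa = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Each party publishes only its public key. The kid values and JWKS contents are constructed.
const tx = rsa(), rx = rsa();
const txJwks = { keys: [{ ...tx.publicKey.export({ format: 'jwk' }), kid: 'tx-sig-1', use: 'sig', alg: 'RS256' }] };
const rxJwks = { keys: [{ ...rx.publicKey.export({ format: 'jwk' }), kid: 'rx-enc-1', use: 'enc', alg: 'RSA-OAEP-256' }] };
const findKey = (jwks, kid, use) => {
  const jwk = jwks.keys.find((k) => k.kid === kid && k.use === use);
  if (!jwk) throw new Error(`no ${use} key with kid ${kid}`);
  return crypto.createPublicKey({ key: jwk, format: 'jwk' });
};

// Transmitter: sign the SET (JWS, RS256), then wrap the signed token in a JWE for the Receiver.
function signSet(claims) {
  const input = `${b64u(JSON.stringify({ alg: 'RS256', typ: 'secevent+jwt', kid: 'tx-sig-1' }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${b64u(crypto.sign('sha256', Buffer.from(input), tx.privateKey))}`;
}
function encryptForReceiver(jws, receiverJwks) {
  const header = b64u(JSON.stringify({ alg: 'RSA-OAEP-256', enc: 'A256GCM', cty: 'JWT', kid: 'rx-enc-1' }));
  const cek = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const wrapped = crypto.publicEncrypt({ key: findKey(receiverJwks, 'rx-enc-1', 'enc'), oaepHash: 'sha256' }, cek);
  const c = crypto.createCipheriv('aes-256-gcm', cek, iv);
  c.setAAD(Buffer.from(header)); // the encoded protected header is authenticated, not encrypted
  const ct = Buffer.concat([c.update(jws), c.final()]);
  return [header, b64u(wrapped), b64u(iv), b64u(ct), b64u(c.getAuthTag())].join('.');
}

// Receiver: decrypt with its private key, then verify the inner signature against the Transmitter's JWKS.
function receive(jwe, transmitterJwks) {
  const [header, ek, iv, ct, tag] = jwe.split('.');
  const h = JSON.parse(Buffer.from(header, 'base64url'));
  if (h.alg !== 'RSA-OAEP-256' || h.enc !== 'A256GCM') throw new Error('unexpected JWE algorithms');
  const cek = crypto.privateDecrypt({ key: rx.privateKey, oaepHash: 'sha256' }, Buffer.from(ek, 'base64url'));
  const d = crypto.createDecipheriv('aes-256-gcm', cek, Buffer.from(iv, 'base64url'));
  d.setAAD(Buffer.from(header));
  d.setAuthTag(Buffer.from(tag, 'base64url'));
  const jws = Buffer.concat([d.update(Buffer.from(ct, 'base64url')), d.final()]).toString();
  const [jh, jp, sig] = jws.split('.');
  const inner = JSON.parse(Buffer.from(jh, 'base64url'));
  if (inner.alg !== 'RS256') throw new Error('unexpected JWS algorithm'); // pin the algorithm, never trust the header
  const ok = crypto.verify('sha256', Buffer.from(`${jh}.${jp}`), findKey(transmitterJwks, inner.kid, 'sig'), Buffer.from(sig, 'base64url'));
  if (!ok) throw new Error('SET signature invalid');
  return JSON.parse(Buffer.from(jp, 'base64url'));
}
```

Signing before encrypting keeps the PII-bearing claims out of view of intermediaries while still letting the Receiver check origin after decryption.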