<div dir="ltr">Hi Steve,<div>Regardless of where the JWTs are signed, the "jwks_uri" specifies the signing key of the Transmitter, so the Receiver must assume that the Transmitter has signed the JWT. In the event that the transport provides the integrity protection, the Receiver can rely on that to confirm that the bits it received were indeed what the Transmitter sent. However, if there are components within the Receiver that need to verify that the JWT came from the Transmitter independently of relying on the transport, then the JWT needs to be signed. This could be "in line" during the processing of the event at the Receiver, or post-fact, say when the Receiver is executing some batch process later.</div><div><br></div><div>Atul</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 13, 2023 at 7:17 AM Steve Venema <<a href="mailto:steve.venema@forgerock.com">steve.venema@forgerock.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><ul style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px"><li style="margin-left:15px;box-sizing:border-box"><span style="box-sizing:border-box">Do SSF JWTs need to be signed? Current understanding is that they don’t need to be signed if sent on an integrity protected transport like TLS</span></li></ul></blockquote><div>The SSF architecture seems to treat the SET (JWT) generator as separate from the Transmitter function. 
Do real implementations approximate this division or are the SET generator and transmitter functions typically combined? In any case, I imagine that a stream consumer would be much more interested in validating the <i>source</i> of the SET than the confidentiality or integrity specifics of the transmitter/receiver transport.</div><div><br></div><div><div dir="ltr"><div dir="ltr">-Steve</div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 7, 2023 at 10:58 PM Atul Tulshibagwale via Openid-specs-risc <<a href="mailto:openid-specs-risc@lists.openid.net" target="_blank">openid-specs-risc@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi all,<div>Sorry for leaving the call early. Here are the notes from today's call. They are also stored <a href="https://hackmd.io/@oidf-wg-sse/wg-meeting-20230308" target="_blank">here</a>.</div><div><br></div><div>Atul</div><div><br></div><span>-- </span><br><div dir="ltr"><div dir="ltr"><span><div dir="ltr" style="margin-left:0pt" align="left"><table style="border:none;border-collapse:collapse"><colgroup><col width="142"><col width="482"></colgroup><tbody><tr style="height:0pt"><td style="vertical-align:middle;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><a href="https://sgnl.ai" target="_blank"><span style="font-size:11pt;font-family:"Work Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><span style="border:none;display:inline-block;overflow:hidden;width:137px;height:68px"><img src="https://lh3.googleusercontent.com/aO7jB_JqOxA0tVDXsAotNQnsfEkxEORgtkVnVFrmkR7O8j3B4lbbRsGFuprzQhfDmri2YH8_dnjPiZnGMZxIcT9xRcdY6rYm-xGophLkgvl_v8istAefyh4qkSVINQtPfcmq5BZiKbfFHmursSUHyll1jEWBTd--nw26MIMKd86Br32rGZkvJwnEED_nzQ" width="137" height="68" style="margin-left: 0px; 
margin-top: 0px;"></span></span></a></p></td><td style="vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.44;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Work Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Atul Tulshibagwale</span></p><p dir="ltr" style="line-height:1.44;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Work Sans",sans-serif;color:rgb(102,102,102);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">CTO </span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><font size="1"><span style="font-family:"Work Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><span style="border:none;display:inline-block;overflow:hidden;width:20px;height:27px"><a href="https://linkedin.com/in/tulshi" target="_blank"><img src="https://lh6.googleusercontent.com/ezm4lDcLtajK4RMqqHALoRgXyaC4HRlw0wWsR2Jvms0V9Wrxr3x5G66zsUrYpRXyeJ3RwLS3GdKUwO0Ui5mXPodSkUx8Xsarf_vj6WlJ05Y1qJoMFTlCZnEgtHvlJ7_7Dr7zWNjkvf3nMW9u1P5ye76SeHgz2QqGQ_rm-sjqYOS-vH1UZL7Yiewi4UO3Qw" width="20" height="27" style="margin-left: 0px; margin-top: 0px;"></a> </span></span><span style="font-family:"Work Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><span style="border:none;display:inline-block;overflow:hidden;width:20px;height:27px"><a href="https://twitter.com/zirotrust" target="_blank"><img src="https://lh6.googleusercontent.com/HAnAvykj318aQf5zTUZkjIJDtwelDecFi5d-idBrpUDBj7aKTdup5Mfia6UIbXTAP46zg7gigNnroQ9he3j81Sf9qCRRSS-w_nZ3oSXJnYLbPlCXgt6IqoifgHXETuJSRvFIZRIdn_aAbtp8ilKFyIVuTXjVe6cNAfXc5KZNwJeYinwfZZxVvHHaR5uIdQ" width="20" height="27" style="margin-left: 0px; margin-top: 0px;"></a> </span></span><a href="mailto:atul@sgnl.ai" target="_blank"><img 
src="https://lh3.googleusercontent.com/63PpVJLMybZyfD61JVu0TVH_KkP_IhneeBpDNvbd1KeSFJn6KZzWCgp4hFbrTrIxfksYyM-_wOjNKbjEhSQ2khRXVI3XKcwABLNLI_bFjkN0_NgVoijs_nIRcVJKeQm0s0MRdtkUkCOp5Omyv1faqcNiQxGEUyAvmE9HkeeQCeHa-LxleK0oHSAyQrDY6g" width="21" height="21" style="background-color: transparent; color: rgb(0, 0, 0); font-family: Arial; white-space: pre-wrap; margin-left: 0px; margin-top: 0px;"></a></font></p></td></tr></tbody></table><br></div><div dir="ltr" style="margin-left:0pt" align="left">---</div><div dir="ltr" style="margin-left:0pt" align="left"><h2 id="m_-7508985480308857974m_3747240506673312536gmail-Agenda" style="box-sizing:border-box;font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px"><span style="box-sizing:border-box">Agenda</span></h2><ul style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px"><li style="box-sizing:border-box"><span style="box-sizing:border-box">[Atul] Review </span><a href="https://github.com/openid/sharedsignals/issues" rel="noopener" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none" target="_blank"><span style="box-sizing:border-box">open issues</span></a></li><li style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">[Atul] Discuss making jwks_uri optional (</span><a href="https://github.com/openid/sharedsignals/issues/44" rel="noopener" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none" 
target="_blank"><span style="box-sizing:border-box">Open Issue #44</span></a><span style="box-sizing:border-box">)</span></li><li style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">[Atul] Create stream issues (</span><a href="https://github.com/openid/sharedsignals/issues/45" rel="noopener" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none" target="_blank"><span style="box-sizing:border-box">#45</span></a><span style="box-sizing:border-box"> and </span><a href="https://github.com/openid/sharedsignals/issues/46" rel="noopener" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none" target="_blank"><span style="box-sizing:border-box">#46</span></a><span style="box-sizing:border-box">)</span></li></ul><h2 id="m_-7508985480308857974m_3747240506673312536gmail-Attendees" style="box-sizing:border-box;font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px"><a href="https://hackmd.io/xJwP1JHKQs6YLhVDEtdLKQ?view#Attendees" title="Attendees" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1" target="_blank"><span style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Attendees</span></h2><ul style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,"system-ui","Segoe UI","Helvetica 
Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px"><li style="box-sizing:border-box"><span style="box-sizing:border-box">Atul Tulshibagwale (SGNL)</span></li><li style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Debora Comparin (Thales)</span></li><li style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Eric Karlinsky (Okta)</span></li><li style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Greg Brown (Axiad)</span></li><li style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Peter Travers (Beyond Identity)</span></li><li style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Shayne Miel (Cisco)</span></li><li style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Topher Marie (Strata)</span></li><li style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Tim Cappalli (Microsoft)</span></li></ul><h2 id="m_-7508985480308857974m_3747240506673312536gmail-Notes" style="box-sizing:border-box;font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px"><a href="https://hackmd.io/xJwP1JHKQs6YLhVDEtdLKQ?view#Notes" title="Notes" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1" target="_blank"><span 
style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Notes</span></h2><h3 id="m_-7508985480308857974m_3747240506673312536gmail-JWKS-URI-44" style="box-sizing:border-box;font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:1.25em;letter-spacing:0.35px"><a href="https://hackmd.io/xJwP1JHKQs6YLhVDEtdLKQ?view#JWKS-URI-44" title="JWKS-URI-44" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1" target="_blank"><span style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">JWKS URI (#44)</span></h3><ul style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px"><li style="box-sizing:border-box"><span style="box-sizing:border-box">Do SSF JWTs need to be signed? Current understanding is that they don’t need to be signed if sent on an integrity protected transport like TLS</span></li><li style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Can we make the jwks_uri field in the Transmitter Configuration Metadata optional? 
Yes, [Eric], no objections</span></li></ul><h3 id="m_-7508985480308857974m_3747240506673312536gmail-Create-Stream-Issues-45" style="box-sizing:border-box;font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:1.25em;letter-spacing:0.35px"><a href="https://hackmd.io/xJwP1JHKQs6YLhVDEtdLKQ?view#Create-Stream-Issues-45" title="Create-Stream-Issues-45" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1" target="_blank"><span style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Create Stream Issues (#45)</span></h3><ul style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px"><li style="box-sizing:border-box"><span style="box-sizing:border-box">Discovering “events_supported” before creating a stream:</span></li><li style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Requirement seems real, we can alter the response to pull “events_supported” out of each stream’s configuration</span></li><li style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">We could add a separate endpoint to get the events supported</span></li><li style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Separate endpoint is the preferred option in the call (Shayne, Tim and 
Peter). The endpoint could be called “get events supported”</span></li><li style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">We should not remove the “events_supported” field from the existing response to “get stream configuration” because the events supported may be different per stream</span></li><li style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">We should not have a “stream id” parameter to the new endpoint to “get supported events”</span></li></ul><h3 id="m_-7508985480308857974m_3747240506673312536gmail-Create-Stream-Issue-46" style="box-sizing:border-box;font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:1.25em;letter-spacing:0.35px"><a href="https://hackmd.io/xJwP1JHKQs6YLhVDEtdLKQ?view#Create-Stream-Issue-46" title="Create-Stream-Issue-46" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1" target="_blank"><span style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Create Stream Issue (#46)</span></h3><ul style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px"><li style="box-sizing:border-box"><span style="box-sizing:border-box">Continue discussion next time</span></li></ul><h2 id="m_-7508985480308857974m_3747240506673312536gmail-Action-Items" 
style="box-sizing:border-box;font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px"><a href="https://hackmd.io/xJwP1JHKQs6YLhVDEtdLKQ?view#Action-Items" title="Action-Items" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1" target="_blank"><span style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Action Items</span></h2></div></span></div></div></div>
_______________________________________________<br>
Openid-specs-risc mailing list<br>
<a href="mailto:Openid-specs-risc@lists.openid.net" target="_blank">Openid-specs-risc@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-risc" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-risc</a><br>
</blockquote></div>
</blockquote></div>
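<div>The check Atul describes in the top reply, as an added example that is not from the thread or from the Shared Signals specification text: a Transmitter publishes the public half of an ES256 key as the JWKS document behind its jwks_uri, signs a SET with that key, and a Receiver component verifies the stored token against that JWKS alone, so the same check works inline during event processing or in a later batch job, whether or not TLS protected the delivery. The kid, claim values and URLs are constructed, the code uses only the Go standard library, and a token whose alg is "none" is treated as carrying no proof of origin.</div>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS base64url, no padding

func be32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }

// JWKS is what a Transmitter serves at jwks_uri: the public half of its P-256 key under a kid it chooses.
func JWKS(priv *ecdsa.PrivateKey, kid string) []byte {
	out, _ := json.Marshal(map[string]any{"keys": []map[string]string{{"kty": "EC", "crv": "P-256", "kid": kid,
		"x": b64.EncodeToString(be32(priv.PublicKey.X)), "y": b64.EncodeToString(be32(priv.PublicKey.Y))}}})
	return out
}

// SignSET wraps SET claims in a compact JWS signed with ES256 (signature is raw r||s, not DER).
func SignSET(priv *ecdsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "secevent+jwt", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(append(be32(r), be32(s)...)), nil
}

// VerifySET needs only the stored token and the Transmitter's JWKS, so a Receiver can run it
// inline or in a later batch job without relying on the transport that delivered the bytes.
func VerifySET(jwks []byte, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	hdrRaw, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil {
		return nil, errors.New("malformed JOSE header")
	}
	if hdr.Alg != "ES256" { // "none" or any unexpected alg proves nothing about origin
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	var set struct{ Keys []map[string]string } // JWK members assumed string-valued (no x5c arrays)
	if err := json.Unmarshal(jwks, &set); err != nil {
		return nil, err
	}
	var pub *ecdsa.PublicKey // the key the header's kid names, if the JWKS has it
	for _, k := range set.Keys {
		x, errX := b64.DecodeString(k["x"])
		y, errY := b64.DecodeString(k["y"])
		if k["kid"] == hdr.Kid && k["kty"] == "EC" && k["crv"] == "P-256" && errX == nil && errY == nil {
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		}
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || err != nil || len(sig) != 64 ||
		!ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("no valid ES256 signature by Transmitter key %q", hdr.Kid)
	}
	bodyRaw, err := b64.DecodeString(parts[1])
	var claims map[string]any
	if err != nil || json.Unmarshal(bodyRaw, &claims) != nil {
		return nil, errors.New("malformed SET payload")
	}
	return claims, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	jwks := JWKS(priv, "tx-2023-03") // constructed kid
	claims := map[string]any{"iss": "https://transmitter.example", "jti": "evt-0001", "iat": 1678665600} // constructed
	token, _ := SignSET(priv, "tx-2023-03", claims)
	_, err := VerifySET(jwks, token)
	fmt.Println("signed SET accepted:", err == nil)
	// The alg "none" form a Transmitter relying on TLS alone might emit carries no proof of origin.
	none := b64.EncodeToString([]byte(`{"alg":"none","typ":"secevent+jwt"}`)) + "." + strings.Split(token, ".")[1] + "."
	_, err = VerifySET(jwks, none)
	fmt.Println("unsigned SET rejected:", err)
}
```

<div>Run it with go run: the token the Transmitter signed verifies, the alg "none" form is stopped by the alg check before any key lookup, and a payload altered after receipt, which the transport can no longer vouch for, fails the signature comparison. The JWK members are decoded as strings here, so a real key set that carries arrays such as x5c would need a looser decoding type.</div>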