<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">It depends on whether the certificate has a trust chain/anchor. If you can verify the signing issuer it doesn’t matter how you got the key because you can prove its origin. <div><br></div><div>But if the SSF server issued the key itself, then you need to verify the source of the public key by using TLS in order to have a chain of trust. </div><div><br><div dir="ltr">Phil</div><div dir="ltr"><br><blockquote type="cite">On Apr 13, 2023, at 7:23 AM, Shayne Miel (smiel) via Openid-specs-risc <openid-specs-risc@lists.openid.net> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
What are the expectations around the jwks_uri? The TransmitterConfiguration must list the URI where you can get the JWKS, but nothing is said in the spec about how or whether we should secure that URI. Since all of the security of the SETs being sent from the
Transmitter is held in that JWKS value, should we be specific about how to secure that endpoint? Or do we leave that up to the Transmitter to decide?</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
- Shayne</div>
<div class="elementToProof">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div id="Signature">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<strong>Shayne Miel</strong> / Principal Engineer (he, him, his)<br>
<a href="mailto:smiel@cisco.com">smiel@cisco.com</a><br>
(919) 923-6230<br>
<a href="https://www.cisco.com/site/us/en/products/security/index.html">cisco.com</a><br>
</div>
</div>
</div>
<span>_______________________________________________</span><br><span>Openid-specs-risc mailing list</span><br><span>Openid-specs-risc@lists.openid.net</span><br><span>https://lists.openid.net/mailman/listinfo/openid-specs-risc</span><br></div></blockquote></div></body></html>
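The exchange above turns on one point: when the transmitter publishes its own signing keys, the JWKS fetched from `jwks_uri` is self-asserted, so the receiver's only chain of trust is the TLS channel it came over. The following Python is an added example, not code from the thread, the SSF specification, or any implementation, showing receiver-side checks a practitioner would apply before trusting that JWKS: refuse a non-https `jwks_uri`, refuse one that leaves the issuer's origin (a same-origin policy assumed here, not mandated by the thread), and select the SET signing key by `kid` while rejecting keys published for a different purpose or an `alg` mismatch. The transmitter configuration, JWKS, and SET header are constructed fixtures with placeholder key material and a placeholder signature; signature verification itself is left to a JOSE library and is outside this example.

```python
"""Receiver-side checks on a Shared Signals transmitter's jwks_uri and on
key selection for a SET.  Added example; names, policy and sample data are
assumptions, not part of the SSF specification."""
import base64
import json
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed sample transmitter configuration (not real metadata).
SAMPLE_TRANSMITTER_CONFIG = {
    "issuer": "https://transmitter.example.com",
    "jwks_uri": "https://transmitter.example.com/.well-known/jwks.json",
}

# Constructed sample JWKS: public-only key members with placeholder values.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "EC", "crv": "P-256", "kid": "set-2023-04", "use": "sig",
         "alg": "ES256", "x": "<constructed>", "y": "<constructed>"},
        {"kty": "RSA", "kid": "enc-key", "use": "enc",
         "n": "<constructed>", "e": "AQAB"},
    ]
}


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding, as used by compact JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed sample SET in compact form.  The third segment is a placeholder,
# not a real signature, so this token cannot be verified; it only exercises
# header parsing and key selection.
SAMPLE_SET = ".".join([
    _b64url_encode(json.dumps(
        {"alg": "ES256", "kid": "set-2023-04", "typ": "secevent+jwt"}).encode()),
    _b64url_encode(json.dumps(
        {"iss": "https://transmitter.example.com", "jti": "constructed-1"}).encode()),
    _b64url_encode(b"signature-placeholder"),
])


def check_jwks_uri(issuer: str, jwks_uri: str) -> Tuple[bool, str]:
    """Accept jwks_uri only if fetching it is protected by TLS and it sits on
    the issuer's origin.  With a self-issued key there is no certificate chain
    to fall back on, so the channel is the whole chain of trust."""
    iss, uri = urlparse(issuer), urlparse(jwks_uri)
    if uri.scheme != "https":
        return False, "jwks_uri must be https: self-issued keys are only as trustworthy as the channel"
    if uri.username or uri.password:
        return False, "jwks_uri must not embed credentials"
    # Assumed policy: the JWKS must be served from the issuer's own origin.
    if (uri.hostname, uri.port or 443) != (iss.hostname, iss.port or 443):
        return False, "jwks_uri must be on the issuer's origin"
    return True, "ok"


def set_header(compact_set: str) -> dict:
    """Return the JOSE header of a compact-serialized SET (no verification)."""
    parts = compact_set.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[0]))


def select_signing_key(jwks: dict, header: dict) -> Optional[dict]:
    """Pick the JWK the SET header points at, or None if no key qualifies.
    Rejects alg 'none', keys published for a non-signature use, keys whose
    declared alg disagrees with the header, and keys carrying a private part."""
    alg, kid = header.get("alg"), header.get("kid")
    if not alg or alg.lower() == "none" or not kid:
        return None
    for key in jwks.get("keys", []):
        if key.get("kid") != kid:
            continue
        if key.get("use", "sig") != "sig":
            return None
        if "alg" in key and key["alg"] != alg:
            return None
        if "d" in key:
            return None
        return key
    return None


def key_for_set(config: dict, jwks: dict, compact_set: str) -> Tuple[Optional[dict], str]:
    """Combine the two checks: trust the JWKS source, then choose the key."""
    ok, reason = check_jwks_uri(config["issuer"], config["jwks_uri"])
    if not ok:
        return None, reason
    key = select_signing_key(jwks, set_header(compact_set))
    return key, "ok" if key else "no acceptable signing key for this SET"


if __name__ == "__main__":
    print(key_for_set(SAMPLE_TRANSMITTER_CONFIG, SAMPLE_JWKS, SAMPLE_SET))
```

`key_for_set` returns the selected JWK and a reason string; a receiver would hand that JWK to its JOSE library for the actual signature check and should fetch the JWKS with certificate validation enabled rather than relying on the scheme alone.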