<div dir="ltr">I don't remember FastFed doing anything special on this matter. Apparently, a URL in jwks_uri should use the https scheme (1) and this is an unprotected / publicly available endpoint (2). So, in other words, you completely rely on DNS and TLS.<br><br><div>OpenID Connect 1.0 / OAuth 2.0 allows signing its metadata (see RFC 8414). However, I doubt they are signing the keys in jwks_uri, or anything like that.</div><div><div><br>Then, what is and was very interesting to me is the way that the OpenID Connect Federation spec and WG handle this. First of all, they have two properties, namely jwks_uri and signed_jwks_uri (the names speak for themselves). Secondly, they define a special endpoint called "historical keys" that contains the list of previously used keys. See <a href="https://openid.net/specs/openid-connect-federation-1_0.html#name-op-metadata">https://openid.net/specs/openid-connect-federation-1_0.html#name-op-metadata</a> for more details. This endpoint also includes revoked keys, but probably those keys make sense only in their context; they have quite specific requirements/goals. </div><div><br></div><div>The SSF WG may want to reuse ideas behind signed_jwks_uri and the historical keys endpoint in one or another way.</div><div><br></div><div>There are a number of other specs that use jwks_uri as well, but again I also do not remember anything specific; as an example, take a look at "OAuth 2.0 Dynamic Client Registration Protocol".</div><div><br></div><div>Lastly, I think if a malicious actor somehow manages to get hold of a session between the transmitter and the receiver then he can simply "strip" SET events he wants; as an example, a TLS session isn't always created between two parties (there are a bunch of network intermediaries that perform SSL offloading, various DPIs, etc.). 
In this particular case, the keys in any JWKS endpoints aren't going to help, and you might want to look at additional security mechanisms/controls such as HTTP Message Signatures.</div><div><br></div><div>Regards,</div><div>Andrii</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 13, 2023 at 8:43 AM Atul Tulshibagwale via Openid-specs-risc <<a href="mailto:openid-specs-risc@lists.openid.net">openid-specs-risc@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">How do other specs such as FastFed handle the jwks_uri?</div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 13, 2023 at 7:23 AM Shayne Miel (smiel) via Openid-specs-risc <<a href="mailto:openid-specs-risc@lists.openid.net" target="_blank">openid-specs-risc@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
What are the expectations around the jwks_uri? The TransmitterConfiguration must list the URI where you can get the JWKS, but nothing is said in the spec about how or whether we should secure that URI. Since all of the security of the SETs being sent from the
Transmitter is held in that JWKS value, should we be specific about how to secure that endpoint? Or do we leave that up to the Transmitter to decide?</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
- Shayne</div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div id="m_1736218444659907530m_7916048427554185412Signature">
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="box-sizing:border-box;margin:0px;font-family:Helvetica,sans-serif;font-size:12px;color:rgb(51,51,51)">
<strong style="box-sizing:border-box;font-weight:bold">Shayne Miel</strong> <span style="color:rgb(153,153,153)">/</span> Principal Engineer (he, him, his)<br>
<a href="mailto:smiel@cisco.com" style="color:rgb(23,78,134)" target="_blank">smiel@cisco.com</a><br>
(919) 923-6230<br>
<a href="https://www.cisco.com/site/us/en/products/security/index.html" title="https://www.cisco.com/site/us/en/products/security/index.html" style="color:rgb(23,78,134)" target="_blank">cisco.com</a>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
_______________________________________________<br>
Openid-specs-risc mailing list<br>
<a href="mailto:Openid-specs-risc@lists.openid.net" target="_blank">Openid-specs-risc@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-risc" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-risc</a><br>
</blockquote></div></div>
</blockquote></div>