Re: [OAUTH-WG] Signed JWK Sets

Michael Jones <michael_b_jones@hotmail.com> Sun, 17 March 2024 23:28 UTC

From: Michael Jones <michael_b_jones@hotmail.com>
To: Richard Barnes <rlb@ipv.sx>, "oauth@ietf.org WG" <oauth@ietf.org>
CC: Sharon Goldberg <goldbe@bastionzero.com>
Date: Sun, 17 Mar 2024 23:28:03 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BSxZZpxV6zkz8T112zeGsB0IHSY>

Also, see the additional key parameter registrations https://openid.net/specs/openid-federation-1_0.html#section-16.8, which can be used to indicate key expiration time, etc.

From: Michael Jones
Sent: Sunday, March 17, 2024 7:00 PM
To: Richard Barnes <rlb@ipv.sx>; oauth@ietf.org WG <oauth@ietf.org>
Cc: Sharon Goldberg <goldbe@bastionzero.com>
Subject: RE: [OAUTH-WG] Signed JWK Sets

Signed JWK Sets are part of the OpenID Federation specification and are in production use.  For instance, see https://openid.net/specs/openid-federation-1_0.html#name-metadata-extensions-for-jwk and the "keys" registration at https://openid.net/specs/openid-federation-1_0.html#name-registry-contents-7.  I believe that should already do what you need.  If you believe it doesn't, I'd be curious to discuss why not with you here in Brisbane.

Best wishes,
-- Mike

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Richard Barnes
Sent: Sunday, March 17, 2024 3:55 PM
To: oauth@ietf.org WG <oauth@ietf.org>
Cc: Sharon Goldberg <goldbe@bastionzero.com>
Subject: [OAUTH-WG] Signed JWK Sets

Hi all,

A few of us have been considering use cases for JWTs related to Verifiable Credentials and container signing, which require better "proof of authority" for JWT signing keys.  Sharon Goldberg and I wrote up a quick specification for how to sign a JWK set, and how you might extend discovery mechanisms to present such a signed JWK set:

https://github.com/bifurcation/redistributable-jwks/blob/main/draft-barnes-oauth-redistributable-jwks.md

(Just in GitHub for now; will publish as an I-D when the window reopens tomorrow.)

If we could get this functionality added to OAuth / OIDC, it would make these use cases work a lot better.  As a prelude toward proposing working group adoption, it would be great to know if this design seems helpful to other folks as well.  Obviously, happy to answer any questions / comments.

Thanks,
--Richard
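The thread discusses wrapping a JWK Set in a signed JWT and, per Mike's pointer to the OpenID Federation JWK extensions, giving individual keys expiry and revocation metadata. The following is an added illustration, not code from either draft or from the OpenID Federation implementations: it assumes a JWT whose "keys" claim carries the set with iss/iat/exp on the outer JWT and per-key "exp", "nbf" and "revoked" members, uses HS256 with a constructed shared secret as a stand-in for the asymmetric signature a real issuer would use, and shows a relying party verifying the set and keeping only keys that are currently usable.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret: HS256 stands in for the asymmetric signature a real
# issuer would use; the JWT layout and the validity checks are the point here.
DEMO_SECRET = b"constructed-demo-secret"
DEMO_ISSUER = "https://issuer.example"   # constructed
DEMO_NOW = 1_710_720_000                  # constructed reference time (epoch seconds)
# Constructed JWK stubs: only the members the checks look at are populated.
DEMO_KEYS = [
    {"kid": "current", "kty": "EC", "crv": "P-256"},
    {"kid": "expired", "kty": "EC", "crv": "P-256", "exp": DEMO_NOW - 60},
    {"kid": "future", "kty": "EC", "crv": "P-256", "nbf": DEMO_NOW + 3600},
    {"kid": "pulled", "kty": "EC", "crv": "P-256",
     "revoked": {"revoked_at": DEMO_NOW - 10, "reason": "keyCompromise"}},
]

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwk_set(issuer: str, keys: list, now: int, lifetime: int = 86400) -> str:
    """Wrap a JWK Set in a compact JWS; iss/iat/exp give the whole set a validity window."""
    header = {"alg": "HS256", "typ": "jwk-set+jwt"}   # 'typ' value is an assumption
    payload = {"iss": issuer, "iat": now, "exp": now + lifetime, "keys": keys}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(payload).encode())
    tag = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(tag)

def usable_keys(token: str, expected_iss: str, now: int) -> list:
    """Verify the signed set, then keep only keys whose own metadata says they are usable now."""
    h, p, s = token.split(".")
    if json.loads(_unb64(h)).get("alg") != "HS256":       # pin the expected algorithm
        raise ValueError("unexpected alg")
    tag = hmac.new(DEMO_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, _unb64(s)):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(p))
    if payload.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    if now >= payload.get("exp", 0):
        raise ValueError("signed JWK set has expired")
    good = []
    for k in payload["keys"]:
        if "revoked" in k or now < k.get("nbf", 0) or now >= k.get("exp", now + 1):
            continue   # revoked, not yet valid, or expired: do not trust it for new verifications
        good.append(k)
    return good
```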