[OAUTH-WG] Getting software statements
Ben van Hartingsveldt | Yocto <ben.vanhartingsveldt@yocto.com> Sat, 27 June 2026 21:36 UTC
Return-Path: <ben.vanhartingsveldt@yocto.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 39D4F108E7AD4 for <oauth@mail2.ietf.org>; Sat, 27 Jun 2026 14:36:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1782596203; bh=oJfE7W2Q2bYKifvRSEzlGRfvNuIkovck0wTFKEIsgKI=; h=Date:From:To:Subject; b=MJt68epOOXmH+aUlZrbYnU4BfyCJYiuc1NLxgOOvoYtXUL/z0eClu/iSljLSAdK4W NnU5+ZYoZIyFFpYEkMkZRCjGpb1Sn/c0xNkgWOyTlZpqhZai+GGesManyCJ8boRZkP mD/lvqOVvED38nKwsUyJIAOsTGlBOa/6DwYEKmSQ=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xU6qZX79wglO for <oauth@mail2.ietf.org>; Sat, 27 Jun 2026 14:36:41 -0700 (PDT)
Received: from mx2.yocto.eu (ns2.yoctodns.com [136.144.225.232]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 247C0108E7A2D for <oauth@ietf.org>; Sat, 27 Jun 2026 14:36:09 -0700 (PDT)
MIME-Version: 1.0
Authentication-Results: mx2.yocto.eu; auth=pass smtp.mailfrom=ben.vanhartingsveldt@yocto.com
Date: Sat, 27 Jun 2026 21:36:02 +0000
From: Ben van Hartingsveldt | Yocto <ben.vanhartingsveldt@yocto.com>
To: oauth@ietf.org
Message-ID: <26abc70beaf1b0792d51c02e4b65a8d5@yocto.com>
X-Sender: ben.vanhartingsveldt@yocto.com
Organization: Yocto
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spamd-Bar: -
Message-ID-Hash: 3LOXMVYKKMSGE2I35HW6NJDSDXNXYHTK
X-Message-ID-Hash: 3LOXMVYKKMSGE2I35HW6NJDSDXNXYHTK
X-MailFrom: ben.vanhartingsveldt@yocto.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Getting software statements
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FkqF0xN9hJIC3IJxpcE39WHBqHM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Hello all, Recently I started investigating in developing Android apps (so public clients) for my products. I use Dynamic Client Registration (DCR) and want to use Software Statement Assertion (SSA) too. Now I am wondering if I should hardcode my software statement in the app, or that I should host the software statement on a HTTPS location I own. With the first option, I may not be able to resign the software statement with a new private key if I have to; with the last option, I have no standardized way to get the software statement. Is there some plan to make it possible to discover software statements by `software_id` and `software_version` in combination with some .well-known or DNS mechanism? And am I doing things right in the first place? Thanks in advance Ben
- [OAUTH-WG] Re: Getting software statements Michael Schwartz
- [OAUTH-WG] Getting software statements Ben van Hartingsveldt | Yocto
- [OAUTH-WG] Re: Getting software statements Ben van Hartingsveldt | Yocto