Re: [OAUTH-WG] Signed JWK Sets

Michael Jones <michael_b_jones@hotmail.com> Sun, 17 March 2024 08:59 UTC

From: Michael Jones <michael_b_jones@hotmail.com>
To: Richard Barnes <rlb@ipv.sx>, "oauth@ietf.org WG" <oauth@ietf.org>
CC: Sharon Goldberg <goldbe@bastionzero.com>
Thread-Topic: [OAUTH-WG] Signed JWK Sets
Thread-Index: AQHaeC/UUy5MTMaZJku8hmwFtwRvCbE7oQ7Q
Date: Sun, 17 Mar 2024 08:59:34 +0000
Message-ID: <SJ0PR02MB7439C916CB3F603C8E41ED53B72E2@SJ0PR02MB7439.namprd02.prod.outlook.com>
References: <CAL02cgSANrR=nys3RXDOYJPibLkv25X8Okq4dhL0Dpfi_ZSS_A@mail.gmail.com>
In-Reply-To: <CAL02cgSANrR=nys3RXDOYJPibLkv25X8Okq4dhL0Dpfi_ZSS_A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/O4hOWph9lFuEVkgGfG_uNzeyfmg>
Subject: Re: [OAUTH-WG] Signed JWK Sets

Signed JWK Sets are part of the OpenID Federation specification and are in production use.  For instance, see https://openid.net/specs/openid-federation-1_0.html#name-metadata-extensions-for-jwk and the "keys" registration at https://openid.net/specs/openid-federation-1_0.html#name-registry-contents-7.  I believe that should already do what you need.  If you believe it doesn't, I'd be curious to discuss why not with you here in Brisbane.

Best wishes,
-- Mike

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Richard Barnes
Sent: Sunday, March 17, 2024 3:55 PM
To: oauth@ietf.org WG <oauth@ietf.org>
Cc: Sharon Goldberg <goldbe@bastionzero.com>
Subject: [OAUTH-WG] Signed JWK Sets

Hi all,

A few of us have been considering use cases for JWTs related to Verifiable Credentials and container signing, which require better "proof of authority" for JWT signing keys.  Sharon Goldberg and I wrote up a quick specification for how to sign a JWK set, and how you might extend discovery mechanisms to present such a signed JWK set:

https://github.com/bifurcation/redistributable-jwks/blob/main/draft-barnes-oauth-redistributable-jwks.md

(Just in GitHub for now; will publish as an I-D when the window reopens tomorrow.)

If we could get this functionality added to OAuth / OIDC, it would make these use cases work a lot better.  As a prelude toward proposing working group adoption, it would be great to know if this design seems helpful to other folks as well.  Obviously, happy to answer any questions / comments.

Thanks,
--Richard