Re: [OAUTH-WG] Signed JWK Sets

James Carnegie <kipz@docker.com> Thu, 18 April 2024 09:06 UTC

From: James Carnegie <kipz@docker.com>
Date: Thu, 18 Apr 2024 10:06:32 +0100
Message-ID: <CAOF4XvAvcu9JCh2nq6i_fB1UED6D9TcFb4MddcYiibAbOq7Adw@mail.gmail.com>
To: oauth@ietf.org
Cc: goldbe@bastionzero.com, richbarn@cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/t6xXAt0QiCPltJqXkya-oFWyv14>
Subject: Re: [OAUTH-WG] Signed JWK Sets

Hi there,

FWIW, this is a really interesting proposal, and I recognise the use case
in 1.2. Use Case: Verifying Stored Signature.

From a Docker perspective, being able to sign attestations on container
images using workload identity (e.g. GitHub) using something like
OpenPubkey (https://github.com/openpubkey/openpubkey) would be great, and
this proposal would help us to verify signatures created under previous
(expired) OIDC public keys.

Thanks,

James Carnegie (supply chain engineer at Docker)
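
The following Go program is an added illustration of the stored-signature use case described in the message above; it is not part of James Carnegie's post, of OpenPubkey, or of the draft under discussion. It assumes a design in which the provider keeps publishing every key it has ever signed with as a JWK Set wrapped in a JWS, signed by a long-lived set-signing key that the verifier pins out of band. The key IDs, issuer URL, claims and the name "jwks-signer" are made up for the example, and the ES256 JWS handling is a minimal hand-rolled implementation rather than a library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JWK holds the members of an EC public-key JWK (RFC 7517/7518); JWKS is a JWK Set.
type JWK map[string]string
type JWKS struct{ Keys []JWK `json:"keys"` }

var b64 = base64.RawURLEncoding

func toJWK(kid string, pub *ecdsa.PublicKey) JWK {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return JWK{"kid": kid, "kty": "EC", "crv": "P-256", "x": b64.EncodeToString(x), "y": b64.EncodeToString(y)}
}

// publicKey decodes a JWK and rejects anything that is not a valid P-256 point.
func (k JWK) publicKey() (*ecdsa.PublicKey, error) {
	x, errX := b64.DecodeString(k["x"])
	y, errY := b64.DecodeString(k["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if k["kty"] != "EC" || k["crv"] != "P-256" || errX != nil || errY != nil || !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, fmt.Errorf("unsupported or malformed JWK %q", k["kid"])
	}
	return pub, nil
}

// signJWS builds a compact ES256 JWS: b64(header).b64(payload).b64(r||s). Issuer side only.
func signJWS(priv *ecdsa.PrivateKey, kid string, payload []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	h := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:]) // a failing rand.Reader is not handled in this demo
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig)
}

// verifyJWS checks a compact ES256 JWS with the key its kid names in set; alg is fixed, never taken from the token.
func verifyJWS(jws string, set *JWKS) ([]byte, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWS")
	}
	hdrBytes, errH := b64.DecodeString(parts[0])
	sig, errS := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if errH != nil || errS != nil || json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "ES256" || hdr.Kid == "" || len(sig) != 64 {
		return nil, fmt.Errorf("bad header, alg, kid or signature encoding")
	}
	for _, k := range set.Keys {
		if k["kid"] != hdr.Kid {
			continue
		}
		pub, err := k.publicKey()
		if err != nil {
			return nil, err
		}
		h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
		if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
			return nil, fmt.Errorf("signature invalid for kid %q", hdr.Kid)
		}
		return b64.DecodeString(parts[1])
	}
	return nil, fmt.Errorf("kid %q not in key set", hdr.Kid)
}

// Scenario: a token is stored, the provider rotates, and the stored token is checked against both key sets.
func Scenario() (liveErr, historyErr error) {
	setSigner, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	oldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	stored := signJWS(oldKey, "2023-q4", []byte(`{"iss":"https://op.example","sub":"repo:org/app"}`))
	live := &JWKS{Keys: []JWK{toJWK("2024-q1", &newKey.PublicKey)}} // after rotation the old kid is gone
	_, liveErr = verifyJWS(stored, live)
	// Assumed design: the provider publishes every key it has used as a JWK Set signed by a pinned set-signing key.
	histJSON, _ := json.Marshal(JWKS{Keys: []JWK{toJWK("2023-q4", &oldKey.PublicKey), toJWK("2024-q1", &newKey.PublicKey)}})
	pinned := &JWKS{Keys: []JWK{toJWK("jwks-signer", &setSigner.PublicKey)}}
	history := &JWKS{}
	payload, err := verifyJWS(signJWS(setSigner, "jwks-signer", histJSON), pinned)
	if err != nil || json.Unmarshal(payload, history) != nil {
		return liveErr, fmt.Errorf("historical JWK Set rejected: %v", err)
	}
	_, historyErr = verifyJWS(stored, history)
	return liveErr, historyErr
}

func main() {
	liveErr, historyErr := Scenario()
	fmt.Println("live JWKS:", liveErr, "| signed historical JWKS:", historyErr)
}
```

Run as is: the stored token fails against the live JWKS (its kid is no longer published) and succeeds against the historical set once that set's own signature has been checked against the pinned key. Two points a practitioner would want beyond this sketch: the verifier fixes the algorithm and looks keys up by kid only inside an authenticated set, so neither the token nor an unsigned JWKS fetch can steer it to an attacker-supplied key; and the example does not record when each retired key was valid for signing, so a real deployment still needs a way to tie the stored signature's time to the key's validity window rather than accepting any key the provider ever used.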