SIOP Issue 3 - Support for attesting keys from the past

Issue #1181 resolved
Tobias Looker created an issue

Currently, as per the SIOP specification, the sub field of the id token returned in a SIOP response is required to be the JWK thumbprint of the sub_jwk value, which must also be present in the response. This relationship therefore prevents cryptographic good practice by eliminating the ability to perform key rotation of the sub_jwk value without creating another sub value (hence a new identity to relying parties). This point is summarized in the presentation I did at SIOP meetup 2, in slides 8 to 12 of this presentation.

Essentially the suggested resolution (captured on slide 10) is that there needs to be a breaking change around this statement for SIOP that redefines this to allow for key rotation.
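To make the coupling described in the issue concrete, the following added example (not code from the issue author or from the SIOP specification project) computes the RFC 7638 JWK thumbprint the way a relying party would derive the expected sub from sub_jwk, and then shows that rotating the key necessarily changes sub. The two EC keys are constructed sample values (arbitrary 32-byte coordinates, not real curve points), and the function names are this example's own.

```python
import base64
import hashlib
import json

# RFC 7638: the thumbprint input contains only the required members of the key type,
# serialised as JSON with members in lexicographic order and no whitespace.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """base64url without padding, as used in JWK and JWT."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members.

    Optional members such as kid, use or alg never influence the result, so two
    JWKs that differ only in those still share a thumbprint.
    """
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    missing = [m for m in REQUIRED_MEMBERS[kty] if m not in jwk]
    if missing:
        raise ValueError(f"JWK missing required members: {missing}")
    canonical = json.dumps(
        {m: jwk[m] for m in REQUIRED_MEMBERS[kty]},
        sort_keys=True,
        separators=(",", ":"),
        ensure_ascii=False,
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def siop_sub_for(sub_jwk: dict) -> str:
    """The sub value an SIOP id token must carry under the current spec text."""
    return jwk_thumbprint(sub_jwk)


def id_token_claims_consistent(claims: dict) -> bool:
    """Relying-party side check: sub must equal the thumbprint of sub_jwk."""
    return claims.get("sub") == jwk_thumbprint(claims["sub_jwk"])


# Constructed sample keys (hypothetical coordinates, labelled as such; not valid P-256 points).
KEY_V1 = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes([0x01] * 32)),
    "y": b64url(bytes([0x02] * 32)),
    "kid": "holder-key-v1",
}
# The "rotated" key: same holder, new key material.
KEY_V2 = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes([0x03] * 32)),
    "y": b64url(bytes([0x04] * 32)),
    "kid": "holder-key-v2",
}


def rotation_changes_sub(old_jwk: dict, new_jwk: dict) -> bool:
    """True when rotating old_jwk to new_jwk would change the SIOP sub (a new identity)."""
    return siop_sub_for(old_jwk) != siop_sub_for(new_jwk)


if __name__ == "__main__":
    print("sub for v1:", siop_sub_for(KEY_V1))
    print("sub for v2:", siop_sub_for(KEY_V2))
    print("rotation changes sub:", rotation_changes_sub(KEY_V1, KEY_V2))
    # An id token built with the old sub but the rotated sub_jwk fails the RP's check.
    stale = {"sub": siop_sub_for(KEY_V1), "sub_jwk": KEY_V2}
    print("stale token accepted:", id_token_claims_consistent(stale))
```

The last two lines show the practical consequence the issue raises: a holder that rotates sub_jwk while keeping the old sub produces an id token that fails the thumbprint check, and a holder that updates sub to match looks like a different subject to every relying party.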

Comments (5)
