SIOP Issue 3 - Support for attesting keys from the past
Currently, as per the specification for SIOP today, the sub field of the ID token returned in a SIOP response is required to be the JWK thumbprint of the sub_jwk value, which must also be present in the response. This relationship therefore prevents cryptographic good practice by eliminating the ability to perform key rotation of the sub_jwk value without creating another sub value (hence a new identity to relying parties). This point is summarized in the presentation I did at SIOP meetup 2, in slides 8 to 12 of this presentation.

Essentially the suggested resolution (captured on slide 10) is that there needs to be a breaking change around this statement for SIOP that redefines this to allow for key rotation.
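The binding the issue describes, worked through as an added example (this is not code from the issue, the SIOP specification, or the presentation): an RFC 7638 JWK thumbprint implementation, the sub/sub_jwk relationship it produces on the OP side, the matching check on the relying-party side, and what happens to both when the key is rotated. The two P-256 keys, the audience and issuer values, and the DID-based variant at the end (a did:example identifier with a constructed DID document, looked up by thumbprint) are all assumptions of this example and are not the specification's mechanism for the resolution mentioned later in the thread.

```python
import base64
import hashlib
import hmac
import json

# RFC 7638 section 3.2: the members that are hashed, per key type. Anything
# else (kid, alg, use, ...) is ignored, so relabelling a key keeps its
# thumbprint, while any change to the key material changes it.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members serialised as
    JSON with keys in lexicographic order and no whitespace, base64url-encoded."""
    kty = jwk.get("kty")
    members = _THUMBPRINT_MEMBERS.get(kty) if isinstance(kty, str) else None
    if members is None:
        raise ValueError(f"unsupported or missing kty: {kty!r}")
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK lacks required member(s) {missing}")
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url_nopad(hashlib.sha256(canonical.encode("utf-8")).digest())


def self_issued_claims(sub_jwk: dict, aud: str) -> dict:
    """ID token claims under the rule the issue describes: sub is the
    thumbprint of sub_jwk, so the OP cannot choose sub independently."""
    return {"iss": "https://self-issued.me", "aud": aud,
            "sub": jwk_thumbprint(sub_jwk), "sub_jwk": sub_jwk}


def sub_is_bound_to_key(claims: dict) -> bool:
    """Relying-party side of that rule: sub must equal the thumbprint of the
    sub_jwk in the same token. (Verifying the JWS signature against sub_jwk is
    a separate step, not modelled here.)"""
    sub, sub_jwk = claims.get("sub"), claims.get("sub_jwk")
    if not isinstance(sub, str) or not isinstance(sub_jwk, dict):
        return False
    try:
        expected = jwk_thumbprint(sub_jwk)
    except ValueError:
        return False
    return hmac.compare_digest(sub.encode("utf-8"), expected.encode("utf-8"))


# Two sample P-256 public keys (constructed for this example; the coordinates
# are not validated as curve points, the thumbprint only hashes the JSON).
KEY_2019 = {"kty": "EC", "crv": "P-256", "kid": "2019", "alg": "ES256",
            "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
            "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}
KEY_2021 = {"kty": "EC", "crv": "P-256", "kid": "2021", "alg": "ES256",
            "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
            "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}


def demo_rotation(aud: str = "https://rp.example") -> dict:
    """Rotate KEY_2019 -> KEY_2021 under the current rule and report what the
    RP sees: keeping sub fails the check, recomputing sub passes it but yields
    a different identifier, i.e. a new identity to the RP."""
    before = self_issued_claims(KEY_2019, aud)
    keep_sub = {**before, "sub_jwk": KEY_2021}      # same identity, new key
    fresh = self_issued_claims(KEY_2021, aud)        # new key, recomputed sub
    return {"before_accepted": sub_is_bound_to_key(before),
            "keep_sub_accepted": sub_is_bound_to_key(keep_sub),
            "fresh_accepted": sub_is_bound_to_key(fresh),
            "identity_changed": before["sub"] != fresh["sub"]}


# Sketch of a subject that is not derived from the key (an assumption of this
# example, not the specification's mechanism): sub is a DID and the RP looks
# the presented key up in a DID document the controller can update.
DID = "did:example:123456789abcdefghi"


def did_document(did: str, current_keys: list) -> dict:
    """Constructed DID document listing the currently valid keys."""
    return {"id": did,
            "verificationMethod": [{"id": f"{did}#{k['kid']}", "controller": did,
                                    "publicKeyJwk": k} for k in current_keys]}


def sub_is_bound_via_did(claims: dict, doc: dict) -> bool:
    """Accept if sub is the document's DID and the presented key is listed."""
    if claims.get("sub") != doc.get("id") or not isinstance(claims.get("sub_jwk"), dict):
        return False
    try:
        presented = jwk_thumbprint(claims["sub_jwk"]).encode("utf-8")
    except ValueError:
        return False
    return any(hmac.compare_digest(presented, jwk_thumbprint(vm["publicKeyJwk"]).encode("utf-8"))
               for vm in doc.get("verificationMethod", []))


def demo_did_rotation(aud: str = "https://rp.example") -> dict:
    """Same rotation with a DID subject: sub is unchanged, and the old key is
    rejected once the document no longer lists it."""
    base = {"iss": "https://self-issued.me", "aud": aud, "sub": DID}
    old_tok, new_tok = {**base, "sub_jwk": KEY_2019}, {**base, "sub_jwk": KEY_2021}
    doc_before, doc_after = did_document(DID, [KEY_2019]), did_document(DID, [KEY_2021])
    return {"before_accepted": sub_is_bound_via_did(old_tok, doc_before),
            "after_new_key_accepted": sub_is_bound_via_did(new_tok, doc_after),
            "after_old_key_accepted": sub_is_bound_via_did(old_tok, doc_after),
            "identity_changed": old_tok["sub"] != new_tok["sub"]}
```

demo_rotation() shows the two outcomes available under the thumbprint rule: a token that keeps its sub and swaps the key is rejected, and a token that recomputes sub is accepted but carries a different identifier. demo_did_rotation() shows the property the issue asks for, a stable sub across rotation, obtained by moving the key binding out of the identifier and into something the subject can update.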
Comments (5)
reporter -
Breaking change is fine. If we were to do it, it is now. Also, in a previous call, I thought there was a mention of a potential method that could somewhat alleviate the "breaking-ness".

Is this issue taken care of by https://bitbucket.org/openid/connect/src/master/SIOP/draft-jones-self_issued_identifier.md ?
- changed status to open
- changed component to SIOP
- changed status to resolved
resolved by including DIDs as an option for subject_syntax_type in addition to sub_jwk