- edited description
SIOP Issue 3 - Support for attesting keys from the past
Issue #1181
resolved
Currently as per the specification for SIOP today the sub field of the id token returned in a SIOP response requires it to be the JWK thumbprint of the sub_jwk value that must also be present in the response. This relationship therefore prevents cryptographic good practise by eliminating the ability to perform key rotation of the sub_jwk value without creating another sub value (hence a new identity to relying parties). This point is summarized in the presentation I did at SIOP meetup 2 in slides 8-to-12 of this presentation.
Essentially the suggested resolution (captured on slide 10) is that there needs to be a breaking change around this statement for SIOP that redefines this to allow for key rotation.
Comments (5)
-
reporter
-
Breaking change is fine. If we were to do it, it is now. Also, in a previous call, I thought there was a mention of a potential method that could somewhat alleviate the “breaking-ness”.
Is this issue taken care of by https://bitbucket.org/openid/connect/src/master/SIOP/draft-jones-self_issued_identifier.md ?
-
- changed status to open
-
- changed component to SIOP
-
- changed status to resolved
resolved by including DIDs as an option for
subject_syntax_typein addition to sub_jwk - Log in to comment
- Assignee
- –
- Type
- Priority
- Status
- resolved
- Component
- SIOP
- Milestone
- Ammendment
- Version
- –
- Votes
- 0
- Watchers
- 2
