[Federation][Metadata] Redefinition of signed_jwks_uri
In 4.1. RP Metadata and 4.2 OP Metadata we have the definition of signed_jwks_uri, this say “The JWT is signed with a key that was included in the JWK that the entity published in its self-signed entity statement.“
I think that we could redefine this by indicating that the JWT should be signed by an entity with which trust has been established.
It can be signed by the same entity that publishes it, with the JWKs in its entity configuration or by a higher entity or by the Trust Anchor. This change wouldn’t affect the previous implementations, that will continue working as they are.
This aspect affects the registration models of the participants and what is asked to the participants to submit during the registration phase.
In some cases it is necessary that the keys cannot change without an approval of these at higher levels. This impacts the trust model.
this issue is related to the problem set out here and aims to solve it, in a different manner. One or more federation entity may adopt a registry of all the trustable public keys of their descendants and in case of litigation between the parties this would be a proof.
the text that would change in this way
”The JWT is signed with a key that is assumed to be trustable, this can be the JWK that the entity has published in its entity statement or the one published by the Trust Anchor or its Intermediaries.”
Comments (2)
-
reporter -
reporter - changed status to resolved
- Log in to comment
I consider this proposal impossible to realize because a leaf can be resolved at different Trust Anchor therefore the signature of the jwks must be selfsigned by the leaf and verifiable by trust chain, It is impossible to consider that the jwks signed by one Trust Anchor rather than another.
If we agreed I would consider this issue useless and to be closed