New response mode direct_post.jwt

Comments (9)

1. 

   Kristina Yasuda

   • changed status to open

   PR #399

   also added JARM examples

   • 2023-01-07T01:59:43+00:00
2. 

   Torsten Lodderstedt

   What is the purpose of combining direct post with JARM?

   • 2023-01-09T12:10:13+00:00
3. 

   Daniel Fett reporter

   What is the reason to use JARM in other use cases? (I can guess the answer, but this should probably be spelled out in the text.)

   With direct_post, maybe there are use cases where you would want to use encryption to ensure that only a specific receiver can decrypt the response or where a regulation required application-level encryption for some reason.

   All I’m saying is that if implementer’s may combine JARM with direct_post, this needs to be defined. Otherwise it should be mentioned as not supported.

   • 2023-01-09T12:26:20+00:00
4. 

   Kristina Yasuda

   I think we should not exclude an option to use JARM with response_mode direct_post. Because some implementers in ISO mDL ecosystem have expressed interest in supporting application level E2E encryption using JARM on top of TLS. It would be limiting having that option only with redirects and not direct_post.

   • 2023-01-09T18:50:12+00:00
5. 

   gffletch

   Any suggestions on how developers find all the different defined response modes and what specs they are defined in?

   • 2023-01-11T15:36:06+00:00
6. 

   Kristina Yasuda

   everything except direct_post.jwt is in JARM spec, which is final, only direct_post.jwt is is openid4vp because that is the only place you will need it.

   • 2023-01-11T17:32:03+00:00
7. 

   Torsten Lodderstedt

   I think we should not exclude an option to use JARM with response_mode direct_post. Because some implementers in ISO mDL ecosystem have expressed interest in supporting application level E2E encryption using JARM on top of TLS. It would be limiting having that option only with redirects and not direct_post.

   I understand use of JARM in case of front channel requests, I’m less convinced of JARM in backend, HTTPS protected requests.

   If I got your argument right, we would perhaps also need to introduce application level encryption for the token response as well. Is that intended?

   • 2023-01-12T13:26:54+00:00
8. 

   Torsten Lodderstedt

   What is the reason to use JARM in other use cases?

   Good question. From the JARM spec: “… it adds support for signing and encryption, sender authentication, audience restriction as well as protection from replay, credential leakage, and mix-up attacks.”

   That makes sense for front channel requests because they lack those measures (between verifier and wallet).

   direct post is different, as it has most of it at the TLS/HTTPS layer. Sender authentication is the missing piece. I’m not sure JARM is the only/best option for it in the context of direct post.

   ‌

   • 2023-01-12T13:36:08+00:00
9. 

   Kristina Yasuda

   • changed status to resolved

   PR merged

   • 2023-02-02T03:47:35+00:00
10. Log in to comment