Clarify public signing key requirements for IdPs as NPE certificates

Issue #42 resolved
Tom Clancy created an issue

[2.3] The IdP’s public signing keys MUST be made available in the form of NPE certificates issued to the IdP.

Currently, the requirement reads: “[2.3] The public key of the issuing server is published in JSON Web Key (JWK) format.”

https://www.mitre.org/sites/default/files/2021-11/pr-19-3213-enterprise-tailored-oauth-profile.pdf

Comments (2)

  1. Tom Clancy reporter

    RESOLVED in PR #18 and PR#20/24 by streamlining key usage in JWK/JWK Sets, and recommending the use of NPE PKIs, when available, for implementation of RFC 8705 for client AuthN or sender-constraining tokens:

    A non-person entity PKI SHOULD be used rather than a self-signed TLS client certificate if available. The PKI method provides security value by allowing the authorization server to rely upon externally validated client entity identifiers and attributes, and simplifies lifecycle management, including key rotation.

  2. Tom Clancy reporter

    RESOLVED in PR #18 and PR#20/24 by streamlining key usage in JWK/JWK Sets, and recommending the use of NPE PKIs, when available, for implementation of RFC 8705 for client AuthN or sender-constraining tokens
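The two resolutions above point at RFC 8705 (mutual-TLS client authentication and certificate-bound access tokens) and at carrying NPE certificates in a JWK Set. The following is an added illustration, written for this page and not code from the issue, the PR or the MITRE profile, of the two pieces that make that work: publishing the certificate alongside the key entry in a JWK Set (RFC 7517 `x5c` and `x5t#S256` members, with `kid` so that a rotated key can be found), and the authorization server recording the client certificate's SHA-256 thumbprint in the `cnf` claim so a resource server can later check that the caller presenting the token over mTLS holds the same certificate (RFC 8705 section 3). The DER byte strings are constructed stand-ins, not real X.509 certificates, and the JWK entries omit the key members (`kty`, `n`, `e`) that a real deployment would extract from the certificate's SubjectPublicKeyInfo; those simplifications, the `kid` values and the policy of rejecting a token with no `cnf` claim are assumptions of this example.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins for DER-encoded X.509 certificates (NOT real certificates).
# Only their bytes matter here: the thumbprint is SHA-256 over the DER encoding.
IDP_SIGNING_CERT_2023_DER = b"\x30\x82\x01\x00constructed-idp-signing-cert-2023"
IDP_SIGNING_CERT_2024_DER = b"\x30\x82\x01\x00constructed-idp-signing-cert-2024"
CLIENT_NPE_CERT_DER = b"\x30\x82\x01\x00constructed-client-npe-cert"
OTHER_CLIENT_CERT_DER = b"\x30\x82\x01\x00constructed-other-client-cert"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by JOSE for thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def x5t_s256(cert_der: bytes) -> str:
    """RFC 7517 / RFC 8705 certificate thumbprint: base64url(SHA-256(DER))."""
    return b64url(hashlib.sha256(cert_der).digest())


def jwk_from_certificate(cert_der: bytes, kid: str, alg: str = "RS256") -> dict:
    """Build the certificate-related members of a JWK Set entry for an NPE cert.

    A real entry would also carry kty/n/e (or kty/crv/x/y) taken from the
    certificate's SubjectPublicKeyInfo; they are omitted in this stand-in.
    Note that x5c is standard base64 WITH padding (RFC 7517 section 4.7),
    while x5t#S256 is base64url WITHOUT padding.
    """
    return {
        "kid": kid,
        "use": "sig",
        "alg": alg,
        "x5c": [base64.b64encode(cert_der).decode("ascii")],
        "x5t#S256": x5t_s256(cert_der),
    }


def build_jwks(entries: list) -> dict:
    """Publish several signing keys at once so rotation does not break verifiers."""
    return {"keys": list(entries)}


def find_signing_key(jwks: dict, kid: str) -> Optional[dict]:
    """Select the signing key a JWS header's kid refers to; None if unknown."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            return key
    return None


def bind_token_to_certificate(claims: dict, client_cert_der: bytes) -> dict:
    """RFC 8705 section 3.1: the AS records the client's cert thumbprint in cnf."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(client_cert_der)}
    return bound


def verify_certificate_bound_token(claims: dict, presented_cert_der: bytes) -> bool:
    """RFC 8705 section 3: the resource server compares the cert presented over
    mTLS against the thumbprint the AS bound into the token.

    Assumption of this example: a token without cnf is not sender-constrained
    and is rejected outright rather than accepted as a bearer token.
    """
    expected = claims.get("cnf", {}).get("x5t#S256")
    if not expected:
        return False
    # Constant-time comparison of the two base64url strings.
    return hmac.compare_digest(expected, x5t_s256(presented_cert_der))


if __name__ == "__main__":
    # Key rotation: old and new IdP signing certs published side by side.
    jwks = build_jwks([
        jwk_from_certificate(IDP_SIGNING_CERT_2023_DER, "idp-sig-2023"),
        jwk_from_certificate(IDP_SIGNING_CERT_2024_DER, "idp-sig-2024"),
    ])
    print("kid lookup:", find_signing_key(jwks, "idp-sig-2024")["x5t#S256"])

    token = bind_token_to_certificate({"sub": "svc-a", "scope": "read"}, CLIENT_NPE_CERT_DER)
    print("same cert:", verify_certificate_bound_token(token, CLIENT_NPE_CERT_DER))
    print("other cert:", verify_certificate_bound_token(token, OTHER_CLIENT_CERT_DER))
```

The thumbprint check is what makes a stolen token useless without the matching private key: the resource server never needs the client's key itself, only the certificate the TLS layer already authenticated. Publishing multiple `kid` entries is what lets the IdP rotate its signing certificate without a flag day, which is the lifecycle point the resolution text makes.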