Hi OAuth folks,

Thanks to everyone for the discussion on the adoption thread for this
draft.  This revision is mostly unchanged, except that we added a few notes
about risks related to compromise of web servers that hold certificates
that could be used to issue PIKAs.


---------- Forwarded message ---------
From: <internet-dra...@ietf.org>
Date: Mon, Jul 8, 2024 at 6:32 PM
Subject: New Version Notification for draft-barnes-oauth-pika-01.txt
To: Richard L. Barnes <r...@ipv.sx>, Sharon Goldberg <gol...@bastionzero.com>

A new version of Internet-Draft draft-barnes-oauth-pika-01.txt has been
successfully submitted by Richard Barnes and posted to the
IETF repository.

Name:     draft-barnes-oauth-pika
Revision: 01
Title:    Proof of Issuer Key Authority (PIKA)
Date:     2024-07-08
Group:    Individual Submission
Pages:    11
URL:      https://www.ietf.org/archive/id/draft-barnes-oauth-pika-01.txt
Status:   https://datatracker.ietf.org/doc/draft-barnes-oauth-pika/
HTML:     https://www.ietf.org/archive/id/draft-barnes-oauth-pika-01.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-barnes-oauth-pika


   A relying party verifying a JSON Web Token (JWT) needs to verify that
   the public key used to verify the signature legitimately represents
   the issuer represented in the "iss" claim of the JWT.  Today, relying
   parties commonly use the "iss" claim to fetch a set of authorized
   signing keys over HTTPS, relying on the security of HTTPS to
   establish the authority of the downloaded keys for that issuer.  The
   ephemerality of this proof of authority makes it unsuitable for use
   cases where a JWT might need to be verified for some time.  In this
   document, we define a format for Proofs of Issuer Key Authority,
   which establish the authority of a key using a signed object instead
   of an HTTPS connection.

The IETF Secretariat
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
