Musings by Brian
Brian Campbell edited this page May 9, 2024 · 1 revision
A rough sketch of what I've kinda had in my head for s2s (service-to-service) is:
1. Assume the workload identity has been bootstrapped/provisioned with, or has somehow otherwise obtained, an authority-signed service-id-token and a public/private key pair.
2. That service-id-token is a JWT that identifies the service/workload in the `sub` claim and uses the `cnf`/`jwk` confirmation method from RFC 7800 to bind it to the key pair.
3. When calling another service, the service-id-token is sent along with a service-id-token-pop, which is conceptually similar to a DPoP proof JWT and is signed with the workload/service private key.
4. That service-id-token-pop could contain a hash of a context token (something like a Txn-Token, but not necessarily that) that binds the PoP to the transaction/context.
I suspect Yaron would prefer some application of HTTP Message Signatures for 3) and 4) rather than a proof JWT, which would certainly be an option to consider. But I just wanted to put my rough musings into words here.