Excited to share a new IETF internet draft that @bifurcation and I just submitted to the OAuth working group.

We introduce PIKA: Proof of Issue Key Authority, to solve a problem relevant to #openpubkey, #oidc and JWTs in general.

What's a PIKA and why do I care?

OpenPubkey uses PK Tokens to allow an OpenID Provider (OP) to bind user identities to user-held public keys. This essentially allows the OP to act like a certificate authority, without any changes to today's OIDC.

PK Tokens are signed by the OP's signing keys. But, OP's rotate their signing keys over time. What happens if we need to use a PK Token *after* the OP rotates signing key?

This is where the PIKA comes in.

In this draft, we introduce the PIKA and show how it can be combined with a timestamping authority to allow PK Tokens to be used even after the OP rotates it signing key. The PIKA is a secure object that allows you to cache the OP's key, and verify using the OP's key even if the OP is offline.

And that's why I got interested in this work.

But our solution is much more generic and widely applicable than to just OpenPubkey. PIKAs allow the verification of JWTs, ID Tokens and other OIDC Tokens without querying the OP directly. You can use them to reduce the load on a OP, or to build applications that require caching or historical information about OP keys. Historical information about signing key is a particularly important in #softwaresupplychain usecases.

We're still digesting all the different ways that PIKAs can be used. Feel free to get in touch if you have any feedback!

https://www.ietf.org/archive/id/draft-barnes-oauth-pika-00.html