Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clarify scope of Resolve Issuer #46

Open
JAG-UK opened this issue Nov 5, 2024 · 2 comments
Open

Clarify scope of Resolve Issuer #46

JAG-UK opened this issue Nov 5, 2024 · 2 comments
Assignees
@achamayou
Milestone
Draft 03

Comments

@JAG-UK
Copy link
Contributor

JAG-UK commented Nov 5, 2024

The intent statement currently says:

This endpoint is used to discover verification keys, which is the reason that authentication is not required.

In use cases where this endpoint is useful, it's often the case that you want more metadata/supporting evidence than purely keys.

A suggestion from the field: return supporting evidence enabling the client to verify the issuer signature at the time of registration
@JAG-UK
Copy link
Contributor Author

JAG-UK commented Nov 5, 2024

Additionally there's a naïve notion that this information should be returned with no auth.
This is great from a global verifiability point of view but it needs a balancing statement that allows/encourages auth for things that might contain PII, for example.

@achamayou
Copy link
Contributor

+1 for removing the authentication restriction, while some transparency services like CT are scoped to the internet at large, others may be scoped to a group or an organisation.

In use cases where this endpoint is useful, it's often the case that you want more metadata/supporting evidence than purely keys.

Can you elaborate on this? Although I see the case for additional key-related metadata (e.g. validity ranges in the ledger, cross-endorsement), I am curious about other metadata and to what extent it's worth bundling together/splitting.

@achamayou achamayou mentioned this issue Nov 28, 2024
Closed
@SteveLasker SteveLasker mentioned this issue Dec 3, 2024
Open
achamayou added a commit to achamayou/draft-ietf-scitt-scrapi that referenced this issue Dec 4, 2024
@achamayou
Make authentication stance consistent in the document
cb44b99 
Proposed resolution for ietf-wg-scitt#14 and ietf-wg-scitt#46, as discussed with @SteveLasker, @OR13 and @henkbirkholz.
@achamayou achamayou mentioned this issue Dec 4, 2024
Merged
SteveLasker added a commit that referenced this issue Dec 20, 2024
@achamayou @SteveLasker
Make authentication stance consistent in the document (#52)
e1ece4c 
* Make authentication stance consistent in the document

Proposed resolution for #14 and #46, as discussed with @SteveLasker, @OR13 and @henkbirkholz.

* Update draft-ietf-scitt-scrapi.md

---------

Co-authored-by: Steve Lasker <[email protected]>
@SteveLasker SteveLasker added this to the Draft 03 milestone Jan 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@achamayou achamayou

Labels
None yet
Projects
None yet
Milestone
Draft 03
Development

No branches or pull requests
3 participants
@achamayou @SteveLasker @JAG-UK