https://tools.ietf.org/html/rfc7515#section-4.1.2
I had planned to implement support for URL-based keys in my JCS specification to make it even more compatible with JOSE. However, I haven't done that yet, and now I'm beginning to actually question the value of this concept. If somebody could provide a compelling real-world use case I would be more than happy!

In the meantime I have toyed with another scheme combining URLs and in-line (JWK) public key descriptors, coined "Authority Objects". The core features include:

- Signed objects can always be verified for [technical] correctness including off-line
- Arbitrary extensive issuer information and its associated keys are kept in a consolidated document (which in turn may have been signed by another "governing" party)
- Intrinsic revocation support

Actual example (if the server is up and running...):
https://mobilepki.org/webpay-acquirer/

Concept specification:
https://cyberphone.github.io/doc/defensive-publications/authority-objects.pdf

Comments?

Anders
