Bilal, I guess my first question is, "What problem are you trying to solve here?"
The current "https" client ID will yield an X.509 certificate that (assuming you are following the best practices) matches the hostname in the URL and is trusted in some way (signed by an approved CA and/or pinned). Adding a signature to the metadata might protect against "insider" attacks but adds a lot of complexity - either you use the same (short-lived) X.509 cert you are using for the web server and regenerate the metadata document regularly or you somehow get a separate certificate that is signed by a trusted CA, presumably with a longer lifespan. One of the things I like best about the current (unsigned) metadata documents is their simplicity and scalability...

> On Apr 15, 2026, at 6:40 AM, Bilal Ashraf <[email protected]> wrote:
>
> Hi,
>
> I have shared my thoughts in this article regarding adding PKI-based trust
> in OAuth Client ID Metadata Documents.
>
> https://medium.com/@bilal.ashraf_69490/oauth-cimd-pki-trust-extension-c5b41eab12a9
>
> Like to get your thoughts on this.
>
> Regards,
> Bilal.

________________________
Michael Sweet

_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
