ConsumerDataStandardsAustralia / standards-maintenance

This repository houses the interactions, consultations and work management to support the maintenance of baselined components of the Consumer Data Right API Standards and Information Security profile.

Weaken JARM Encryption Requirements for ADRs #650

Open benkolera opened 2 months ago

benkolera commented 2 months ago

Description

Currently, encryption of JARM responses is optional for Data Holders but mandatory for ADRs, as ADRs are forced to support JARM encryption due to the following part of the CDS:

If the Data Holder supports authorisation response encryption and the authorization_encrypted_response_alg is omitted from the registration request, the Data Holder MAY require response encryption by returning a client registration response with the chosen “authorization_encrypted_response_alg” value.

This requirement seems to be an historical compromise of the specification due to some prior ambiguity of the JARM registration and discovery document specifications and that some Data Holders had already implemented JARM with forced JWE prior to the clarifying standards changes.

Intention and Value of Change

I believe that this places an undue burden on the recipients supporting a complicated and not widely supported spec (JWE) for what might be an extreme edge case that may or may not be required in 2024. This places additional implementation and testing burdens on ADRs to support and validate these features, which are not currently verified by the CTS.

Removing this ADR requirement would remove a barrier to entry for new ADRs and ongoing maintenance of implementations, so it feels important and valuable to question whether this compromise is still in the best interests of the ecosystem.

Area Affected

Infosec profile, which impacts DCR and Authorization Redirects in particular.

Change Proposed

Removing this above-mentioned requirement and making JARM encryption truly optional for both ADRs and DHs.
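As an added illustration of the ADR-side burden the issue describes (example code, not from the issue, the repository or the CDS), the following Python checks whether a DCR registration response imposed JARM encryption the ADR did not request, and whether a later JARM `response` token has the JWE or JWS form that the registration implies. The field names beyond authorization_encrypted_response_alg, the client id and the algorithm choices are assumptions for illustration; the tokens are constructed stand-ins with a real JOSE header and dummy segments, so nothing is signature-verified or decrypted here.

```python
import base64
import json

def b64url_json(segment: str) -> dict:
    """Decode one base64url-encoded JSON segment (the JOSE protected header)."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def build_sample_token(header: dict, segments: int) -> str:
    """Constructed stand-in for a compact-serialized JWS (3 segments) or JWE
    (5 segments): real header, dummy remaining segments. Not a real token."""
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return ".".join([h] + ["AAAA"] * (segments - 1))

def encryption_imposed(registration_request: dict, registration_response: dict) -> bool:
    """True when the DH exercised the CDS clause quoted in the issue: the ADR
    omitted authorization_encrypted_response_alg, yet the DCR response sets it."""
    key = "authorization_encrypted_response_alg"
    return key not in registration_request and key in registration_response

def classify_jarm(response_token: str) -> dict:
    """Classify a JARM `response` parameter as JWS or JWE from its compact form."""
    parts = response_token.split(".")
    header = b64url_json(parts[0])
    if len(parts) == 3:
        return {"form": "JWS", "alg": header.get("alg")}
    if len(parts) == 5:
        return {"form": "JWE", "alg": header.get("alg"), "enc": header.get("enc")}
    raise ValueError(f"unexpected compact serialization with {len(parts)} segments")

def jarm_matches_registration(response_token: str, registration: dict) -> bool:
    """Accept the JARM response only if its form and algorithms agree with what
    the DCR response registered; a plain JWS is rejected once encryption is registered."""
    info = classify_jarm(response_token)
    if info["form"] == "JWE":
        return (info["alg"] == registration.get("authorization_encrypted_response_alg")
                and info["enc"] == registration.get("authorization_encrypted_response_enc"))
    return ("authorization_encrypted_response_alg" not in registration
            and info["alg"] == registration.get("authorization_signed_response_alg"))

# Constructed sample values (hypothetical client; algorithms chosen for illustration).
REQUEST_WITHOUT_ENCRYPTION = {"authorization_signed_response_alg": "PS256"}
RESPONSE_FORCING_ENCRYPTION = {
    "client_id": "example-adr",
    "authorization_signed_response_alg": "PS256",
    "authorization_encrypted_response_alg": "RSA-OAEP",
    "authorization_encrypted_response_enc": "A256GCM",
}
```

Run against the two constructed dictionaries, `encryption_imposed` flags the forced-encryption case, and `jarm_matches_registration` shows that once the DH has registered an encryption alg, an unencrypted JWS response no longer matches the registration.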

CDR-API-Stream commented 1 month ago

This issue was discussed in the Maintenance Iteration Call on 24 July. A participant offered to compile information on Data Holders who require encryption on JARM responses for discussion in a later meeting.