consumer-reports-innovation-lab / data-rights-protocol

The technical standard for exchanging data rights requests
https://datarightsprotocol.org
Apache License 2.0

Digitally sign all traffic, including timestamp #4

Open jernst opened 2 years ago

jernst commented 2 years ago

Sooner or later there will be disputes about who exactly (impersonator?) requested what (Oh, that too?) and when (no, we have more time). The same applies to the response legs.

I suggest that all messages get a timestamp (e.g. a JSON top-level entry in UTC), and get digitally signed with something like JSON Web Tokens.
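The timestamp-plus-signature scheme proposed above, worked through as an added example (not code from this issue or from the DRP project): each request body carries a top-level `iat` claim in UTC seconds and is wrapped in a compact JWS, and the receiving side checks the signature before trusting the timestamp and rejects messages outside a freshness window. It uses only the Python standard library, so it assumes a shared HMAC key (HS256); the key, field names and request values are constructed for the example. For settling a dispute about who sent what, an asymmetric JWS algorithm such as ES256 would be needed, since a shared MAC key cannot prove which of the two parties produced the tag.

```python
"""Sign a DRP-style request as a compact JWS with a UTC timestamp, then verify it.

Added example, not part of the Data Rights Protocol spec or reference code.
Standard library only: HS256 (HMAC-SHA256) with a constructed shared key.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for this example. A deployment that needs
# non-repudiation would use an asymmetric alg (e.g. ES256) instead.
SHARED_KEY = b"example-shared-key-not-for-production"
MAX_SKEW_SECONDS = 300  # reject messages whose iat is more than 5 minutes off


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_message(payload: dict, key: bytes, now: Optional[int] = None) -> str:
    """Return header.claims.signature over `payload` plus a top-level `iat` (UTC seconds)."""
    body = dict(payload)
    body["iat"] = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = _b64url(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{header}.{claims}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"


def verify_message(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Check signature first, then timestamp freshness; return claims or raise ValueError."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWS")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    iat = claims.get("iat")
    if not isinstance(iat, int):
        raise ValueError("missing or non-integer iat")
    current = int(time.time()) if now is None else now
    if abs(current - iat) > MAX_SKEW_SECONDS:
        raise ValueError("timestamp outside acceptable window")
    return claims


if __name__ == "__main__":
    # Constructed request body; field names are illustrative only.
    request = {"request_type": "access", "requester": "alice@example.org"}
    token = sign_message(request, SHARED_KEY)
    print(token)
    print(verify_message(token, SHARED_KEY))
```

Signature verification runs before the timestamp check on purpose: a stale `iat` from an unauthenticated message tells you nothing, while a valid signature with a stale timestamp is the replay case the window is there to catch. Both sides would store the signed token, not just the decoded body, since the token is the evidence in a later dispute.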

rrix commented 2 years ago

I'm going to leave your Issue open for now because I think we're in agreement that more work needs to happen here. For the time being, we're relying on a voluntary trust basis within the early implementer group while exploring this further.

For the initial protocol implementations, we are planning to use JWTs for encapsulating only identity attributes within the protocol (see section 3.04 for discussion), but the requests themselves will sit outside the JWT encoding for the time being. We're in the early stages of evaluating a few different security profiles, for example the OpenID "Financial-grade" API baseline profile, which specifies semantics of token handout and management, but also specifies the use of mTLS for client authentication/validation.