Protected Dynamic Client Registration
Thoughts on Protected Dynamic Client Registration.
This proposes a trust model for software statements that can be Endorsed by trusted third parties and then used by an authorization server that has little or no prior knowledge of the Developer.
Data and signatures are exchanged between the parties using the General JWS JSON Serialization Syntax.
Payload
The payload MUST contain at least one of kid, jku or jwk so that the Developer can be identified.
Signatures
Endorsement Signature(s)
MAY contain exp with a timestamp of the expiration time. MAY contain iss identifying the Endorser. Which endorsement bodies the authorization server chooses to trust, and how it verifies these signatures, is outside the scope of this document.
Developer Signature
The protected header MUST contain exp with a timestamp of the expiration time, for example:
{
"crit": ["exp"],
"exp": 1363284000
}
The authorization server MAY specify that this expiration cannot be too far in the future.
MUST contain ONE OF jwk or kid, which must match or otherwise identify the key in the payload that was used to create this signature.
MUST be the last entry in the signatures array.
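As an added worked example (not part of this proposal), the following Python builds a registration in the General JWS JSON Serialization with one Endorsement Signature followed by the Developer Signature, and then applies the Developer Signature rules above on the authorization server side. It assumes a key registry KEYS, a server policy MAX_EXP_AHEAD and HS256 (HMAC) keys so that it runs on the standard library alone; the kid values and the endorser URL are constructed.

```python
import base64, hashlib, hmac, json

# Constructed demo key registry. HS256 (HMAC) is used only so that this runs on the
# standard library; a real deployment would use an asymmetric alg such as RS256.
KEYS = {"endorser-1": b"endorser-secret", "dev-42": b"developer-secret"}
MAX_EXP_AHEAD = 30 * 24 * 3600  # assumed server policy: exp at most 30 days ahead

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(protected: dict, payload_b64: str, key: bytes) -> dict:
    """One entry of the "signatures" array in the General JWS JSON Serialization."""
    prot_b64 = b64u(json.dumps(protected, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{prot_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return {"protected": prot_b64, "signature": b64u(mac)}

def build_registration(payload: dict, endorser_kid: str, dev_kid: str, now: int) -> dict:
    """Payload names the Developer's kid; the Endorsement comes first, the Developer last."""
    payload_b64 = b64u(json.dumps(payload, separators=(",", ":")).encode())
    endorsement = sign({"alg": "HS256", "kid": endorser_kid, "iss": "https://endorser.example",
                        "exp": now + 90 * 86400}, payload_b64, KEYS[endorser_kid])
    developer = sign({"alg": "HS256", "kid": dev_kid, "crit": ["exp"], "exp": now + 3600},
                     payload_b64, KEYS[dev_kid])
    return {"payload": payload_b64, "signatures": [endorsement, developer]}

def check_developer_signature(jws: dict, now: int) -> tuple:
    """Apply the Developer Signature rules to the LAST signature entry; returns (ok, detail)."""
    payload = json.loads(b64u_dec(jws["payload"]))
    sig = jws["signatures"][-1]
    header = json.loads(b64u_dec(sig["protected"]))
    if "exp" not in header:
        return False, "protected header lacks exp"
    if set(header.get("crit", [])) - {"exp"}:  # crit must list only parameters we understand
        return False, "unsupported critical header parameter"
    if not now < header["exp"] <= now + MAX_EXP_AHEAD:
        return False, "developer signature expired or exp too far in the future"
    kid = header.get("kid")  # this example identifies the key by kid; jwk would also be allowed
    if kid is None or kid != payload.get("kid") or kid not in KEYS:
        return False, "kid does not identify a known key named in the payload"
    expected = hmac.new(KEYS[kid], f"{sig['protected']}.{jws['payload']}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_dec(sig["signature"])):
        return False, "signature mismatch"
    return True, kid
```

Swapping the order of the two entries, or forging the last entry, makes check_developer_signature reject the registration, since only the final entry is treated as the Developer Signature.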