Summary
Provide a mechanism for Users to generate a credential that can be independently
verified in order to facilitate community-driven solutions and/or pilot programs
like ref-archive.
Long term this would be accomplished via a more sophisticated approach (IdP/OAuth/SAML/etc.), but a well-known and easy-to-implement pattern exists whereby CVE Services signs a JWT with a private key and third parties validate it automatically, without any authentication to CVE Services, against the matching public keys published as a JWKS (i.e. at https://cveawg.mitre.org/api/.well-known/jwks.json).
It is important to note that these tokens are not authentication tokens for CVE Services, but could be used to provide proof of identity / association with a CNA / etc.
Motivation
The initial motivation for this comes back to the infamous CVE defunding scare from ~April 2025, where having a baked-in means for proofs could help with backup & DR / alternative solutions / etc.
An immediate pilot could be CVEProject/cve-ref-archival#11 (though there's a lot to debate about that, it'd still be useful).
Describe alternatives you've considered
OAuth/SAML providers. Happy to donate a Keycloak instance :) but something tells
me that’d take a while.
Impact
This feature would require minimal effort to implement, and open the door to more sophisticated solutions that could handle this later. In particular, migrating the token generation + /.well-known/jwks.json to an eventual Authorization Server or equivalent would be minimal effort and provide backwards compatibility (if desired).