In OIDC Core there is a short section on signatures/encryption: https://openid.net/specs/openid-connect-core-1_0.html#SigEnc
Should the responses, when shared by the CH or issued by the CI, be encrypted, or is transport encryption (HTTPS) good enough?
Should encryption be advocated more (e.g., a section about encryption)?
When exchanging information, is validating the TLS certificate enough, or should all requests/responses also be signed? (e.g., like authenticated key exchange)
For example: when DIDs are used, both sides should validate the DID, check that the DID is not revoked, and sign requests/responses using one of the DID keys.
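To make the DID-based signing point above concrete, here is an added example (not code from this issue or from any referenced specification) of what a receiver has to do beyond TLS: resolve the sender's DID, refuse revoked DIDs, require the key id to appear in the DID document, bound the timestamp against replay, and only then verify an Ed25519 signature over the request. The in-memory resolver, the revocation set, the `did:example:` identifiers, the `key-1` key id and the length-prefixed signing input are all constructed stand-ins; a real deployment would resolve the DID method, use its revocation/deactivation mechanism, and sign with a standard envelope such as JWS.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// DIDDocument is a minimal stand-in for a resolved DID document: the DID and
// the Ed25519 public keys it lists as verification methods, keyed by key id.
type DIDDocument struct {
	ID   string
	Keys map[string]ed25519.PublicKey // key id (fragment) -> public key
}

// Resolver is a constructed in-memory stand-in for DID resolution plus a
// revocation registry (assumption: a real deployment resolves the DID method
// and consults that method's revocation/deactivation mechanism).
type Resolver struct {
	Docs    map[string]DIDDocument
	Revoked map[string]bool
}

// SignedRequest is a request carrying a detached signature made with one of
// the sender's DID keys. Every field except Signature is covered by it.
type SignedRequest struct {
	DID       string
	KeyID     string
	Created   int64  // unix seconds; lets the receiver reject stale replays
	Payload   string // the actual request body (e.g. a JSON object)
	Signature string // base64url(Ed25519 signature over signingInput())
}

// signingInput builds a deterministic byte string over the covered fields,
// length-prefixed so field boundaries cannot be shifted by an attacker.
// (Constructed canonicalisation; JWS/JCS would be used in practice.)
func (r SignedRequest) signingInput() []byte {
	var b []byte
	for _, f := range []string{r.DID, r.KeyID, strconv.FormatInt(r.Created, 10), r.Payload} {
		b = append(b, strconv.Itoa(len(f))...)
		b = append(b, ':')
		b = append(b, f...)
	}
	return b
}

// Sign creates a SignedRequest for payload using the given DID key.
func Sign(did, keyID string, priv ed25519.PrivateKey, payload string, now time.Time) SignedRequest {
	r := SignedRequest{DID: did, KeyID: keyID, Created: now.Unix(), Payload: payload}
	r.Signature = base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, r.signingInput()))
	return r
}

var (
	ErrUnknownDID = errors.New("DID does not resolve")
	ErrRevoked    = errors.New("DID is revoked")
	ErrUnknownKey = errors.New("key id not listed in DID document")
	ErrStale      = errors.New("request timestamp outside acceptance window")
	ErrBadSig     = errors.New("signature invalid")
)

// Verify performs the receiver-side checks in order: resolve the DID, reject
// revoked DIDs, require the key id to be in the DID document, bound the
// timestamp, and finally verify the signature with the resolved public key.
func (res *Resolver) Verify(r SignedRequest, now time.Time, maxSkew time.Duration) error {
	doc, ok := res.Docs[r.DID]
	if !ok {
		return ErrUnknownDID
	}
	if res.Revoked[r.DID] {
		return ErrRevoked
	}
	pub, ok := doc.Keys[r.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	created := time.Unix(r.Created, 0)
	if created.After(now.Add(maxSkew)) || created.Before(now.Add(-maxSkew)) {
		return ErrStale
	}
	sig, err := base64.RawURLEncoding.DecodeString(r.Signature)
	if err != nil || !ed25519.Verify(pub, r.signingInput(), sig) {
		return ErrBadSig
	}
	return nil
}

// newDID generates a key pair and a one-key DID document (constructed data).
func newDID(did string) (DIDDocument, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return DIDDocument{ID: did, Keys: map[string]ed25519.PublicKey{"key-1": pub}}, priv
}

func main() {
	holderDoc, holderPriv := newDID("did:example:holder")
	res := &Resolver{Docs: map[string]DIDDocument{holderDoc.ID: holderDoc}, Revoked: map[string]bool{}}
	now := time.Now()
	req := Sign(holderDoc.ID, "key-1", holderPriv, `{"credential_request":"proof-of-age"}`, now)
	fmt.Println("valid request:", res.Verify(req, now, time.Minute))
	req.Payload = `{"credential_request":"admin-role"}` // tampered after signing
	fmt.Println("tampered request:", res.Verify(req, now, time.Minute))
	res.Revoked[holderDoc.ID] = true
	fmt.Println("revoked DID:", res.Verify(req, now, time.Minute))
}
```

The ordering in `Verify` is deliberate: resolution and revocation are checked before any signature work, so a revoked or unknown DID is rejected even if the signature would verify, and the key id must come from the resolved document rather than from the message, which is what stops a sender from pointing at a key of its own choosing. TLS alone gives none of this, since the TLS certificate says nothing about which DID is speaking.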