Make it clear that HTTPS is required for the jwks_uri and all stream management API endpoints, regardless of whether there is an alternative way of securing the communication. Add language saying the the Transmitter should also tie the 'aud' value to the auth from the Receiver.

FragLegs · FragLegs · commit 78eb6bb19917 · 2024-06-07T11:20:12.000-04:00
diff --git a/openid-sharedsignals-framework-1_0.md b/openid-sharedsignals-framework-1_0.md
@@ -563,31 +563,31 @@ jwks_uri
 > OPTIONAL. URL of the Transmitter's JSON Web Key Set {{RFC7517}} document.
   This contains the signing key(s) the Receiver uses to validate signatures from
   the Transmitter. This value MUST be specified if the Transmitter intends to
-  generate signed JWTs.
+  generate signed JWTs. If present, this URL MUST use HTTP over TLS {{RFC9110}}.
 
 delivery_methods_supported
 
 > RECOMMENDED. List of supported delivery method URIs.
 
 configuration_endpoint
 
-> OPTIONAL. The URL of the Configuration Endpoint.
+> OPTIONAL. The URL of the Configuration Endpoint. If present, this URL MUST use HTTP over TLS {{RFC9110}}.
 
 status_endpoint
 
-> OPTIONAL. The URL of the Status Endpoint.
+> OPTIONAL. The URL of the Status Endpoint. If present, this URL MUST use HTTP over TLS {{RFC9110}}.
 
 add_subject_endpoint
 
-> OPTIONAL. The URL of the Add Subject Endpoint.
+> OPTIONAL. The URL of the Add Subject Endpoint. If present, this URL MUST use HTTP over TLS {{RFC9110}}.
 
 remove_subject_endpoint
 
-> OPTIONAL. The URL of the Remove Subject Endpoint.
+> OPTIONAL. The URL of the Remove Subject Endpoint. If present, this URL MUST use HTTP over TLS {{RFC9110}}.
 
 verification_endpoint
 
-> OPTIONAL. The URL of the Verification Endpoint.
+> OPTIONAL. The URL of the Verification Endpoint. If present, this URL MUST use HTTP over TLS {{RFC9110}}.
 
 critical_subject_members
 
@@ -763,10 +763,11 @@ The API can also be used to query and update the Event Stream's configuration an
 add and remove Subjects, and trigger verification for those streams.
 
 Unless there exists some other method of establishing trust between a Transmitter and
-Receiver, all Stream Management API endpoints MUST use HTTP over TLS {{RFC9110}}
-and standard HTTP authentication and authorization schemes, as per {{RFC9110}}.
-This authorization MUST associate a Receiver with one or more stream IDs, such that only
-authorized Receivers are able to access or modify the details of the associated Event Streams.
+Receiver, all Stream Management API endpoints MUST use standard HTTP
+authentication and authorization schemes, as per {{RFC9110}}.
+This authorization MUST associate a Receiver with one or more stream IDs and "aud" values,
+such that only authorized Receivers are able to access or modify the details of the
+associated Event Streams.
 
 ~~~
 +------------+                +------------+
