Added language requiring authorization of stream management API (#173)

FragLegs · web-flow · commit d2607b9b3df1 · 2024-06-10T10:26:57.000-07:00
* Added language requiring authorization of stream management API

* Remove sentence referring the reader to where authorization scheme can be defined

* Respond to PR feedback

* Update RFC references

* Make it clear that HTTPS is required for the jwks_uri and all stream management API endpoints, regardless of whether there is an alternative way of securing the communication. Add language saying the the Transmitter should also tie the 'aud' value to the auth from the Receiver.

* Add RFC9110 to references
diff --git a/openid-sharedsignals-framework-1_0.md b/openid-sharedsignals-framework-1_0.md
@@ -107,6 +107,7 @@ normative:
   RFC8615:
   RFC8935:
   RFC8936:
+  RFC9110:
   RFC9493:
   CAEP:
     author:
@@ -537,31 +538,31 @@ jwks_uri
 > OPTIONAL. URL of the Transmitter's JSON Web Key Set {{RFC7517}} document.
   This contains the signing key(s) the Receiver uses to validate signatures from
   the Transmitter. This value MUST be specified if the Transmitter intends to
-  generate signed JWTs.
+  generate signed JWTs. If present, this URL MUST use HTTP over TLS {{RFC9110}}.
 
 delivery_methods_supported
 
 > RECOMMENDED. List of supported delivery method URIs.
 
 configuration_endpoint
 
-> OPTIONAL. The URL of the Configuration Endpoint.
+> OPTIONAL. The URL of the Configuration Endpoint. If present, this URL MUST use HTTP over TLS {{RFC9110}}.
 
 status_endpoint
 
-> OPTIONAL. The URL of the Status Endpoint.
+> OPTIONAL. The URL of the Status Endpoint. If present, this URL MUST use HTTP over TLS {{RFC9110}}.
 
 add_subject_endpoint
 
-> OPTIONAL. The URL of the Add Subject Endpoint.
+> OPTIONAL. The URL of the Add Subject Endpoint. If present, this URL MUST use HTTP over TLS {{RFC9110}}.
 
 remove_subject_endpoint
 
-> OPTIONAL. The URL of the Remove Subject Endpoint.
+> OPTIONAL. The URL of the Remove Subject Endpoint. If present, this URL MUST use HTTP over TLS {{RFC9110}}.
 
 verification_endpoint
 
-> OPTIONAL. The URL of the Verification Endpoint.
+> OPTIONAL. The URL of the Verification Endpoint. If present, this URL MUST use HTTP over TLS {{RFC9110}}.
 
 critical_subject_members
 
@@ -737,6 +738,13 @@ which can be used by Event Receivers to create and delete one or more Event Stre
 The API can also be used to query and update the Event Stream's configuration and status,
 add and remove Subjects, and trigger verification for those streams.
 
+Unless there exists some other method of establishing trust between a Transmitter and
+Receiver, all Stream Management API endpoints MUST use standard HTTP
+authentication and authorization schemes, as per {{RFC9110}}.
+This authorization MUST associate a Receiver with one or more stream IDs and "aud" values,
+such that only authorized Receivers are able to access or modify the details of the
+associated Event Streams.
+
 ~~~
 +------------+                +------------+
 |            | Stream Config  |            |
