OpenPubkey Reference Implementation

OpenPubkey adds user generated cryptographic signatures to OpenID Connect (OIDC) to enable users to sign messages or artifacts under their OpenID identity. Verifiers can check that these signatures are valid and associated with the signing OpenID identity. OpenPubkey does not add any new trusted parties beyond what is required for OpenID Connect and is fully compatible with existing OpenID Providers (Google, Azure/Microsoft, Okta, OneLogin, Keycloak) without any changes to the OpenID Provider.

This repo contains the current reference implementation of OpenPubkey. The reference implementation is a work in progress.

Remaining Work

Phase 1:

• Common OpenPubkey client struct constructor that supports:
  • Github OpenID Provider (OP) with CIC in aud claim
  • Azure OpenID Provider (OP)
  • Google OpenID Provider (OP)
• GQ Signature Support
  • GQ signer and verifier
  • GQ JWS Support
• Examples
  • Google OP x509 signing example
  • Github Actions signing example
• Cryptography review and remediation
• Opensource project must haves
  • Github actions to run unittest
  • Linter enforcement
  • Code of conduct
  • Security.md
  • Developer.md
  • PR template

Phase 2:

• Additional Signers (TBD)

How to use this library

To interact with OpenPubkey as a signer use the OpkClient struct.

Further reading

• OpenPubkey: Augmenting OpenID Connect with User held Signing Keys

• BastionZero’s OpenPubkey: A new approach to cryptographic signatures

• Reducing Trust in Automated Certificate Authorities via Proofs-of-Authentication

• Guillou and Quisquater, A “Paradoxical” Indentity-Based Signature Scheme Resulting from Zero-Knowledge, Crypto 1988

• OpenID Connect Core 1.0 incorporating errata set 1