JWKS: Remove publicKeys in favor of RFC7515.

IETF-RFC.md

@@ -729,7 +729,8 @@ contain the following information about its OCM API:
   for a short-lived bearer token.
   _ `"http-sig"` - to indicate that this OCM Server supports
   [RFC9421] HTTP Message Signatures and advertises public keys in the
-  `publicKeys` array for signature verification.
+  format specified by [RFC7515] at the `/.well-known/jwks.json`
+  endpoint for signature verification.
   _ `"invites"` - to indicate the server would support acting as an
   Invite Sender or Invite Receiver OCM Server.  This might be useful
   for suggesting to a user that existing contacts might be upgraded
@@ -762,37 +763,8 @@ contain the following information about its OCM API:
   address \* `"invite"` - an invite MUST have been exchanged between the
   sender and the receiver before a Share Creation Notification can be
   sent
-* OPTIONAL: publicKey (object) - DEPRECATED: Use publicKeys array
-  instead for RFC 9421 support.
-  Legacy field for draft-cavage HTTP Signatures (RSA only).
-  Maintained for backward compatibility with existing deployments.
-  The signatory is optional, but if present, it MUST contain
-  two string fields, `keyId` and `publicKeyPem`.
-  properties:
-  - REQUIRED keyId (string) unique id of the key in URI format.  The
-    hostname set the origin of the request and MUST be
-    identical to the current discovery endpoint.
-    Example: https://cloud.example.org/ocm#signature
-  - REQUIRED publicKeyPem (string) - PEM-encoded RSA public key for
-    draft-cavage signatures.
-    Example:
-    "----BEGIN PUBLIC KEY----\n...\n----END PUBLIC KEY----\n"
-* OPTIONAL: publicKeys (array of objects) - Array of public keys for
-  [RFC9421] HTTP Message Signatures.
-  Servers advertising the "http-sig" capability MUST provide this
-  field. Clients SHOULD prefer [RFC9421] signatures when this capability
-  is present. Each object in the array MUST contain:
-  - REQUIRED keyId (string) - Unique identifier for this key in URI
-    format. Hostname MUST match the discovery endpoint hostname.
-    Example: https://cloud.example.org/ocm#key-1
-  - REQUIRED publicKeyPem (string) - PEM-encoded public key for
-    [RFC9421] signatures.
-    Example:
-    "----BEGIN PUBLIC KEY----\nMCowBQYDK...\n----END PUBLIC KEY----\n"
-  - REQUIRED algorithm (string) - Cryptographic algorithm identifier
-    from the IANA HTTP Signature Algorithms Registry as defined in
-    [RFC9421] Section 6.2.
-    Example: "ed25519"
+* DEPRECATED: publicKey (object) - Use public keys at
+  `/.well-known/jwks.json` instead for RFC 9421 support.
 * OPTIONAL: inviteAcceptDialog (string) - URL path of a web page where
   a user can accept an invite, when query parameters `"token"` and
   `"providerDomain"` are provided.  Implementations that offer the

spec.yaml

@@ -425,7 +425,8 @@ components:
           type: object
           deprecated: true
           description: >
-            DEPRECATED: Use publicKeys array instead for RFC 9421 support.
+            DEPRECATED: Use public keys from /.well-known/jwks.json
+            instead for RFC 9421 support.
             Legacy field for draft-cavage HTTP Signatures (RSA only).
             Maintained for backward compatibility with existing deployments.
             The signatory is optional but it MUST contain `keyId` and `publicKeyPem`.
@@ -444,40 +445,6 @@ components:
                 -----BEGIN PUBLIC KEY-----
                 MII...QDD
                 -----END PUBLIC KEY-----
-        publicKeys:
-          type: array
-          description: >
-            Array of public keys for RFC 9421 HTTP Message Signatures.
-            Servers advertising the "rfc-http-sig" capability MUST provide this field.
-            Clients SHOULD prefer RFC 9421 signatures when this capability is present.
-          items:
-            type: object
-            required:
-              - keyId
-              - publicKeyPem
-              - algorithm
-            properties:
-              keyId:
-                type: string
-                format: uri
-                description: >
-                  Unique identifier for this key in URI format.
-                  Hostname MUST match the discovery endpoint hostname.
-                example: https://cloud.example.org/ocm#key-1
-              publicKeyPem:
-                type: string
-                description: |
-                  PEM-encoded public key for RFC 9421 signatures.
-                example: |
-                  -----BEGIN PUBLIC KEY-----
-                  MCowBQYDK2VwAyEA...
-                  -----END PUBLIC KEY-----
-              algorithm:
-                type: string
-                description: >
-                  Cryptographic algorithm identifier from the IANA HTTP Signature
-                  Algorithms Registry as defined in RFC 9421 Section 6.2.
-                example: ed25519
         tokenEndPoint:
           type: string
           format: uri