...
Item | Description | Issuer | Private Key Held By | CSR Generated by | Certificate Generated by | Action required by LFI | JWKS
---|---|---|---|---|---|---|---
Sig1 | Used by the TPP to sign requests sent to the OFP (e.g. for signing the private-key-jwt, PAR request object etc.). The OFP will use the public key in the OFTF JWKS to verify the signature. | OFTF | TPP | TPP | TPP | None | TPP’s JWKS identified by the Hosted in OFTF
Sig2 | Used by the OFP to sign responses sent to the TPP. This includes signed messages from the resource server and the signature on the id_token. The TPP will use the public key in the JWKS to verify the signature. | OFTF | Ozone | Ozone | LFI | Yes | LFI’s JWKS identified by the Hosted in OFTF
Sig3 | Used by the OFP to sign requests sent to the LFI. The OFP will use the public key in the JWKS to verify the signature. | OFTF | Ozone | Ozone | Ozone | None | LFI’s API Hub’s JWKS hosted in OFTF. Only required if one of these conditions is true:
Sig4 | Used by the LFI to sign requests sent to the OFP. The LFI will use the public key in the JWKS to verify the signature. | OFTF | LFI | Ozone (to assist the LFI) | LFI | Yes | LFI’s JWKS hosted in OFTF. Only required if the LFI requires JWT Auth for Application Layer Authentication to CM and HH
...
These steps are repeated for S1, S3, Sig2 and Sig3 - where the private keys are held by the API Hub
...
These steps are repeated for Sig3 and C4 - where the private keys are held by the API Hub
- Ozone to generate private keys for the certificates
- Ozone to generate CSRs
- LFI / Ozone to generate certificates on the OFTF directory*
- Ozone to provide the JWKS URL and KID to the LFI
...