
OpenPubkey

OpenPubkey is an open protocol (github.com/openpubkey/openpubkey, Linux Foundation announcement 2023) that adds public keys to OpenID Connect ID Tokens without requiring any change to the OIDC protocol or cooperation from the OpenID Provider (OP). The result — an ID Token that commits to the user's public key — is called a PK Token, which can serve as a cryptographic credential in protocols that need both identity and a public key (SSH, end-to-end-encrypted messaging, signed commits, etc.).

The problem it solves

OIDC ID Tokens include identity claims (email, sub, iss, aud) but not the user's public key. This means an ID Token by itself can prove "Google says I am Alice" but it cannot secure a protocol where the counterparty needs Alice's key — the ID Token doesn't bind to any key the counterparty can use for encryption or signature verification.

OpenPubkey bridges that gap: the same OP, speaking the same OIDC protocol, ends up effectively attesting "Google says Alice is using public key 0x123."

Why it's notable

  • No changes to OIDC. OpenPubkey works with any OIDC-compliant OP. The OP doesn't have to know OpenPubkey exists; the PK Token construction happens on the client side (plus a standard OIDC signature from the OP).
  • No new trusted third party. The trust anchor is the OP the user already trusts for SSO. No dedicated CA, no new service.
  • Linux Foundation project since 2023; neutral governance.
  • Composable. A PK Token is a general primitive; OPKSSH is the flagship application but not the only possible one.
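The client-side construction mentioned above, as an added illustration that is not code from the ingested sources or from the OpenPubkey project: the client derives the OIDC `nonce` from a hash of its client instance claims (CIC: public key, algorithm, fresh randomness), the unmodified OP signs that nonce exactly as it would any other, and a verifier recomputes the commitment before trusting the key. The HS256 stand-in for the OP's signature, the CIC field names and the encoding are simplifying assumptions; the production PK Token uses the OP's published signing key and the exact CIC encoding from the OpenPubkey spec.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the OP's signing key; a real OP signs ID Tokens with RS256/ES256.
OP_SECRET = b"constructed-op-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def cic_commitment(cic: dict) -> str:
    """Hash the client instance claims (CIC) into the value the client sends as the OIDC nonce."""
    encoded = b64url(json.dumps(cic, sort_keys=True, separators=(",", ":")).encode())
    return b64url(hashlib.sha256(encoded.encode()).digest())

def build_cic(upk: dict) -> tuple[dict, str]:
    """Client side: pair the user's public key (JWK) with fresh randomness and derive the nonce."""
    cic = {"alg": "ES256", "upk": upk, "rz": secrets.token_hex(16)}  # field names are assumed
    return cic, cic_commitment(cic)

def op_issue_id_token(claims: dict) -> str:
    """Unmodified OP: signs the claims it always signs, client-supplied nonce included, as a JWT."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(OP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_pk_token(id_token: str, cic: dict) -> dict:
    """Verifier: check the OP signature, then check that the signed nonce commits to this CIC."""
    header, payload, sig = id_token.split(".")
    expected = hmac.new(OP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("OP signature does not verify")
    claims = json.loads(b64url_decode(payload))
    if not hmac.compare_digest(str(claims.get("nonce", "")), cic_commitment(cic)):
        raise ValueError("nonce does not commit to this CIC / public key")
    return {**claims, "upk": cic["upk"]}  # identity claims now bound to the user's key
```

The OP never sees the key; it only signs an opaque nonce, which is why no change to OIDC or to the OP is needed.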

Relationship to OPKSSH

systems/opkssh is the main application ingested so far: package the PK Token into an SSH certificate extension field and use it as an SSH public key. OpenPubkey shipped an experimental SSH integration from day one, but OPKSSH (Cloudflare-donated 2025-03-25) replaced it with a production-ready one. Other potential applications discussed in the ecosystem include E2E-encrypted messaging, signed Git commits, and general public-key binding to human identities; this wiki only sources SSH at present.

What this wiki does not cover

The detailed PK Token construction (how OpenPubkey embeds the public key into the ID Token without breaking the OP's signature) is protocol-level cryptography that hasn't been fully expanded here yet; see the OpenPubkey repo for spec references. Related-protocol comparisons (vs. OpenID Connect DPoP, FIDO2, SSH CA-backed ephemeral certs via BLESS / Smallstep) are out of scope for the currently ingested sources.
