https://notes.karlmcguinness.com/tags/dns/Recent content in DNS on Control Plane by Karl McGuinnessHugoen-uspublic@karlmcguinness.com (Karl McGuinness)public@karlmcguinness.com (Karl McGuinness)Wed, 03 Jun 2026 14:00:00 -0700https://notes.karlmcguinness.com/notes/trusting-issuers-in-open-world-oauth/Wed, 03 Jun 2026 14:00:00 -0700public@karlmcguinness.com (Karl McGuinness)https://notes.karlmcguinness.com/notes/trusting-issuers-in-open-world-oauth/Self-service agent sign-up surfaces a first-contact trust problem. A Resource Authorization Server can verify a JWT and still not know whether the issuer is allowed to assert identities for the subject’s domain. Federation proves issuer authenticity, not namespace authority. Static allowlists do not scale to runtime onboarding. The Identity Assertion Trust Framework lets a Resource AS publish the evidence it requires, while Domain-Authorized Issuer Discovery lets a domain owner publish which issuers may assert identities in its namespace. Together they compose with ID-JAG and JWT-bearer grants without changing the grant surface.