[Openid-specs-ab] Mandatory JWK Support for OpenID Connect
ve7jtb at ve7jtb.com
Fri Jul 27 17:18:29 UTC 2012
There are some use cases where the use of PKIX trust relationships may be required.
In the EU there may be reasons to publish an X.509 cert so that the signature on the id_token is a qualified digital signature for non-repudiation at a higher LOA.
I don't think anyone wants to remove the x.509 option.
The question is whether clients or servers MUST implement both, or, if only one format needs to be mandatory for servers, which one it should be.
For simple clients, JWK is arguably (I say that knowing Tony will argue) simpler to build, as it doesn't need ASN.1 parsing. For servers, X.509 certificates have existing tools.
Our design principle to this point has been to push complexity from clients to servers.
On 2012-07-27, at 8:06 AM, Magnus Andersson wrote:
> My name is Magnus I own a startup and I'm implementing OpenID Connect.
> As an implementor: if the JWK-format is mandatory, exactly what added value does optionally exposing x.509 certificates to the client give?
> As long as the JWK is mandatory I personally don't see how optional x.509 certificates would simplify anything for those who have existing Public-key infrastructure. They still have to handle the JWK case and map that to their PKI.
> I recognize I don't know all the history in this matter. But could the option to choose only JWK (as it is already deemed mandatory) and skip x.509 be added, to balance out the current options?
> BR Magnus Andersson
> Solvies AB
> 2012/7/27 John Bradley <ve7jtb at ve7jtb.com>
> Extracting a key from a certificate to make a JWK out of it is not that hard.
> We can likely automate that. People who want to support X.509 are free to do that; it is just not mandatory for the client. For the basic client using the code flow there is no MTI; for the implicit flow JWK is MTI if you want general support. I suppose if a client just wants to talk to a specific IDP it could just do X.509 if that is supported.
> The options are.
> 1 Client must support both and server chooses
> 2 Server must support both and client chooses
> 3 Server must support one and the other is optional.
> Tony, are you saying you prefer 1 or 2, or is 3 your preference but with X.509 as the default?
> There are advantages and disadvantages to picking JWK as the default.
> It is true that most common tools like OpenSSL easily produce self-signed certificates.
> On the other hand, they expire and create runtime issues later because some people may try to do PKIX processing on them.
> This is a continual debate in SAML over raw keys vs certificates. Many federations think raw keys cause less support issues over time.
> John B.
> On 2012-07-26, at 9:43 PM, Anthony Nadalin wrote:
>> This creates problems for folks that already have a PKI infrastructure and want to use existing keys.
>> From: Edmund Jay [mailto:ejay at mgi1.com]
>> Sent: Thursday, July 26, 2012 3:11 PM
>> To: Anthony Nadalin; openid-specs-ab at lists.openid.net; openid-connect-interop at googlegroups.com
>> Subject: Re: [Openid-specs-ab] Mandatory JWK Support for OpenID Connect
>> This is in reference to the open issue # 633 at http://hg.openid.net/connect/issue/633/messages-42-jwk-and-x509-format-support
>> The specs currently support x509 and JWK format for publishing public keys but is silent on which must be supported.
>> There may be interop problems related to cryptographic aspects of OpenID due to lack of common support between client and server.
>> -- Edmund
>> From: Anthony Nadalin <tonynad at microsoft.com>
>> To: Edmund Jay <ejay at mgi1.com>; "openid-specs-ab at lists.openid.net" <openid-specs-ab at lists.openid.net>; "openid-connect-interop at googlegroups.com" <openid-connect-interop at googlegroups.com>
>> Sent: Thu, July 26, 2012 1:46:41 PM
>> Subject: RE: [Openid-specs-ab] Mandatory JWK Support for OpenID Connect
>> Can you provide the rationale or a pointer to the rationale?
>> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Edmund Jay
>> Sent: Thursday, July 26, 2012 11:58 AM
>> To: openid-specs-ab at lists.openid.net; openid-connect-interop at googlegroups.com
>> Subject: [Openid-specs-ab] Mandatory JWK Support for OpenID Connect
>> This is to inform everyone that the Working Group has decided to make JWK support mandatory for both the client and server.
>> Feedback welcome.
>> -- Edmund
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
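A worked example, added here and not taken from the thread, the OpenID Connect specs or any implementation discussed in it: the conversion John describes above (pull the RSA public key out of an X.509 certificate's SubjectPublicKeyInfo and publish it as a JWK), done in Python with only the standard library. It also shows how much ASN.1 a JWK-only client would have to parse if it were handed an X.509 key, which is the point in dispute. The small DER encoder exists only to build a sample SPKI so the script runs offline; SAMPLE_N is a constructed number, not a real RSA modulus, and using the RFC 7638 thumbprint as `kid` is my choice, not something the thread specifies.

```python
# Added example (not from the thread or the OpenID Connect specs): convert the
# RSA SubjectPublicKeyInfo that an X.509 certificate carries into a JWK
# (RFC 7517/7518 "RSA" key) with the standard library only. The DER encoder
# exists just to build a sample SPKI so this runs offline; no real certificate
# or key is embedded. SAMPLE_N is a constructed value, not an RSA modulus.
import base64
import hashlib
import json

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

SAMPLE_N = int("c0ffee" * 10, 16)  # constructed 480-bit value, high bit set
SAMPLE_E = 65537


# --- minimal DER encoder, used only to build the sample SPKI -----------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:          # DER INTEGER is signed: pad so it stays positive
        b = b"\x00" + b
    return der_tlv(0x02, b)


def build_spki(n, e):
    rsa_public_key = der_tlv(0x30, der_int(n) + der_int(e))  # RSAPublicKey
    alg_id = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + der_tlv(0x05, b""))
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_public_key))


# --- the ASN.1 a JWK-only client would have to parse -------------------------
def read_tlv(buf, pos):
    """Return (tag, content, end) for the TLV at pos; raise on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def expect(buf, pos, tag):
    t, content, end = read_tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{t:02x}")
    return content, end


def b64u_uint(v):
    """Base64url, no padding, of the minimal big-endian bytes (RFC 7518)."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def b64u_to_uint(s):
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over e, kty, n in lexicographic order."""
    canonical = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def spki_to_jwk(spki):
    body, end = expect(spki, 0, 0x30)
    if end != len(spki):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    alg_id, pos = expect(body, 0, 0x30)
    oid, _ = expect(alg_id, 0, 0x06)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    bitstr, _ = expect(body, pos, 0x03)
    if not bitstr or bitstr[0] != 0:
        raise ValueError("unexpected unused-bits octet in BIT STRING")
    rsa_public_key, _ = expect(bitstr, 1, 0x30)
    n_bytes, pos = expect(rsa_public_key, 0, 0x02)
    e_bytes, _ = expect(rsa_public_key, pos, 0x02)
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    jwk = {"kty": "RSA", "n": b64u_uint(n), "e": b64u_uint(e)}
    jwk["kid"] = jwk_thumbprint(jwk)   # stable key id derived from the key itself
    return jwk


if __name__ == "__main__":
    print(json.dumps(spki_to_jwk(build_spki(SAMPLE_N, SAMPLE_E)), indent=2))
```

In a real deployment the SPKI bytes come out of the certificate (for example the PEM "PUBLIC KEY" block printed by `openssl x509 -pubkey -noout`), and the expiry point raised in the thread still applies: nothing in the resulting JWK carries the certificate's validity period, so whoever converts keys this way has to handle rotation on their own.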