[Openid-specs-ab] JWK & X.509

Brian Campbell bcampbell at pingidentity.com
Thu Dec 27 20:00:25 UTC 2012

I'm trying to work through the practical implications of JWK & X.509 support
as a Connect OP for signatures.

It seems likely that 1) an OP will want to publish keys in both formats to
"play nice" with a variety of clients that may only be able to handle one
format or the other and 2) an OP will want to publish multiple keys to
support different algorithms and facilitate key rollover.

Connect Messages §4.2 [1] says that "if keys are specified in both X.509
and JWK formats, they MUST be the same keys" and §4.3 [2] says that "if
there are multiple keys in the referenced JWK document, the kid MUST be
specified in the JWS header. If there are multiple certificates at the
referenced certificate location, then x5t MUST be specified in the JWS

Connecting the dots from my assumptions above and the requirements from
Connect, it seems like it will be very common to have ID Tokens with both
the kid and x5t JWS header parameters. Which makes sense on some level but
I can't help the feeling that it's kind of inefficient, particularly with
all the emphasis that's been put on keeping id tokens small(ish).

I don't have an alternative in mind but, in thinking about it, I guess I
did want to ask a few questions:

Are my assumptions valid?
If so, is the end result really what Connect intended?
Or am I confused or way off base here?

Thanks in advance for any insights, thoughts or corrections,

[1] http://openid.net/specs/openid-connect-messages-1_0-13.html#sigenc.key
[2] http://openid.net/specs/openid-connect-messages-1_0-13.html#sigs
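As an added illustration (not part of Brian's message or of the Connect specs), the §4.3 key-selection rules quoted above and the protected-header cost of carrying both kid and x5t, in Python. The JWK set and the "certificates" are constructed placeholders (not real key material or DER), and the §4.2 "same keys" consistency check is not implemented since it needs certificate parsing.

```python
import base64
import hashlib
import json

# Constructed stand-ins for what an OP publishes (not a real key set or real DER).
JWKS = {"keys": [
    {"kty": "RSA", "kid": "rsa-2012", "alg": "RS256", "n": "placeholder-n-1", "e": "AQAB"},
    {"kty": "RSA", "kid": "rsa-2013", "alg": "RS256", "n": "placeholder-n-2", "e": "AQAB"},
]}
CERT_DERS = [b"constructed-der-cert-1", b"constructed-der-cert-2"]

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def x5t(der: bytes) -> str:
    """JWS x5t: base64url-encoded SHA-1 thumbprint of the DER-encoded certificate."""
    return b64url(hashlib.sha1(der).digest())

def missing_params(header, jwks, cert_ders):
    """Header parameters Connect Messages 4.3 requires but the header lacks:
    kid when more than one JWK is published, x5t when more than one cert is."""
    missing = []
    if len(jwks["keys"]) > 1 and "kid" not in header:
        missing.append("kid")
    if len(cert_ders) > 1 and "x5t" not in header:
        missing.append("x5t")
    return missing

def select_key(header, jwks, cert_ders):
    """Resolve the (JWK, certificate) pair a JWS header points at, or raise."""
    missing = missing_params(header, jwks, cert_ders)
    if missing:
        raise ValueError("JWS header lacks required " + ", ".join(missing))
    keys = jwks["keys"]
    jwk = next((k for k in keys if k.get("kid") == header.get("kid")), None) \
        if len(keys) > 1 else (keys[0] if keys else None)
    cert = next((c for c in cert_ders if x5t(c) == header.get("x5t")), None) \
        if len(cert_ders) > 1 else (cert_ders[0] if cert_ders else None)
    if jwk is None and cert is None:
        raise LookupError("no published key matches the JWS header")
    return jwk, cert

def header_bytes(header) -> int:
    """Length of the base64url protected header, to see what kid + x5t cost."""
    return len(b64url(json.dumps(header, separators=(",", ":")).encode()))
```

With two keys in each format, a header carrying only kid is rejected and one carrying both kid and x5t is 48 base64url characters longer than the kid-only header, which is the overhead the message is weighing.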