[Openid-specs-ab] JWK & X.509

Roland Hedberg roland.hedberg at adm.umu.se
Sat Dec 29 08:33:51 UTC 2012

27 dec 2012 kl. 21:00 skrev Brian Campbell <bcampbell at pingidentity.com>:

> I'm trying to work though the practical implications of JWK & X.509 support as a Connect OP for signatures.
> It seems likely that 1) an OP will want to publish keys in both formats to "play nice" with a variety of clients that may only be able to handle one format or the other and 2) an OP will want to publish multiple keys to support different algorithms and facilitate key rollover.
> Connect Messages §4.2 [1] says that "if keys are specified in both X.509 and JWK formats, they MUST be the same keys" and §4.3 [2]says that "if there are multiple keys in the referenced JWK document, the kid MUST be specified in the JWS header. If there are multiple certificates at the referenced certificate location, then x5t MUST be specified in the JWS header."
> Connecting the dots from my assumptions above and the requirements from Connect, it seems like it will be very common to have ID Tokens with both the kid and x5t JWS header parameters. Which makes sense on some level but I can't help the feeling that it's kind of inefficient, particularly with all the emphasis that's been put on keeping id tokens small(ish). 
> I don't have an alternative in mind but, in thinking about it, I guess I did want to ask a few questions:
> Are my assumptions valid?

Absolutely !

> If so, is the end result really what Connect intended?

That, I don't know. But your conclusions seems reasonable.

-- Roland
Roland Hedberg
IT Architect/Senior Researcher
ICT Services and System Development (ITS) 
Umeå University 
SE-901 87 Umeå, Sweden	
Phone +46 90 786 68 44
Mobile +46 70 696 68 44 

More information about the Openid-specs-ab mailing list