[Openid-specs-ab] [openid/connect] Messages: X509 as MTI? (issue #784)

Justin Richer issues-reply at bitbucket.org
Thu Feb 21 15:42:25 UTC 2013

--- you can reply above this line ---

New issue 784: Messages: X509 as MTI?

Justin Richer:

At the last face-to-face, the group decided that for Dynamic servers, the X509 format (as opposed to JWK format) should be mandatory to implement for publishing keys. The argument given at the time was that there were existing toolchains for producing and consuming X509 formatted certificates, especially in enterprise environments. 

However, having implemented both for an enterprise environment with a traditionally enterprise-focused language (Java), my experience dictates otherwise. 

The biggest problem is that the OIDC world doesn't care about certificate chains, it cares about bare keys. If your server is configured with just a bare key (which is all it needs), the tooling for dynamically generating a self-signed X509 certificate out of an existing bare key is *not* there. 

I propose that we move JWK (with bare keys) to MTI and have X509 (whether as separate certs or as members of a JWK, see other issues for that) no longer as MTI.


This is an issue notification from bitbucket.org. You are receiving
this either because you are the owner of the issue, or you are
following the issue.

More information about the Openid-specs-ab mailing list