[Openid-specs-ab] X509 as MTI?

Richer, Justin P. jricher at mitre.org
Thu Feb 21 15:45:05 UTC 2013

I've just submitted issue #784 questioning whether we want to have X509 as the MTI key publication type, as opposed to JWK. I really think it should be JWK, especially after having had to implement and support both. In my (admittedly limited, but still real) experience, the JWK wins hands down on both Client and Server side. Here's my text from the issue:

At the last face-to-face, the group decided that for Dynamic servers, the X509 format (as opposed to JWK format) should be mandatory to implement for publishing keys. The argument given at the time was that there were existing toolchains for producing and consuming X509 formatted certificates, especially in enterprise environments. 

However, having implemented both for an enterprise environment with a traditionally enterprise-focused language (Java), my experience dictates otherwise. 

The biggest problem is that the OIDC world doesn't care about certificate chains, it cares about bare keys. If your server is configured with just a bare key (which is all it needs), the tooling for dynamically generating a self-signed X509 certificate out of an existing bare key is *not* there. 

I propose that we move JWK (with bare keys) to MTI and have X509 (whether as separate certs or as members of a JWK, see other issues for that) no longer as MTI.

 -- Justin

More information about the Openid-specs-ab mailing list