[Openid-specs-ab] X509 as MTI?

Justin Richer jricher at mitre.org
Thu Feb 21 16:06:27 UTC 2013


A small clarification:

There's a distinction between *generating* the keys and *using* the 
keys, and the tooling support for both. What we've been doing is using 
openssl or other well-established tools to create a throwaway 
self-signed cert, extract the keys out of those, and then publish them 
as JWK for the rest of the components to use from that point onward. If 
there were a good script or tool to generate keys already serialized as 
JWK (including the JWK-for-private-keys extension), then we'd love to 
just do that from end to end. But it's definitely not been worth having 
the complexity of securely generating the keys get pushed down to all 
the rest of the system.

  -- Justin


On 02/21/2013 10:45 AM, Richer, Justin P. wrote:
> I've just submitted issue #784 questioning whether we want to have X509 as the MTI key publication type, as opposed to JWK. I really think it should be JWK, especially after having had to implement and support both. In my (admittedly limited, but still real) experience, the JWK wins hands down on both Client and Server side. Here's my text from the issue:
>
> At the last face-to-face, the group decided that for Dynamic servers, the X509 format (as opposed to JWK format) should be mandatory to implement for publishing keys. The argument given at the time was that there were existing toolchains for producing and consuming X509 formatted certificates, especially in enterprise environments.
>
> However, having implemented both for an enterprise environment with a traditionally enterprise-focused language (Java), my experience dictates otherwise.
>
> The biggest problem is that the OIDC world doesn't care about certificate chains, it cares about bare keys. If your server is configured with just a bare key (which is all it needs), the tooling for dynamically generating a self-signed X509 certificate out of an existing bare key is *not* there.
>
> I propose that we move JWK (with bare keys) to MTI and have X509 (whether as separate certs or as members of a JWK, see other issues for that) no longer as MTI.
>
>   -- Justin
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
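As an added example (not Justin's code, nor anything from the OpenID working group), here is the key workflow the post describes done end to end in Go: generate an RSA key, wrap it in a throwaway self-signed cert, pull the bare key back out of the cert, and emit it as JWK, both the public form for publication and the private form (with d, p, q, dp, dq, qi) for the server's own key store. The function names, the "throwaway" cert subject and the kid value are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// b64u encodes a big integer as JWK expects: unpadded base64url of its big-endian bytes.
func b64u(i *big.Int) string { return base64.RawURLEncoding.EncodeToString(i.Bytes()) }

// PublicJWK is the bare RSA public key as a JWK (kty, n, e): the only part OIDC peers need.
func PublicJWK(pub *rsa.PublicKey, kid string) map[string]string {
	return map[string]string{"kty": "RSA", "use": "sig", "kid": kid,
		"n": b64u(pub.N), "e": b64u(big.NewInt(int64(pub.E)))}
}

// PrivateJWK adds the private members; never serve this from jwks_uri next to the public set.
func PrivateJWK(priv *rsa.PrivateKey, kid string) map[string]string {
	priv.Precompute() // fills Dp, Dq, Qinv when the key was loaded rather than generated
	m := PublicJWK(&priv.PublicKey, kid)
	m["d"], m["p"], m["q"] = b64u(priv.D), b64u(priv.Primes[0]), b64u(priv.Primes[1])
	m["dp"], m["dq"], m["qi"] = b64u(priv.Precomputed.Dp), b64u(priv.Precomputed.Dq), b64u(priv.Precomputed.Qinv)
	return m
}

// ThrowawayCertToJWK mirrors the openssl workflow: key -> throwaway self-signed cert -> bare key -> JWK.
func ThrowawayCertToJWK(bits int, kid string) (pub, priv map[string]string, err error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "throwaway"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // the cert chain is discarded; only its key matters
	if err != nil {
		return nil, nil, err
	}
	return PublicJWK(cert.PublicKey.(*rsa.PublicKey), kid), PrivateJWK(key, kid), nil
}
```

Wrapping the public map as `{"keys": [ ... ]}` gives the JWK Set document a server publishes at its jwks_uri; the private map stays on the signing side only.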