[Openid-specs-ab] key publication text updated and rotation guidance added

Brian Campbell bcampbell at pingidentity.com
Fri Feb 22 22:01:43 UTC 2013


In working to resolve 703, 704 and 740 [1] over the last two days I've
added the PKIX JWK key type (as well as an example) for X.509 certificates
and consolidated the x509_uri, x509_encryption_uri, and jwk_encryption_uri
parameters into a single combined jwk_uri parameter.  I've also provided
suggested guidance about how to do key rotation of asymmetric keys for both
signing and encryption using jwk_uri.

I believe this is now a more consistent model that meets the full desired
feature set. It might even be a simplification overall (it's no more
complicated anyway). But I'm sure it could benefit from a review from some
of the distinguished members of this list.  The specific change sets are
listed below[2] and I think Mike is going to push an update to the
openid.bitbucket.org HTML specs this afternoon, which will be a little more
readable. The real heart of the changes is contained in Section 4 of
Messages.


Thanks,
Brian


[1]
https://bitbucket.org/openid/connect/issue/703/key-publication-needs-to-be-reworked
https://bitbucket.org/openid/connect/issue/704/provide-key-rollover-guidance
https://bitbucket.org/openid/connect/issue/740/use-of-same-key-for-different-operations

[2]
https://bitbucket.org/openid/connect/commits/aa93484bd1270007c21a89713c716e43f494d9d3
https://bitbucket.org/openid/connect/commits/c34bad3e1197acb80a7289f2a5a7adfb84c65310
https://bitbucket.org/openid/connect/commits/5a02032842fbe08ad85a578c821cdc3469ff0302
https://bitbucket.org/openid/connect/commits/0cf12e189a3abb55032ccd61f61a197eaab6cd18
https://bitbucket.org/openid/connect/commits/164747e934d9dd03cf87f8c9421bcead544d5ca2

[3]
http://openid.bitbucket.org/openid-connect-messages-1_0.html#sigenc