[Openid-specs-ab] key publication text updated and rotation guidance added

Mike Jones Michael.Jones at microsoft.com
Fri Feb 22 22:31:24 UTC 2013


I've pushed HTML versions of these changes to openid.bitbucket.org<http://openid.bitbucket.org>.  The main places to review are Messages 4.2<http://openid.bitbucket.org/openid-connect-messages-1_0.html#sigenc.key> (Keys), 4.3 (Signing), and 4.4 (Encryption), including the key rotation sections in 4.3.1 and 4.4.1.  You could also review the "jwk_url" text in Discovery<http://openid.bitbucket.org/openid-connect-discovery-1_0.html#ProviderConfigurationResponse> and Registration<http://openid.bitbucket.org/openid-connect-registration-1_0.html#client-metadata>.

                                                                -- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Brian Campbell
Sent: Friday, February 22, 2013 2:02 PM
To: <openid-specs-ab at lists.openid.net>
Subject: [Openid-specs-ab] key publication text updated and rotation guidance added

In working to resolve 703, 704 and 740 [1] over the last two days I've added the PKIX JWK key type (as well as an example) for X.509 certificates and consolidated the x509_uri, x509_encryption_uri, and jwk_encryption_uri parameters into a single combined jwk_uri parameter.  I've also provided suggested guidance about how to do key rotation of asymmetric keys for both signing and encryption using jwk_uri.

I believe this is now a more consistent model that meets the full desired feature set. It might even be a simplification overall (it's no more complicated, anyway). But I'm sure it could benefit from a review from some of the distinguished members of this list.  The specific change sets are listed below [2], and I think Mike is going to push an update to the openid.bitbucket.org<http://openid.bitbucket.org> HTML specs this afternoon, which will be a little more readable. The real heart of the changes is contained in Section 4 of Messages.

Thanks,
Brian


[1]
https://bitbucket.org/openid/connect/issue/703/key-publication-needs-to-be-reworked
https://bitbucket.org/openid/connect/issue/704/provide-key-rollover-guidance
https://bitbucket.org/openid/connect/issue/740/use-of-same-key-for-different-operations

[2]
https://bitbucket.org/openid/connect/commits/aa93484bd1270007c21a89713c716e43f494d9d3
https://bitbucket.org/openid/connect/commits/c34bad3e1197acb80a7289f2a5a7adfb84c65310
https://bitbucket.org/openid/connect/commits/5a02032842fbe08ad85a578c821cdc3469ff0302
https://bitbucket.org/openid/connect/commits/0cf12e189a3abb55032ccd61f61a197eaab6cd18
https://bitbucket.org/openid/connect/commits/164747e934d9dd03cf87f8c9421bcead544d5ca2

[3]
http://openid.bitbucket.org/openid-connect-messages-1_0.html#sigenc
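Editor's added example (not part of either message above, and not code from the OpenID working group): a self-contained Go sketch of the rotation model that Brian's guidance points at and that the final OpenID Connect Core spec describes for jwks_uri (the parameter is called jwk_uri in the drafts under discussion here). The OP publishes every currently valid public key in one JWK Set, names the key it used in each JWS header via kid, keeps superseded keys published until signatures made with them have aged out, and the RP caches the set and re-retrieves it only when it meets a kid it does not know. Two things are assumptions of mine rather than anything in the thread: the in-process Fetch callback stands in for an HTTPS GET of the jwk_uri, and the keys are Ed25519 with the OKP JWK type (RFC 8037, which postdates this 2013 thread) purely to keep the block short; the model is identical for the RSA and EC keys the drafts actually cover. The kid values and payloads are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var enc = base64.RawURLEncoding
// JWKSet is the jwk_uri document. Ed25519/OKP entries (RFC 8037) are an assumption made for brevity; RSA/EC work the same.
type JWKSet struct{ Keys []map[string]string `json:"keys"` }

// Issuer (the OP side) holds private keys by kid and publishes only their public halves.
type Issuer struct {
	priv   map[string]ed25519.PrivateKey
	active string // kid used for new signatures
}

// Rotate publishes a fresh key under kid and signs with it from now on; earlier keys stay published so old signatures still verify.
func (iss *Issuer) Rotate(kid string) error {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	if iss.priv == nil {
		iss.priv = map[string]ed25519.PrivateKey{}
	}
	iss.priv[kid], iss.active = priv, kid
	return nil
}

// Retire unpublishes the key under kid; once verifiers refresh, nothing signed with it verifies.
func (iss *Issuer) Retire(kid string) { delete(iss.priv, kid) }

// JWKS builds the jwk_uri response body from the currently published keys.
func (iss *Issuer) JWKS() []byte {
	set := JWKSet{Keys: []map[string]string{}}
	for kid, priv := range iss.priv {
		set.Keys = append(set.Keys, map[string]string{"kty": "OKP", "crv": "Ed25519", "kid": kid,
			"x": enc.EncodeToString(priv.Public().(ed25519.PublicKey))})
	}
	out, _ := json.Marshal(set)
	return out
}

// Sign returns a compact JWS (alg EdDSA) whose header names the active kid.
func (iss *Issuer) Sign(payload []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": iss.active})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(payload)
	return input + "." + enc.EncodeToString(ed25519.Sign(iss.priv[iss.active], []byte(input)))
}

// Verifier (the RP side) caches the JWK Set and re-retrieves it only when a JWS names an unfamiliar kid.
type Verifier struct {
	Fetch func() []byte // stands in for an HTTPS GET of the jwk_uri (hypothetical, in-process here)
	cache map[string]ed25519.PublicKey
}

// Refresh re-retrieves the set and replaces the cache rather than merging, so retired keys drop out.
func (v *Verifier) Refresh() error {
	var set JWKSet
	if err := json.Unmarshal(v.Fetch(), &set); err != nil {
		return err
	}
	v.cache = map[string]ed25519.PublicKey{}
	for _, k := range set.Keys {
		if x, err := enc.DecodeString(k["x"]); k["kty"] == "OKP" && k["crv"] == "Ed25519" && err == nil && len(x) == ed25519.PublicKeySize {
			v.cache[k["kid"]] = ed25519.PublicKey(x) // anything else is skipped, never trusted
		}
	}
	return nil
}

// Verify checks a compact JWS against the cached keys and returns its payload.
func (v *Verifier) Verify(jws string) ([]byte, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("bad JOSE header or alg not EdDSA") // alg is pinned; the token does not choose it
	}
	pub, ok := v.cache[hdr.Kid]
	if !ok { // unfamiliar kid: go back to the jwk_uri once, then trust only what it now says
		if err := v.Refresh(); err != nil {
			return nil, err
		}
		pub = v.cache[hdr.Kid] // still nil if the kid is not published
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, fmt.Errorf("signature invalid or unknown kid %q", hdr.Kid)
	}
	return enc.DecodeString(parts[1])
}
```

Usage: create an Issuer, call Rotate with the first kid, point a Verifier's Fetch at the issuer's JWKS, and verify a signature; then Rotate to a second kid and verify again. The verifier re-fetches exactly once, on the first sight of the new kid, while signatures under the old kid keep verifying until the issuer calls Retire and the verifier refreshes. Two details matter in practice and are deliberate here: Refresh replaces the cache instead of merging, so a retired key cannot linger, and the verifier re-fetches at most once per unknown kid, so an attacker cannot turn junk kids into a flood of requests against the jwk_uri.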