[Openid-specs-ab] key publication text updated and rotation guidance added

Mike Jones Michael.Jones at microsoft.com
Fri Feb 22 22:31:24 UTC 2013

I've pushed HTML versions of these changes to openid.bitbucket.org<http://openid.bitbucket.org>.  The main places to review are Messages 4.2<http://openid.bitbucket.org/openid-connect-messages-1_0.html#sigenc.key> (Keys), 4.3 (Signing), and 4.4 (Encryption), including the key rotation sections in 4.3.1 and 4.4.1.  You could also review the "jwk_url" text in Discovery<http://openid.bitbucket.org/openid-connect-discovery-1_0.html#ProviderConfigurationResponse> and Registration<http://openid.bitbucket.org/openid-connect-registration-1_0.html#client-metadata>.

                                                                -- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Brian Campbell
Sent: Friday, February 22, 2013 2:02 PM
To: <openid-specs-ab at lists.openid.net>
Subject: [Openid-specs-ab] key publication text updated and rotation guidance added

In working to resolve 703, 704 and 740 [1] over the last two days I've added the PKIX JWK key type (as well as an example) for X.509 certificates and consolidated the x509_uri, x509_encryption_uri, and jwk_encryption_uri parameters into a single combined jwk_uri parameter.  I've also provided suggested guidance about how to do key rotation of asymmetric keys for both signing and encryption using jwk_uri.

I believe this is now a more consistent model that meets the full desired feature set. It might even be a simplification overall (it's no more complicated anyway). But I'm sure it could benefit from a review from some of the distinguished members of this list.  The specific change sets are listed below[2] and I think Mike is going to push an update to the openid.bitbucket.org<http://openid.bitbucket.org> HTML specs this afternoon, which will be a little more readable. The real heart of the changes is contained in Section 4 of Messages.



