[Openid-specs-ab] X509 as MTI?

Roland Hedberg roland.hedberg at adm.umu.se
Sun Feb 24 16:38:33 UTC 2013

21 feb 2013 kl. 16:45 skrev "Richer, Justin P." <jricher at mitre.org>:

> I've just submitted issue #784 questioning whether we want to have X509 as the MTI key publication type, as opposed to JWK. I really think it should be JWK, especially after having had to implement and support both. In my (admittedly limited, but still real) experience, the JWK wins hands down on both Client and Server side. Here's my text from the issue:
> At the last face-to-face, the group decided that for Dynamic servers, the X509 format (as opposed to JWK format) should be mandatory to implement for publishing keys. The argument given at the time was that there were existing toolchains for producing and consuming X509 formatted certificates, especially in enterprise environments. 
> However, having implemented both for an enterprise environment with a traditionally enterprise-focused language (Java), my experience dictates otherwise. 
> The biggest problem is that the OIDC world doesn't care about certificate chains, it cares about bare keys. If your server is configured with just a bare key (which is all it needs), the tooling for dynamically generating a self-signed X509 certificate out of an existing bare key is *not* there. 
> I propose that we move JWK (with bare keys) to MTI and have X509 (whether as separate certs or as members of a JWK, see other issues for that) no longer as MTI.


-- Roland
Roland Hedberg
IT Architect/Senior Researcher
ICT Services and System Development (ITS) 
Umeå University 
SE-901 87 Umeå, Sweden	
Phone +46 90 786 68 44
Mobile +46 70 696 68 44 

More information about the Openid-specs-ab mailing list