[Openid-specs-ab] jku and x5u

Mike Jones Michael.Jones at microsoft.com
Tue Apr 2 18:49:52 UTC 2013

There's different cases.  If it points to a certificate chain and you validate the certificate chain and decide to trust it, you can verify that the signature was made with the private key corresponding to the pub key contained in the cert.  This kind of trust rests on PKIX.

If the URL points to a site you trust such as example.com, you can choose to trust the keys based upon them being stored somewhere under https://example.com/.  This kind of trust falls back on trusting DNS and TLS.

Sometimes, however, all you're after from "trust" is knowing that this was the same entity as in a previous interaction, in which case bare keys without a trust chain will do fine.  This kind of trust may just require tracking that the same (or related) keys were used for successive interactions.

Others may have more to add, but that's a quick brain dump...

                                                                -- Mike

From: Tim Bray [mailto:tbray at textuality.com]
Sent: Tuesday, April 02, 2013 11:35 AM
To: Mike Jones
Cc: <openid-specs-ab at lists.openid.net>
Subject: Re: [Openid-specs-ab] jku and x5u

Sorry, I'm probably failing to understand because I'm a crypto moron, but if I want to use keys to validate a JWT allegedly from example.com<http://example.com>, I'm not going to believe anything in the JWT until I've checked using example.com<http://example.com>'s keys, so why should I believe the JWT's assertion about where to get the keys to validate it?  -T

On Tue, Apr 2, 2013 at 11:27 AM, Mike Jones <Michael.Jones at microsoft.com<mailto:Michael.Jones at microsoft.com>> wrote:
Yes, that's exactly it.  If you already know where the keys are or what they are (for instance, if you've established that information at registration time), there's no need to use these parameters.  But for some use cases, this is valuable information that can be dynamically provided.  (The Key ID ("kid") can also be dynamically provided, if appropriate to the use case.)

                                                                -- Mike

From: openid-specs-ab-bounces at lists.openid.net<mailto:openid-specs-ab-bounces at lists.openid.net> [mailto:openid-specs-ab-bounces at lists.openid.net<mailto:openid-specs-ab-bounces at lists.openid.net>] On Behalf Of Tim Bray
Sent: Tuesday, April 02, 2013 11:19 AM
To: <openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>>
Subject: [Openid-specs-ab] jku and x5u

Almost certainly I'm just missing something obvious, but I'm having trouble understanding why the jku and x5u header claims exist.  The idea is I get a message and believe the message's assertion about where I should go to get the cert to validate the message?  -T

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130402/b1731c4b/attachment.html>

More information about the Openid-specs-ab mailing list