[Openid-specs-ab] Forthcoming minor changes to JOSE specs pertinent to OpenID Connect

Mike Jones Michael.Jones at microsoft.com
Thu May 2 05:21:44 UTC 2013

I've updated Messages to contain the change from "kty": "PKIX" to having an optional "x5c" element in the key.  See http://openid.bitbucket.org/openid-connect-messages-1_0.html#x5cJWK.

                                                            -- Mike

From: openid-connect-interop at googlegroups.com [mailto:openid-connect-interop at googlegroups.com] On Behalf Of Mike Jones
Sent: Tuesday, April 30, 2013 10:49 PM
To: openid-specs-ab at lists.openid.net; openid-connect-interop at googlegroups.com
Subject: Forthcoming minor changes to JOSE specs pertinent to OpenID Connect

An interim JOSE working group meeting was held yesterday and today at Cisco in Denver.  The good news is that many issues were discussed and resolved in a productive manner.

I wanted to give you a heads-up that two minor changes will be made to the JOSE specs that do affect OpenID Connect.  One is that the syntax for the PKIX key type will be changed from having the x5c member be in an independent "kty":"PKIX" element to being a member within the "kty":"RSA" (or "kty":"EC") structure.  So the example at http://openid.net/specs/openid-connect-messages-1_0-17.html#PKIXKeyType would change to:


This only affects code that is using the PKIX key type.

The second change is that the contents of the Additional Associated Data (AAD) value in JWE will be simplified to only include the Encoded JWE Header value but not the Encoded JWE Encrypted Key.  This means that the value X computed in step 15 of http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-10#section-5.1 will be used directly as the AAD value, without computing Y (in step 16) and concatenating it to X (in step 17).

This change simplifies the encryption AAD calculation.

I will plan on incorporating these changes into the JOSE drafts as soon as possible.  Hopefully this will be the last breaking change to the encryption calculation.

                                                            Best wishes,
                                                            -- Mike
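
The AAD change described in the message above, as an added example that is not part of the original e-mail or of any JOSE draft text: it seals a payload under one AAD rule and opens it under the other to show why mixed implementations fail tag verification. The function names, the "." separator in the draft-10 form, the choice of AES-GCM, and the header, key and IV values are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
)

// aadDraft10 builds the old AAD: X with the Encoded JWE Encrypted Key (Y) appended.
// The "." separator is an assumption; the message only says "concatenating".
func aadDraft10(encHeader, encKey string) []byte {
	return []byte(encHeader + "." + encKey)
}

// aadRevised uses the Encoded JWE Header (X) directly as the AAD.
func aadRevised(encHeader string) []byte { return []byte(encHeader) }

// interop seals with the sender's AAD rule, opens with the receiver's rule,
// and reports whether the AES-GCM authentication tag verified.
func interop(senderRevised, receiverRevised bool) bool {
	enc := base64.RawURLEncoding
	hdr := enc.EncodeToString([]byte(`{"alg":"RSA1_5","enc":"A128GCM"}`)) // constructed header
	key := enc.EncodeToString([]byte("constructed-wrapped-cek"))          // constructed Encrypted Key
	pick := func(revised bool) []byte {
		if revised {
			return aadRevised(hdr)
		}
		return aadDraft10(hdr, key)
	}
	blk, err := aes.NewCipher(bytes.Repeat([]byte{0x11}, 16)) // constructed CEK, demo only
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		panic(err)
	}
	iv := bytes.Repeat([]byte{0x22}, 12) // constructed IV, demo only
	sealed := gcm.Seal(nil, iv, []byte("payload"), pick(senderRevised))
	_, err = gcm.Open(nil, iv, sealed, pick(receiverRevised))
	return err == nil
}

func main() {
	fmt.Println("revised sender, revised receiver: ", interop(true, true))
	fmt.Println("revised sender, draft-10 receiver:", interop(true, false))
}
```

A decryption failure between two otherwise working implementations after this change is most likely an AAD mismatch, so both sides need to move to the same rule together.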
