[Openid-specs-ab] Issue #1007: Registration: Client jwks / jwks_uri must not contain private key material (openid/connect)

Nat Sakimura sakimura at gmail.com
Fri Dec 30 16:19:53 UTC 2016


Hmmm. Yeah, while obvious...

On Wed, Dec 28, 2016, 16:44 Vladimir Dzhuvinov via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> New issue 1007: Registration: Client jwks / jwks_uri must not contain
> private key material
>
> https://bitbucket.org/openid/connect/issues/1007/registration-client-jwks-jwks_uri-must-not
>
> Vladimir Dzhuvinov:
>
> The client registration spec should state explicitly that the client JWK
> set must not contain any private or secret keys. The OP must also reject
> such registration requests, to make the client developers aware of the
> leakage.
>
> This can be stated in section 2 Client Metadata and in section 9 Security
> Considerations.
>
> Proposed text:
>
> > **2. Client Metadata**
> >
> > ...
> >
> > **jwks_uri** ... The JWK Set MUST contain public keys only.
>
> ...
>
> > **9.2 Private and Secret Key Leakage**
> >
> > The Client's JSON Web Key Set [JWK] document, as specified by the
> jwks_uri and jwks Client Metadata values, MUST be validated by the Server
> to ensure no private or secret key material is present in it. If such
> validation of the JWK set fails the Server MUST reject the registration
> request with an appropriate error message to make the Relying Party aware
> of the key leakage.
>
> I became aware of this problem in the OP cert tests, where the test RP
> tried to register itself with private key material in the "jwks" /
> "jwks_uri" parameter.
>
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation
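Added example, not part of this thread nor of any OpenID Foundation code: a Python check of the kind the proposed section 9.2 asks the Server to run, scanning a client JWK Set for the private or secret key members defined in RFC 7518 (and RFC 8037 for OKP) and rejecting registration when any is present. The sample JWK Set and its `kid` values are constructed; `invalid_client_metadata` is the error code OpenID Connect Dynamic Client Registration defines for rejected metadata.

```python
# JWK members that carry private or secret key material, per RFC 7518 section 6
# (RSA, EC, oct) and RFC 8037 (OKP). Any of these in a client JWK Set is a leak.
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
    "oct": {"k"},  # a symmetric key is secret by definition
}


def find_private_material(jwks: dict) -> list:
    """Return (key index, kid, member) for every private or secret member found.

    An empty list means the JWK Set holds public keys only. A key with an
    unknown "kty" cannot be proven public, so it is reported as a finding too.
    """
    findings = []
    for i, key in enumerate(jwks.get("keys", [])):
        kty = key.get("kty")
        if kty not in PRIVATE_MEMBERS:
            findings.append((i, key.get("kid"), f"unknown kty {kty!r}"))
            continue
        for member in sorted(PRIVATE_MEMBERS[kty] & key.keys()):
            findings.append((i, key.get("kid"), member))
    return findings


class RegistrationError(ValueError):
    """Raised when the registration request must be rejected."""


def validate_client_jwks(jwks: dict) -> dict:
    """Accept a client JWK Set only if it is free of private or secret material."""
    findings = find_private_material(jwks)
    if findings:
        detail = "; ".join(f"key[{i}] kid={kid!r} exposes {m!r}" for i, kid, m in findings)
        raise RegistrationError(
            "invalid_client_metadata: jwks must contain public keys only: " + detail)
    return jwks


# Constructed sample: a public EC key followed by an RSA key that also carries
# its private exponent "d" (coordinate and modulus values are placeholders).
SAMPLE_JWKS = {"keys": [
    {"kty": "EC", "kid": "ec1", "crv": "P-256", "x": "PLACEHOLDER_X", "y": "PLACEHOLDER_Y"},
    {"kty": "RSA", "kid": "rsa1", "n": "PLACEHOLDER_N", "e": "AQAB", "d": "PLACEHOLDER_D"},
]}

if __name__ == "__main__":
    try:
        validate_client_jwks(SAMPLE_JWKS)
    except RegistrationError as err:
        print("rejected:", err)
```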