[Openid-specs-ab] Issue #1007: Registration: Client jwks / jwks_uri must not contain private key material (openid/connect)
sakimura at gmail.com
Fri Dec 30 16:19:53 UTC 2016
Hmmm. Yeah, while obvious...
On Wed, Dec 28, 2016, 16:44 Vladimir Dzhuvinov via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:
> New issue 1007: Registration: Client jwks / jwks_uri must not contain
> private key material
> Vladimir Dzhuvinov:
> The client registration spec should state explicitly that the client JWK
> set must not contain any private or secret keys. The OP must also reject
> such registration requests, to make the client developers aware of the
> This can be stated in section 2 Client Metadata and in section 9 Security
> Proposed text:
> > **2. Client Metadata**
> > ...
> > **jwks_uri** ... The JWK Set MUST contain public keys only.
> > **9.2 Private and Secret Key Leakage**
> > The Client's JSON Web Key Set [JWK] document, as specified by the
> jwks_uri and jwks Client Metadata values, MUST be validated by the Server
> to ensure no private or secret key material is present in it. If such
> validation of the JWK set fails the Server MUST reject the registration
> request with an appropriate error message to make the Relying Party aware
> of the key leakage.
> I became aware of this problem in the OP cert tests, where the test RP
> tried to register itself with private key material in the "jwks" /
> "jwks_uri" parameter.
Chairman of the Board, OpenID Foundation
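One way an OP could implement the check that the proposed section 9.2 text asks for, added here as an example for this thread and not code from any OpenID Foundation project: it walks a client-supplied JWK Set, flags every key that carries private or secret members for its key type (RFC 7518 and RFC 8037), and turns findings into a registration error using the `invalid_client_metadata` error code that RFC 7591 defines for rejected metadata. The function names, the sample key sets, the `kid` values and the placeholder key members are all constructed for this example.

```python
import json

# Private / secret JWK members by key type, from RFC 7518 (RSA 6.3.2, EC 6.2.2,
# oct 6.4) and RFC 8037 (OKP). Any of these in a client-supplied JWK Set is the
# key leakage the proposed section 9.2 text says the Server MUST reject.
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
    "oct": {"k"},  # a symmetric key has no public half; its presence is the leak
}


def find_private_material(jwks):
    """Return a list of (kid, reason) for every key that must not be accepted.

    An empty list means the set contains public keys only. Unknown or missing
    'kty' values are reported too, because the server cannot prove such a key
    is public (a conservative choice made for this example)."""
    findings = []
    for idx, key in enumerate(jwks.get("keys", [])):
        kid = key.get("kid", f"keys[{idx}]")
        kty = key.get("kty")
        if kty not in PRIVATE_MEMBERS:
            findings.append((kid, f"unsupported or missing kty {kty!r}"))
            continue
        leaked = sorted(PRIVATE_MEMBERS[kty].intersection(key))
        if leaked:
            findings.append((kid, "private/secret members present: " + ", ".join(leaked)))
    return findings


def check_registration_jwks(document):
    """Validate the 'jwks' value (or the body fetched from 'jwks_uri') of a
    registration request. Returns None when the set is acceptable, otherwise a
    registration error object with the 'invalid_client_metadata' error code
    from RFC 7591 section 3.2.2, so the Relying Party is told why."""
    try:
        jwks = json.loads(document)
    except json.JSONDecodeError as exc:
        return {"error": "invalid_client_metadata",
                "error_description": f"jwks is not valid JSON: {exc.msg}"}
    if not isinstance(jwks, dict) or not isinstance(jwks.get("keys"), list):
        return {"error": "invalid_client_metadata",
                "error_description": "jwks must be a JWK Set object with a 'keys' array"}
    findings = find_private_material(jwks)
    if findings:
        detail = "; ".join(f"{kid}: {reason}" for kid, reason in findings)
        return {"error": "invalid_client_metadata",
                "error_description": "JWK Set MUST contain public keys only. " + detail}
    return None


# Constructed sample key sets; the base64url members are placeholders, not real keys.
PUBLIC_ONLY = json.dumps({"keys": [
    {"kty": "RSA", "kid": "rsa-1", "use": "sig", "n": "modulus_placeholder", "e": "AQAB"},
    {"kty": "EC", "kid": "ec-1", "crv": "P-256", "x": "x_placeholder", "y": "y_placeholder"},
]})

LEAKED = json.dumps({"keys": [
    {"kty": "RSA", "kid": "rsa-1", "n": "modulus_placeholder", "e": "AQAB"},
    {"kty": "EC", "kid": "ec-1", "crv": "P-256", "x": "x_placeholder", "y": "y_placeholder",
     "d": "private_scalar_placeholder"},
    {"kty": "oct", "kid": "hmac-1", "k": "shared_secret_placeholder"},
]})

if __name__ == "__main__":
    print(check_registration_jwks(PUBLIC_ONLY))  # None: public keys only
    print(check_registration_jwks(LEAKED))       # error object naming ec-1 and hmac-1
```

The check is deliberately membership-based rather than cryptographic: it does not need to parse the key material, only to refuse anything that is not a bare public key, which is exactly the property the proposed text wants the OP to enforce at registration time, before the key set is stored or logged.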