[Openid-specs-ab] Issue #1174: Federation: 9.2.2.2.1. The OP Constructing the Response - Clarify which keys need to be preserved to facilitate roll-over (openid/connect)

Vladimir Dzhuvinov issues-reply at bitbucket.org
Mon Jun 8 06:48:40 UTC 2020


New issue 1174: Federation: 9.2.2.2.1. The OP Constructing the Response - Clarify which keys need to be preserved to facilitate roll-over
https://bitbucket.org/openid/connect/issues/1174/federation-92221-the-op-constructing-the

Vladimir Dzhuvinov:

In [https://openid.net/specs/openid-connect-federation-1_0.html#rfc.section.9.2.2.2.1](https://openid.net/specs/openid-connect-federation-1_0.html#rfc.section.9.2.2.2.1)

> At this point, if there already exists a client registration under the same entity identifier then that registration MUST be regarded as invalid. **Note that key material from the previous registration MUST be kept to make key rollover possible.**

Is this the entity JWK set or the JWK set referenced by the client metadata (`jwks_uri` or `jwks`)?

1. If it’s the entity statement JWK set we don’t quite understand why these will need to be kept after an update.
2. As for the `jwks_uri` / `jwks`, the roll-over is managed by the RP / client, by simply keeping the old keys in the set, until no longer used.

If some roll-over needs to happen re 1 (entity statement JWK set) then this could also be managed by the client, thus making the requirement for the OP redundant.
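A sketch of the two roll-over strategies the issue contrasts, added here as an illustration and not code from the issue, the spec or any implementation: an OP that invalidates a superseded registration but retains its keys (the spec text), beside an RP that manages roll-over itself by keeping old keys in its published set. Keys are constructed JWK-like dicts identified by `kid`; no signing or verification is performed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Registration:
    entity_id: str
    jwks: dict               # {"keys": [{"kid": ..., ...}, ...]} (constructed shape)
    valid: bool = True


class OpRegistry:
    """Client registrations at the OP, one active per entity identifier."""

    def __init__(self):
        self.active: dict[str, Registration] = {}
        # Strategy 1 (spec text): entity_id -> {kid: key} from invalidated registrations
        self.retained: dict[str, dict[str, dict]] = {}

    def register(self, entity_id: str, jwks: dict) -> Registration:
        prev = self.active.get(entity_id)
        if prev is not None:
            prev.valid = False                      # superseded registration is invalid
            bucket = self.retained.setdefault(entity_id, {})
            for key in prev.jwks["keys"]:
                bucket.setdefault(key["kid"], key)  # ...but its key material is kept
        reg = Registration(entity_id, jwks)
        self.active[entity_id] = reg
        return reg

    def resolve_key(self, entity_id: str, kid: str) -> Optional[dict]:
        """Current registration first, then keys retained from earlier ones."""
        reg = self.active.get(entity_id)
        if reg is not None:
            for key in reg.jwks["keys"]:
                if key["kid"] == kid:
                    return key
        return self.retained.get(entity_id, {}).get(kid)


def rp_rollover(jwks: dict, new_key: dict) -> dict:
    """Strategy 2: the RP adds the new key but keeps the old ones in its set."""
    keys = [k for k in jwks["keys"] if k["kid"] != new_key["kid"]]
    return {"keys": keys + [new_key]}


def rp_retire(jwks: dict, kid: str) -> dict:
    """The RP drops a key once nothing signed with it is still in use."""
    return {"keys": [k for k in jwks["keys"] if k["kid"] != kid]}
```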