<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0cm;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:36.0pt;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:85807989;
        mso-list-type:hybrid;
        mso-list-template-ids:-1592370952 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-text:"%1\)";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
ol
        {margin-bottom:0cm;}
ul
        {margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Here are two use cases that would not work under the “</span>${issuer}/.well-known/openid-configuration<span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>” assumption.<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>1)<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The issuer has no control over the top level domain’s files<br>e.g. you rented some hosting space at <a href="https://geocities.yahoo.co.jp/KafkaTamura">https://geocities.yahoo.co.jp/KafkaTamura</a> and this is the iss. Kafka can not change the top level openid-configuration only <a href="https://geocities.yahoo.co.jp/KafkaTamura/.well-known/openid-configuration">https://geocities.yahoo.co.jp/KafkaTamura<span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>/.well-known/openid-configuration</span></a></span> <span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>2)<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>A self-issued OP on a phone<br>The issuer could dynamically register its keys or provide the public key with the first token. 
The consumer would then ensure that the key is the same in subsequent tokens.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> openid-specs-ab-bounces@lists.openid.net [mailto:openid-specs-ab-bounces@lists.openid.net] <b>On Behalf Of </b>Tim Bray<br><b>Sent:</b> Tuesday, April 02, 2013 11:55 PM<br><b>To:</b> Hannes Tschofenig<br><b>Cc:</b> <openid-specs-ab@lists.openid.net><br><b>Subject:</b> Re: [Openid-specs-ab] jku and x5u<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>From where I sit, the most obvious thing to do is look at the issuer claim, resolve ${issuer}/.well-known/openid-configuration, extract the jwk-url claim, fetch the jwk, and validate using that.  
For the kind of consumer/internet stuff we do, wouldn't that nearly always be the right choice?<br><br>-T<o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Tue, Apr 2, 2013 at 11:48 AM, Hannes Tschofenig <<a href="mailto:hannes.tschofenig@gmx.net" target="_blank">hannes.tschofenig@gmx.net</a>> wrote:<o:p></o:p></p><p class=MsoNormal>Hi Tim,<br><br>There are three ways to shuffle keys around:<br><br>* per value: you include the key in the message<br>* per reference: you include a pointer to the key (e.g., a URL)<br>* out-of-band: here you just give the key a name without telling where to find it.<br><br>Needless to say, you have to be careful with all three mechanisms when it comes to security.<br><br>You are already thinking about a complete use case that goes beyond what these header parameters by themselves are able to answer.<br><br>Ciao<br>Hannes<o:p></o:p></p><div><p class=MsoNormal><br><br><br>On 04/02/2013 09:35 PM, Tim Bray wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><p class=MsoNormal>Sorry, I’m probably failing to understand because I’m a crypto moron,<br>but if I want to use keys to validate a JWT allegedly from <a href="http://example.com" target="_blank">example.com</a>,<o:p></o:p></p></div><p class=MsoNormal>I’m not going to believe anything in the JWT until<br>I’ve checked using <a href="http://example.com" target="_blank">example.com</a>’s keys, so why<o:p></o:p></p><div><p class=MsoNormal><br>should I believe the JWT’s assertion about where to get the keys to<br>validate it?  
-T<br><br><br>On Tue, Apr 2, 2013 at 11:27 AM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:<o:p></o:p></p></div><div><p class=MsoNormal>    Yes, that’s exactly it.  If you already know where the keys are or<br>    what they are (for instance, if you’ve established that information<br>    at registration time), there’s no need to use these parameters.  But<br>    for some use cases, this is valuable information that can be<br>    dynamically provided.  (The Key ID (“kid”) can also be dynamically<o:p></o:p></p></div><p class=MsoNormal>    provided, if appropriate to the use case.)<br><br>    --<br>    Mike<br><br>    *From:* <a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>] *On Behalf Of* Tim Bray<br>    *Sent:* Tuesday, April 02, 2013 11:19 AM<br>    *To:* <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>><br>    *Subject:* [Openid-specs-ab] jku and x5u<o:p></o:p></p><div><p class=MsoNormal><br><br>    Almost certainly I’m just missing something obvious, but I’m having<br>    trouble understanding why the jku and x5u header 
claims exist.  The<br>    idea is I get a message and believe the message’s assertion about<o:p></o:p></p></div><p class=MsoNormal style='margin-bottom:12.0pt'>    where I should go to get the cert to validate the message?  -T<br><br><br><br><br>_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p></blockquote><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>
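<p class=MsoNormal>Added example, not code from the thread or from the OpenID working group: the key-location logic the exchange above converges on, written the way a relying party would. It takes the key location from the <code>iss</code> claim via OpenID Connect Discovery instead of from the token's own <code>jku</code>, accepts a <code>jku</code> or <code>jwks_uri</code> only when it sits under the issuer's own URL (same scheme, host and port, at or below the issuer's path), and for an issuer that has no discovery document, the self-issued-OP case in use case 2, pins the key carried in the first token and refuses a later token that switches keys. One caveat relevant to use case 1: OpenID Connect Discovery forms the metadata URL by appending <code>/.well-known/openid-configuration</code> to the full issuer URL, path component included, so a path-scoped issuer such as <code>https://geocities.yahoo.co.jp/KafkaTamura</code> resolves to <code>https://geocities.yahoo.co.jp/KafkaTamura/.well-known/openid-configuration</code>, not to a file at the host root; <code>discovery_url</code> below does exactly that. All function, class and variable names are this example's own; the issuer values, JWK member values and JSON documents are constructed, and the <code>fetch</code> callable is a dict standing in for HTTPS so the module runs offline.</p>

```python
"""Added example (not from the thread): locate JWT verification keys from `iss`
via OpenID Connect Discovery, accept jku/jwks_uri only under the issuer's own
URL, and pin first-seen keys for issuers without discovery (self-issued OP)."""
import base64
import hashlib
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

def discovery_url(issuer: str) -> str:
    """OIDC Discovery appends the well-known path to the whole issuer URL, path
    included: https://host/tenant resolves under /tenant, not at the host root."""
    u = urlsplit(issuer)
    if u.scheme != "https" or not u.netloc or u.query or u.fragment:
        raise ValueError(f"issuer must be an https URL without query/fragment: {issuer!r}")
    return issuer.rstrip("/") + WELL_KNOWN

def url_under_issuer(issuer: str, url: str) -> bool:
    """A key URL (jku, x5u, jwks_uri) is trusted only on the issuer's own scheme,
    host and port, at or below the issuer's path, and without '..' segments."""
    i, u = urlsplit(issuer), urlsplit(url)
    if u.scheme != "https" or (i.scheme, i.netloc) != (u.scheme, u.netloc):
        return False
    if ".." in u.path.split("/"):
        return False
    base = i.path.rstrip("/")
    return u.path == base or u.path.startswith(base + "/")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required public members as compact
    JSON in lexicographic order, base64url without padding."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"), "OKP": ("crv", "kty", "x")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class KeyPinStore:
    """Trust-on-first-use: the first key an issuer presents is pinned by
    thumbprint; a later token carrying a different key is rejected."""

    def __init__(self) -> None:
        self._pins = {}

    def check(self, issuer: str, jwk: dict) -> bool:
        thumb = jwk_thumbprint(jwk)
        return self._pins.setdefault(issuer, thumb) == thumb

def resolve_keys(header: dict, claims: dict, fetch, pins: KeyPinStore) -> list:
    """JWKs to verify against, never on the token's word alone: discovery via iss
    first (the token's own jku is ignored); else a jku that is under iss; else an
    embedded jwk pinned on first use. fetch(url) returns parsed JSON or None."""
    iss = claims.get("iss")
    if not iss:
        raise ValueError("token has no iss claim; nowhere to look for keys")
    config = fetch(discovery_url(iss))
    if config is not None:
        if not url_under_issuer(iss, config["jwks_uri"]):
            raise ValueError(f"jwks_uri {config['jwks_uri']!r} is outside issuer {iss!r}")
        return fetch(config["jwks_uri"])["keys"]
    if "jku" in header:
        if not url_under_issuer(iss, header["jku"]):
            raise ValueError(f"jku {header['jku']!r} is outside issuer {iss!r}")
        return fetch(header["jku"])["keys"]
    if "jwk" in header:
        if not pins.check(iss, header["jwk"]):
            raise ValueError(f"key for {iss!r} differs from the pinned key")
        return [header["jwk"]]
    raise ValueError(f"no trusted key source for issuer {iss!r}")

# Constructed stand-in for the web: an issuer scoped to one path on a shared host.
ISSUER = "https://geocities.yahoo.co.jp/KafkaTamura"
HOSTED_KEY = {"kty": "EC", "crv": "P-256", "kid": "kafka-1", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_WEB = {
    ISSUER + WELL_KNOWN: {"issuer": ISSUER, "jwks_uri": ISSUER + "/jwks.json"},
    ISSUER + "/jwks.json": {"keys": [HOSTED_KEY]},
}
PHONE_KEY = {"kty": "OKP", "crv": "Ed25519", "x": "constructed-phone-key"}
OTHER_KEY = {"kty": "OKP", "crv": "Ed25519", "x": "constructed-other-key"}

def demo() -> dict:
    """Hosted issuer (attacker-chosen jku ignored), then a self-issued OP whose
    first-token key is pinned and a swapped key is refused."""
    fetch, pins, phone = SAMPLE_WEB.get, KeyPinStore(), {"iss": "https://self-issued.me"}
    out = {"hosted": resolve_keys({"alg": "ES256", "jku": "https://geocities.yahoo.co.jp/Attacker/jwks.json"},
                                  {"iss": ISSUER}, fetch, pins)}
    out["phone_first"] = resolve_keys({"alg": "EdDSA", "jwk": PHONE_KEY}, phone, fetch, pins)
    out["phone_again"] = resolve_keys({"alg": "EdDSA", "jwk": PHONE_KEY}, phone, fetch, pins)
    try:
        resolve_keys({"alg": "EdDSA", "jwk": OTHER_KEY}, phone, fetch, pins)
        out["phone_swapped"] = "accepted"
    except ValueError:
        out["phone_swapped"] = "rejected"
    return out

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

<p class=MsoNormal>Running the module prints the outcome of both paths: the hosted issuer's key comes back from its own <code>jwks_uri</code> even though the token named an attacker-controlled <code>jku</code> on the same host, and for the self-issued issuer the first key is accepted, the same key is accepted again, and a different key is rejected. In a real relying party the <code>fetch</code> callable would be an HTTPS client with certificate validation, the pin store would be persistent, and the pinning branch should be reachable only for issuers the deployment has explicitly allowed to self-issue, since trust-on-first-use is only as good as the first contact.</p>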