<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Well, it all depends on whether the server is storing it or just
generating it through some ephemeral process and passing it along.
Yes, the server is definitely in the position to store the whole JWK
(since it has access to it in this moment), but if it wanted to, it
could use this mechanism to issue a keypair and throw away the
private key. It's definitely an odd use but some might find
something good to do with it.<br>
<br>
-- Justin<br>
<br>
<div class="moz-cite-prefix">On 11/22/2013 08:41 AM, Nat Sakimura
wrote:<br>
</div>
<blockquote
cite="mid:CABzCy2AXfhEPn+=QcHHaiZw_gdCO2hBkszEAa+QxnS-ewJqRGQ@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<div dir="ltr">The problem I see with this approach is that the
private key is then no longer private.
<div>The server also knows the private key, so the
non-repudiation type of advantage is gone. </div>
<div>It seems it is more or less on par with a symmetric key
then. </div>
<div><br>
</div>
<div>What advantage do you see with it? </div>
<div><br>
</div>
<div>On the other hand, a server-generated random can be very
useful and Ryo Ito is writing an extension spec on it, which I
am helping with. He has the implementation live on mixi, which is
one of the largest social networks in Japan. The reason he came
up with the idea is that the random/nonce etc. generated by
the client tends to be not really random, undermining
everything that follows. Are you concerned that the key pair
generated by the client has the same kind of problem? </div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2013/11/21 Vladimir Dzhuvinov /
NimbusDS <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:vladimir@nimbusds.com" target="_blank">vladimir@nimbusds.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi guys,<br>
<br>
Ticket #903 that Nat posted calls for a new jwks parameter to enable
native clients to register their public keys directly with the provider:<br>
<br>
<a moz-do-not-send="true"
href="https://bitbucket.org/openid/connect/issue/903/"
target="_blank">https://bitbucket.org/openid/connect/issue/903/</a><br>
<br>
What do you think of allowing this parameter to also be used as a simple
means to provision clients with keys generated by the provider? Do you
see any problems with that? I find this a very attractive option for a
use case that we face. Currently there's no standard OIDC way to
provision keys to clients when they register.<br>
<br>
It could work like this:<br>
<br>
The client sends a registration request that implies use of an
asymmetric key (e.g. JWT private key auth, or signed requests) but
doesn't provide any jwks_uri or jwks parameter. In that case the server
generates a key pair and returns it with the jwks parameter in the
response JSON.<br>
<br>
Cheers,<br>
<br>
Vladimir<br>
<br>
--<br>
Vladimir Dzhuvinov : <a moz-do-not-send="true"
href="http://www.NimbusDS.com" target="_blank">www.NimbusDS.com</a>
: <a moz-do-not-send="true"
href="mailto:vladimir@nimbusds.com">vladimir@nimbusds.com</a><br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
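<p>The flow Vladimir sketches (a registration request that implies asymmetric key use, no jwks or jwks_uri, the server mints a key pair and returns it in the jwks of the response), as an added example that is not code from this thread or from any OpenID project. Assumptions not in the thread: Go, a P-256 key, the kid scheme, and that the server retains only the public JWK, which is the "issue a keypair and throw away the private key" variant Justin describes and the answer to Nat's non-repudiation concern.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// RegistrationRequest is the subset of OIDC dynamic registration fields the proposal touches.
type RegistrationRequest struct {
	TokenEndpointAuthMethod string         `json:"token_endpoint_auth_method"`
	RequestObjectSigningAlg string         `json:"request_object_signing_alg"`
	JWKSURI                 string         `json:"jwks_uri"`
	JWKS                    map[string]any `json:"jwks"`
}

// impliesAsymmetricKey: private_key_jwt auth or signed request objects mean the
// client will need a private key of its own (Vladimir's "implies use of an asymmetric key").
func impliesAsymmetricKey(r RegistrationRequest) bool {
	return r.TokenEndpointAuthMethod == "private_key_jwt" || r.RequestObjectSigningAlg != ""
}

// b64url encodes a 32-byte big-endian field element as unpadded base64url, JWK style.
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// Register provisions a P-256 key pair when the request implies asymmetric use but
// carries neither jwks nor jwks_uri. It returns the registration response (private
// JWK included, for the client) and the public-only JWK, which is all the server
// retains: not keeping "d" is what preserves non-repudiation of the client's later signatures.
func Register(clientID string, r RegistrationRequest) (resp, stored map[string]any, err error) {
	if r.JWKSURI != "" || r.JWKS != nil {
		return nil, nil, errors.New("client supplied its own keys; nothing to provision")
	}
	if !impliesAsymmetricKey(r) {
		return nil, nil, errors.New("request does not imply asymmetric key use")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	stored = map[string]any{"kty": "EC", "crv": "P-256", "use": "sig", "kid": clientID + "-1",
		"x": b64url(priv.X.FillBytes(make([]byte, 32))), "y": b64url(priv.Y.FillBytes(make([]byte, 32)))}
	full := map[string]any{"d": b64url(priv.D.FillBytes(make([]byte, 32)))} // private scalar, client only
	for k, v := range stored {
		full[k] = v
	}
	resp = map[string]any{"client_id": clientID, "jwks": map[string]any{"keys": []any{full}}}
	return resp, stored, nil // priv is dropped here; the server never persists "d"
}
```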
</body>
</html>