<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font face="Helvetica, Arial, sans-serif">Thanks! This is helpful!</font><br>
<br>
<div class="moz-cite-prefix">On 1/9/19 1:51 PM, Filip Skokan wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CALAqi_8r_h=Rcf8K1OS7Sbd=xP=hzCqpF4FWE27RcW56NvzEKA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>Actually <span style="color:rgb(0,0,0)">7591 is, just the
update/delete isn't.</span></div>
<br>
<div>Filip</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, Jan 9, 2019 at 7:46 PM Filip Skokan <<a
href="mailto:panva.ip@gmail.com" moz-do-not-send="true">panva.ip@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>Hi George,</div>
<div><br>
</div>
<div>We touched on this in the certification
issue tracker</div>
<div><br>
</div>
<div dir="ltr"><a
href="https://github.com/openid-certification/oidctest/issues/59"
target="_blank" moz-do-not-send="true">https://github.com/openid-certification/oidctest/issues/59</a>
(initial access token)</div>
<div dir="ltr"><a
href="https://github.com/openid-certification/oidctest/issues/60"
target="_blank" moz-do-not-send="true">https://github.com/openid-certification/oidctest/issues/60</a>
(software id)<br>
</div>
<div dir="ltr"><a
href="https://github.com/openid-certification/oidctest/issues/72"
target="_blank" moz-do-not-send="true">https://github.com/openid-certification/oidctest/issues/72</a>
(software statement)<br>
</div>
<div dir="ltr"><br>
</div>
<div>From #59 by Mike</div>
<div><br>
</div>
</div>
</div>
</div>
<blockquote style="margin:0px 0px 0px
40px;border:none;padding:0px">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>> This seems like something that
could be useful for testing but it's
outside the scope of certification,
since it's using functionality that's
not interoperable. An OP must support
open registration to enable
certification. It's fine to also support
an initial access token in the software,
as long as the deployment doesn't
require it when certifying the software.</div>
</div>
</div>
</div>
</blockquote>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<div>To certify, the registration must be
open at the time of certification only.</div>
<div dir="ltr"><br>
</div>
</div>
</div>
</div>
</div>
</div>
<blockquote style="margin:0px 0px 0px
40px;border:none;padding:0px">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>>1. Are there any best-practice
recommendations around OIDC dynamic
client registration? I'm specifically
interested in experience where the
mobile app is using a private key
generated on the device and/or use of
software_statements with OIDC.</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<div dir="ltr">
<blockquote style="margin:0px 0px 0px
40px;border:none;padding:0px">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>>2. Why can't the application
(once it's registered its public key)
update its configuration with a new
public key, thus supporting key rotation? It
should be able to sign any such update
with its existing private key, thus
making the request secure.</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</blockquote>
It surely can, but the Update (and Delete)
mechanisms aren't mentioned in OIDC DCR at all and
only come in RFC 7592, which is marked as
experimental. That being said, I have seen
deployments of this using my OP software, including
software statements, initial access tokens,
registration access tokens and
per-app private_key_jwt-enabled clients that rotate
their keys when they want to.</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">I'm not familiar with the history
of Dynamic Client Registration Management Protocol
and why it's marked as experimental or why neither
RFC 7591 or 7592 aren't mentioned in the OIDC spec.<br>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><br clear="all">
<div>
<div dir="ltr"
class="gmail-m_-4152039870256580343gmail_signature">Best,<br>
<b>Filip</b></div>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, Jan 9, 2019 at 5:22 PM George
Fletcher via Openid-specs-ab <<a
href="mailto:openid-specs-ab@lists.openid.net"
target="_blank" moz-do-not-send="true">openid-specs-ab@lists.openid.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
Since the OIDC dynamic client registration specs were
published before <br>
the RFCs for OAuth2, there is no mention of the use of <br>
software_statements. However, the OIDC flows allow for use
of additional <br>
parameters. What's not clear to me is how an
implementation can be <br>
certified for OIDC DCR if it requires software statements.<br>
<br>
Also, if the client is going to be a mobile app client and
generate a <br>
private key locally on the device (or via trusted
hardware) it seems <br>
that it MUST use the 'jwks' parameter and NOT the
'jwks_uri' parameter. <br>
However, the use of the 'jwks' parameter is kind of
discouraged by the <br>
spec language saying that 'jwks_uri' should be used if
possible due to <br>
"key rotation not supported" with the 'jwks' parameter.<br>
<br>
All this leads to a couple of questions...<br>
<br>
1. Are there any best-practice recommendations around OIDC
dynamic client <br>
registration? I'm specifically interested in experience
where the mobile <br>
app is using a private key generated on the device and/or
use of <br>
software_statements with OIDC.<br>
<br>
2. Why can't the application (once it's registered its
public key) <br>
update its configuration with a new public key, thus
supporting key <br>
rotation? It should be able to sign any such update with
its existing <br>
private key, thus making the request secure.<br>
<br>
Thanks,<br>
George<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net"
target="_blank" moz-do-not-send="true">Openid-specs-ab@lists.openid.net</a><br>
<a
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
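<p>As an added, illustrative example (not code from this thread, from Filip's OP software, or from the certification suite), the following Ruby script plays both sides of the exchange discussed above: a mobile client registers through open OIDC Dynamic Client Registration with a device-generated P-256 key embedded in the <code>jwks</code> parameter (no <code>jwks_uri</code>, since a key that exists only on the device has no URL the OP could fetch it from), authenticates at the token endpoint with <code>private_key_jwt</code>, and then rotates its key with an RFC 7592 update to <code>registration_client_uri</code>. Note that what authorizes that update in RFC 7592 is the bearer <code>registration_access_token</code> issued at registration, not a signature with the client's existing private key as question 2 proposes. The in-memory OP, the issuer <code>https://op.example</code>, the redirect URI, the <code>kid</code> values and the error strings are assumptions made for this example; the script uses only Ruby's standard library.</p>

```ruby
require 'json'
require 'openssl'
require 'securerandom'

P256_OIDS = %w[1.2.840.10045.2.1 1.2.840.10045.3.1.7].freeze # id-ecPublicKey, prime256v1 (JOSE crv "P-256")

def b64e(s); [s].pack('m0').tr('+/', '-_').delete('='); end
def b64d(s); (s.tr('-_', '+/') + '=' * (-s.size % 4)).unpack1('m0'); end
def ok?; yield; true; rescue StandardError; false; end

# Public EC key -> JWK (RFC 7518 6.2.1). The private scalar never leaves the device; only this travels in "jwks".
def to_jwk(pkey, kid)
  point = pkey.public_key.to_bn.to_s(2) # uncompressed 0x04 || X || Y
  { 'kty' => 'EC', 'crv' => 'P-256', 'kid' => kid, 'x' => b64e(point[1, 32]), 'y' => b64e(point[33, 32]) }
end

# JWK -> OpenSSL public key via a SubjectPublicKeyInfo; OpenSSL rejects coordinates that are not on the curve.
def from_jwk(jwk)
  raise ArgumentError, 'unsupported JWK' unless jwk['kty'] == 'EC' && jwk['crv'] == 'P-256'
  x, y = b64d(jwk['x']), b64d(jwk['y'])
  raise ArgumentError, 'malformed JWK coordinates' unless x.bytesize == 32 && y.bytesize == 32
  algo = OpenSSL::ASN1::Sequence.new(P256_OIDS.map { |o| OpenSSL::ASN1::ObjectId.new(o) })
  OpenSSL::PKey::EC.new(OpenSSL::ASN1::Sequence.new([algo, OpenSSL::ASN1::BitString.new("\x04".b + x + y)]).to_der)
end

# Compact JWS (ES256) used as the private_key_jwt client_assertion (RFC 7523). JOSE wants raw R||S, not DER.
def sign_es256(pkey, kid, claims)
  input = "#{b64e({ alg: 'ES256', kid: kid }.to_json)}.#{b64e(claims.to_json)}"
  der = pkey.sign(OpenSSL::Digest.new('SHA256'), input)
  r, s = OpenSSL::ASN1.decode(der).value.map { |i| i.value.to_s(2).rjust(32, "\0") }
  "#{input}.#{b64e(r + s)}"
end

# In-memory stand-in for an OpenID Provider: open DCR, RFC 7592 update, and token-endpoint client authentication.
class OP
  def initialize(issuer); @issuer, @clients = issuer, {}; end

  # POST /register with no initial access token ("open registration"). The app embeds "jwks" rather than
  # "jwks_uri": a key that exists only on the device has no URL the OP could fetch it from.
  def register(metadata)
    check_metadata!(metadata)
    client = { 'client_id' => SecureRandom.urlsafe_base64, 'registration_access_token' => SecureRandom.urlsafe_base64,
               'jwks' => metadata['jwks'] }
    @clients[client['client_id']] = client
    client.merge('registration_client_uri' => "#{@issuer}/register/#{client['client_id']}")
  end

  # PUT registration_client_uri (RFC 7592). What authorizes the change is the bearer registration access token
  # issued at registration, not a signature with the client's key; the submitted "jwks" replaces the stored one.
  def update(client_id, bearer, metadata)
    client = @clients[client_id]
    raise 'invalid_token' unless client && OpenSSL.secure_compare(bearer, client['registration_access_token'])
    check_metadata!(metadata)
    client['jwks'] = metadata['jwks']
  end

  # Token endpoint: alg pinned to ES256, key chosen by kid from the stored jwks, iss/sub/aud bound to this client/OP.
  def authenticate_client(client_id, assertion)
    client = @clients[client_id] or raise 'invalid_client'
    raise 'invalid_client' unless assertion.count('.') == 2
    h, p, s = assertion.split('.', -1)
    header, claims, sig = JSON.parse(b64d(h)), JSON.parse(b64d(p)), b64d(s)
    raise 'invalid_client: alg must be ES256' unless header['alg'] == 'ES256' && sig.bytesize == 64
    jwk = client['jwks']['keys'].find { |k| k['kid'] == header['kid'] } or raise 'invalid_client: unknown kid'
    der = OpenSSL::ASN1::Sequence.new([sig[0, 32], sig[32, 32]].map { |v| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(v, 2)) }).to_der
    raise 'invalid_client: bad signature' unless from_jwk(jwk).verify(OpenSSL::Digest.new('SHA256'), der, "#{h}.#{p}")
    raise 'invalid_client: iss/sub/aud' unless claims.values_at('iss', 'sub', 'aud') == [client_id, client_id, "#{@issuer}/token"]
    true
  end

  def check_metadata!(m)
    raise 'invalid_client_metadata' unless m['token_endpoint_auth_method'] == 'private_key_jwt' && m['jwks'] && !m['jwks_uri']
    raise 'invalid_client_metadata' if m['jwks']['keys'].to_a.empty?
    m['jwks']['keys'].each { |k| from_jwk(k) }
  end
end

# Client side: register with a device-generated key, authenticate, rotate the key with an RFC 7592 update,
# then confirm that only the new key authenticates. Returns the four outcomes.
def walkthrough
  op = OP.new('https://op.example')
  k1 = OpenSSL::PKey::EC.generate('prime256v1') # generated on the device; only its public JWK is registered
  metadata = { 'redirect_uris' => ['com.example.app:/cb'], 'token_endpoint_auth_method' => 'private_key_jwt',
               'jwks' => { 'keys' => [to_jwk(k1, 'k1')] } }
  reg = op.register(metadata)
  auth = lambda do |key, kid|
    claims = { iss: reg['client_id'], sub: reg['client_id'], aud: 'https://op.example/token', jti: SecureRandom.hex(8) }
    ok? { op.authenticate_client(reg['client_id'], sign_es256(key, kid, claims)) }
  end
  before = auth[k1, 'k1']
  k2 = OpenSSL::PKey::EC.generate('prime256v1')
  rotated = metadata.merge('jwks' => { 'keys' => [to_jwk(k2, 'k2')] })
  forged_rejected = !ok? { op.update(reg['client_id'], 'not-the-registration-access-token', rotated) }
  op.update(reg['client_id'], reg['registration_access_token'], rotated)
  { before_rotation: before, old_key_after: auth[k1, 'k1'], new_key_after: auth[k2, 'k2'],
    forged_update_rejected: forged_rejected }
end

p walkthrough if $PROGRAM_NAME == __FILE__
```

<p>Running the script prints a hash with four outcomes: the original key authenticates before rotation, an update presented without the registration access token is refused, and after the RFC 7592 update only the new key authenticates. Because the token endpoint pins <code>alg</code> to ES256 and selects the key by <code>kid</code> from the stored <code>jwks</code>, an assertion carrying <code>alg: none</code> or an unregistered <code>kid</code> is rejected before any signature is checked, and the OP never needs to fetch anything from the device.</p>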
<br>
</body>
</html>