[Openid-specs-ab] Question about secret_type: JWT

Andreas Åkre Solberg andreas.solberg at uninett.no
Mon Aug 29 11:08:29 UTC 2011


On 29. aug. 2011, at 03:49, sakimura wrote:

> Just a little bit of history behind it.

Ah.. Thanks a lot. I was not aware of this.

> Section 3.1.5 of the REDIRECT had JSS (http://jsonenc.info/jss/1.0/)
> instead of JWT before. JSS has only one way and a MUST field called
> certs_uri. Since it is PEM-encoded X.509 certs, it does have iss etc.
> encoded into it.
> 
> When we replaced JWS with JWT we lost this property.
> Therefore, we had to specify them but we have not yet done.
> 
> The question then is: do we want to define how to validate iss etc. as well?

I believe this will become more clear when we have a (yet to be spec'ed) metadata format for OpenID Connect.

I assume the issuer identifier will be important for the provider metadata entry; and that validation on the client would be to perform a strict string comparison with the trusted metadata?

> OR shall we just rely on X.509 PKI?

I would strongly suggest that we do not consider X.509 as the only usable alternative.
After some years of real-life experience with SAML federations and humans and openssl, gnutls and various certificates, I am very open to dealing with plain keys.

Andreas
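The strict-string-comparison check Andreas describes above, written out as an added example (not code from the thread or from any OpenID Connect implementation). It assumes a provider metadata format that is simply a map from issuer identifier to a plain shared key, and tokens signed with HS256; both are assumptions, since the metadata format had not been specified when this message was written. The point it shows is that the issuer lookup is an exact match, so near-misses such as a trailing slash, different case or a longer host name are rejected before any signature is checked, and the signing key is taken from the trusted metadata, never from the token.

```python
import base64
import hashlib
import hmac
import json

# Constructed provider metadata: issuer identifier -> plain shared key.
# Assumption: a flat map stands in for the not-yet-specified metadata format.
TRUSTED_PROVIDERS = {
    "https://op.example.org": b"constructed-shared-secret-for-op-example",
}


def b64url_decode(s: str) -> bytes:
    """Base64url decode, restoring the padding JWT strips."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT for testing; alg='none' yields an unsigned token."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = b"" if alg == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_token(token: str, trusted: dict = TRUSTED_PROVIDERS) -> dict:
    """Return the verified claims or raise ValueError.

    Order matters: the issuer is resolved by exact string match against the
    trusted metadata first, and the key found there is what verifies the
    signature. Nothing in the token chooses the key or the algorithm.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact serialization")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    claims = json.loads(b64url_decode(p))

    # The header's alg is attacker-controlled input; only HS256 is accepted here.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg: %r" % header.get("alg"))

    iss = claims.get("iss")
    if not isinstance(iss, str):
        raise ValueError("missing iss claim")

    # Strict string comparison: a dict lookup is byte-for-byte equality, so
    # "https://op.example.org/" or "https://OP.example.org" do not match.
    key = trusted.get(iss)
    if key is None:
        raise ValueError("untrusted issuer: %r" % iss)

    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return claims


def accepts(token: str) -> bool:
    """Convenience wrapper: True if validate_token succeeds."""
    try:
        validate_token(token)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


if __name__ == "__main__":
    key = TRUSTED_PROVIDERS["https://op.example.org"]
    good = make_token({"iss": "https://op.example.org", "sub": "alice"}, key)
    print("exact issuer:", accepts(good))
    for near_miss in ("https://op.example.org/", "https://OP.example.org",
                      "https://op.example.org.evil.example"):
        print("near miss", near_miss, "->", accepts(make_token({"iss": near_miss}, key)))
    print("alg=none:", accepts(make_token({"iss": "https://op.example.org"}, key, alg="none")))
```

Doing the issuer lookup before signature verification is deliberate: the issuer decides which key applies, so a token from an unknown issuer has nothing to be verified against and is rejected without touching any key material.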
