[Openid-specs-ab] jku and x5u
Tim Bray
tbray at textuality.com
Tue Apr 2 18:35:16 UTC 2013
Sorry, I’m probably failing to understand because I’m a crypto moron, but
if I want to use keys to validate a JWT allegedly from example.com, I’m not
going to believe anything in the JWT until I’ve checked using example.com’s
keys, so why should I believe the JWT’s assertion about where to get the
keys to validate it? -T
On Tue, Apr 2, 2013 at 11:27 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> Yes, that’s exactly it. If you already know where the keys are or what
> they are (for instance, if you’ve established that information at
> registration time), there’s no need to use these parameters. But for some
> use cases, this is valuable information that can be dynamically provided.
> (The Key ID (“kid”) can also be dynamically provided, if appropriate to the
> use case.)
>
> -- Mike
>
> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Tim Bray
> Sent: Tuesday, April 02, 2013 11:19 AM
> To: <openid-specs-ab at lists.openid.net>
> Subject: [Openid-specs-ab] jku and x5u
>
> Almost certainly I’m just missing something obvious, but I’m having
> trouble understanding why the jku and x5u header claims exist. The idea is
> I get a message and believe the message’s assertion about where I should go
> to get the cert to validate the message? -T
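An added illustration of the point both messages circle around, not code from this thread or from any OpenID or JWT implementation: a verifier that treats a token's jku as a hint and only honours it when it equals the key location already established for that issuer at registration, so a token can never redirect the verifier to keys of the sender's choosing. It assumes a constructed registry TRUSTED_JKU, an in-memory JWKS_STORE standing in for an HTTPS fetch, and HS256 with a constructed shared secret in place of a public key so it runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json

# Constructed registry: the JWKS location each issuer established at registration time.
# A token's own "jku" is honoured only when it equals this entry (hypothetical policy).
TRUSTED_JKU = {"https://example.com": "https://example.com/.well-known/jwks.json"}

# Constructed stand-in for fetching a JWKS over HTTPS: URL -> {kid: key}. A shared
# HS256 secret stands in for a public key so the example runs on the stdlib alone.
JWKS_STORE = {"https://example.com/.well-known/jwks.json": {"key-2013-04": b"constructed-secret"}}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(header: dict, payload: dict, secret: bytes) -> str:
    # Build an HS256 JWS; used here only to construct sample tokens.
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def verify(token: str) -> dict:
    # Verify a JWS, treating "jku" as a hint that must agree with the registered location.
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    payload = json.loads(b64url_decode(p_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    # Trust comes from the registration record, not from the token's own assertion;
    # keys are never fetched from a URL that the issuer did not register.
    registered_jku = TRUSTED_JKU.get(payload.get("iss"))
    if registered_jku is None or header.get("jku") != registered_jku:
        raise ValueError("jku does not match the key location registered for this issuer")
    key = JWKS_STORE[registered_jku].get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    mac = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return payload

def check(jku: str, kid: str, secret: bytes) -> str:
    # Sign a sample token claiming iss=https://example.com, then return the verified
    # subject or the reason the verifier rejected it.
    header = {"alg": "HS256", "kid": kid, "jku": jku}
    token = make_token(header, {"iss": "https://example.com", "sub": "alice"}, secret)
    try:
        return verify(token)["sub"]
    except ValueError as err:
        return f"rejected: {err}"
```

Calling check with the registered URL and the matching key returns "alice"; a correctly signed token whose jku names any other location is refused before any key lookup happens, as are an unknown kid and a bad signature.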