[Openid-specs-ab] user_jwk claim name
Mike Jones
Michael.Jones at microsoft.com
Wed Jan 23 12:59:33 UTC 2013
OK, please review this new definition then. (It was previously missing from all the specs.) It may be too OP-centric, given your comments below.
user_jwk
OPTIONAL. Public key value used to check the signature of an ID Token issued by a self-issued OpenID Provider, as specified in Section 5 of [OpenID.Standard]. The key is in JWK format. Use of the user_jwk Claim is REQUIRED when the OP is a self-issued OP and is NOT RECOMMENDED when the OP is not self-issued.
Thanks,
-- Mike
From: John Bradley [mailto:ve7jtb at ve7jtb.com]
Sent: Wednesday, January 23, 2013 4:56 AM
To: Mike Jones
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] user_jwk claim name
The JWK is tied to the sub not the OP. The OP may have multiple keys if it has multiple persona.
If we change it, sub_jwk would work. I don't think op_jwk is correct.
On 2013-01-23, at 5:13 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:
What should the "user_jwk" claim be called? I suspect we named it "user_jwk" to be parallel with "user_id", but we've since changed the name "user_id" to "sub". This claim contains the self-issued OP's public key that is used to check the signature of the ID token.
The name "op_jwk", for one thing, seems better than "user_jwk". I say that because (I don't think) it's a key that's specific to the user. It's a key that's specific to the OP.
I'm asking this now, because while we're continuing to tweak some names to be more intuitive before we issue the implementer's drafts, we should stop making breaking changes if at all after the implementer's drafts are out.
Any other preferences/ideas?
Thanks,
-- Mike
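
The signature check that the user_jwk definition in this thread describes, as an added example that is not part of the original messages or of the OpenID specifications. It shows a relying party verifying the token under the embedded key and then checking that the key is the one it knows for that sub. ES256, the `pins` store, the helper names, and the use of an RFC 7638 thumbprint to identify the key are assumptions of this sketch; the key pairs are constructed at run time.

```javascript
const nodeCrypto = require('node:crypto');
const b64u = (v) => Buffer.from(v).toString('base64url');
const fromB64u = (s) => Buffer.from(s, 'base64url');

// RFC 7638 thumbprint of an EC public JWK (required members, lexicographic order).
function thumbprint({ crv, kty, x, y }) {
  const canonical = JSON.stringify({ crv, kty, x, y });
  return nodeCrypto.createHash('sha256').update(canonical).digest('base64url');
}

// Constructed self-issued OP: signs an ES256 token that carries its own public key.
function issue(sub, { publicKey, privateKey }) {
  const payload = { sub, user_jwk: publicKey.export({ format: 'jwk' }) };
  const input = `${b64u(JSON.stringify({ alg: 'ES256' }))}.${b64u(JSON.stringify(payload))}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// RP side. `pins` (Map: sub -> key thumbprint) is a hypothetical per-RP store.
function verify(token, pins) {
  const parts = token.split('.');
  if (parts.length !== 3) return 'malformed';
  let header, payload, key;
  try {
    header = JSON.parse(fromB64u(parts[0]).toString());
    payload = JSON.parse(fromB64u(parts[1]).toString());
    const jwk = payload.user_jwk || {};
    if (header.alg !== 'ES256' || typeof payload.sub !== 'string' ||
        jwk.kty !== 'EC' || jwk.crv !== 'P-256') return 'malformed';
    key = nodeCrypto.createPublicKey({ key: jwk, format: 'jwk' });
  } catch { return 'malformed'; }
  // Step 1: the signature must verify under the key embedded in the token.
  const ok = nodeCrypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key, dsaEncoding: 'ieee-p1363' }, fromB64u(parts[2]));
  if (!ok) return 'bad-signature';
  // Step 2: an embedded key proves nothing alone; it must be the key known for this sub.
  const seen = thumbprint(key.export({ format: 'jwk' }));
  if (!pins.has(payload.sub)) pins.set(payload.sub, seen); // first use: remember the key
  return pins.get(payload.sub) === seen ? 'ok' : 'key-mismatch';
}

// Constructed P-256 key pair for one persona.
const newKey = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
```

Step 2 is the reason the key has to be tied to the sub: a token signed by any freshly generated key passes step 1 on its own.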