[Openid-specs-ab] user_jwk claim name

Anthony Nadalin tonynad at microsoft.com
Wed Jan 23 16:09:34 UTC 2013


Why is this an actual JWK and not a key identifier?

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones
Sent: Wednesday, January 23, 2013 5:00 AM
To: John Bradley
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] user_jwk claim name

OK, please review this new definition then.  (It was previously missing from all the specs.)  It may be too OP-centric, given your comments below.

user_jwk
OPTIONAL. Public key value used to check the signature of an ID Token issued by a self-issued OpenID Provider, as specified in Section 5 of [OpenID.Standard]. The key is in JWK format. Use of the user_jwk Claim is REQUIRED when the OP is a self-issued OP and is NOT RECOMMENDED when the OP is not self-issued.

                                                            Thanks,
                                                            -- Mike

From: John Bradley [mailto:ve7jtb at ve7jtb.com]
Sent: Wednesday, January 23, 2013 4:56 AM
To: Mike Jones
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] user_jwk claim name

The JWK is tied to the sub not the OP.  The OP may have multiple keys if it has multiple persona.

If we change it, sub_jwk would work.  I don't think op_jwk is correct.


On 2013-01-23, at 5:13 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:

What should the "user_jwk" claim be called?  I suspect we named it "user_jwk" to be parallel with "user_id", but we've since changed the name "user_id" to "sub".  This claim contains the self-issued OP's public key that is used to check the signature of the ID token.

The name "op_jwk", for one thing, seems better than "user_jwk".  I say that because (I don't think) it's a key that's specific to the user.  It's a key that's specific to the OP.

I'm asking this now, because while we're continuing to tweak some names to be more intuitive before we issue the implementer's drafts, we should stop making breaking changes if at all after the implementer's drafts are out.

Any other preferences/ideas?

                                                            Thanks,
                                                            -- Mike

_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab
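The point John makes above (the key in the claim belongs to the subject, not to some OP identity, and a self-issued OP may hold several of them) has a concrete consequence for relying parties: the key used to check the ID Token signature arrives inside the very token it signs, so the signature check alone proves nothing about who signed. What makes the check meaningful is binding the embedded key to sub. The following is an added, stand-alone example written for this page, not code from the working group or from any OpenID implementation. It uses the claim name sub_jwk and the issuer value "https://self-issued.me", and binds sub to the RFC 7638 JWK thumbprint of the embedded key, all of which follow the later published OpenID Connect Core 1.0 text rather than the January 2013 draft under discussion. ES256 (ECDSA over P-256) is implemented inline so the file runs on the standard library only; that arithmetic is a teaching implementation, not production cryptography. The sample claims (audience, nonce) are constructed.

```python
"""Verify a self-issued OpenID Connect ID Token whose signing key travels
inside the token as the sub_jwk claim.  Added example; the sub/thumbprint
binding and the issuer value follow OpenID Connect Core 1.0 (assumption
relative to the 2013 draft).  P-256 arithmetic is inline, non-constant-time,
and only meant to make the file self-contained."""
import base64, hashlib, json, secrets

# NIST P-256 domain parameters (FIPS 186-4 / SEC 2).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

SELF_ISSUED_ISS = "https://self-issued.me"   # issuer value from Core 1.0 (assumption here)


def _add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None
    if p == q:
        lam = (3 * p[0] * p[0] + A) * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)


def _mul(k, p):
    """Double-and-add scalar multiplication (not constant-time)."""
    r = None
    while k:
        if k & 1: r = _add(r, p)
        p = _add(p, p); k >>= 1
    return r


def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required EC members, lexicographically sorted,
    serialised without whitespace.  Extra members such as kid are ignored."""
    canon = json.dumps({k: jwk[k] for k in ("crv", "kty", "x", "y")},
                       separators=(",", ":"), sort_keys=True)
    return b64u(hashlib.sha256(canon.encode()).digest())


def public_jwk(d):
    qx, qy = _mul(d, G)
    return {"kty": "EC", "crv": "P-256",
            "x": b64u(qx.to_bytes(32, "big")), "y": b64u(qy.to_bytes(32, "big"))}


def jwk_to_point(jwk):
    return (int.from_bytes(b64u_dec(jwk["x"]), "big"),
            int.from_bytes(b64u_dec(jwk["y"]), "big"))


def es256_sign(d, signing_input):
    z = int.from_bytes(hashlib.sha256(signing_input).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1          # fresh random nonce per signature
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return r.to_bytes(32, "big") + s.to_bytes(32, "big")


def es256_verify(q, signing_input, sig):
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < N and 0 < s < N): return False
    z = int.from_bytes(hashlib.sha256(signing_input).digest(), "big")
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, q))
    return pt is not None and pt[0] % N == r


def make_self_issued_token(d, claims):
    """Sign claims with private scalar d and embed the matching public JWK.
    sub defaults to the key thumbprint; a caller may override it, which is
    exactly the case the verifier below must reject."""
    jwk = public_jwk(d)
    body = dict(claims, sub_jwk=jwk)
    body.setdefault("sub", jwk_thumbprint(jwk))
    head = b64u(json.dumps({"alg": "ES256", "typ": "JWT"}).encode())
    payload = b64u(json.dumps(body).encode())
    sig = es256_sign(d, f"{head}.{payload}".encode())
    return f"{head}.{payload}.{b64u(sig)}"


def verify_self_issued_token(token):
    """Return the claims if this is a valid self-issued ID Token, else None.
    The embedded key is self-asserted, so it is trusted only after it is
    bound to sub; the signature is checked last and proves possession of
    that key, nothing more."""
    head, payload, sig = token.split(".")
    claims = json.loads(b64u_dec(payload))
    jwk = claims.get("sub_jwk")
    if claims.get("iss") != SELF_ISSUED_ISS or not isinstance(jwk, dict):
        return None                               # not the self-issued path at all
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-256":
        return None
    if claims.get("sub") != jwk_thumbprint(jwk):
        return None                               # key is not the one sub names
    q = jwk_to_point(jwk)
    if (q[1] ** 2 - q[0] ** 3 - A * q[0] - B) % P != 0:
        return None                               # reject invalid-curve points
    if json.loads(b64u_dec(head)).get("alg") != "ES256":
        return None                               # never let the token pick alg
    if not es256_verify(q, f"{head}.{payload}".encode(), b64u_dec(sig)):
        return None
    return claims


if __name__ == "__main__":
    d = secrets.randbelow(N - 1) + 1
    tok = make_self_issued_token(d, {"iss": SELF_ISSUED_ISS, "aud": "https://rp.example"})
    print(verify_self_issued_token(tok))
```

The verifier deliberately checks iss and the sub/thumbprint binding before touching the signature: a token that carries a perfectly good key and a valid signature but names a different sub is rejected, because nothing ties that subject identifier to the key that signed. The alg check is pinned to the one algorithm the relying party expects rather than read from the header, and the public point is checked to lie on P-256 before it is used.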
