[Openid-specs-ab] Review Comments on Dyn Reg

John Bradley ve7jtb at ve7jtb.com
Fri Nov 15 00:43:38 UTC 2013


Without update in registration there is no way to rotate keys if you push a JWK as part of registration, whereas a JWKS URL's content can be updated.

For a native client, where the choice is between no asymmetric key and pushing a JWK, pushing a JWK so it can do proof-of-possession tokens in the future would be a good thing.

There are two options for native clients. One is having the client push the public key and the other would be for the registration server to return a private key.

While I think Google and some others do the latter, the best practice is to push the public key as that supports a TPM in the device if it is available.

John B.

On Nov 14, 2013, at 8:35 PM, Brian Campbell <bcampbell at pingidentity.com> wrote:

> I could make one. It'd probably involve the introduction of a new
> registration parameter (jwks probably).
> 
> The larger question for the group, I think, is if this is something
> that we should try to add at this point?
> 
> On Thu, Nov 14, 2013 at 4:18 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
>> Is there a specific proposed text change?
>> ________________________________
>> From: Brian Campbell
>> Sent: 11/14/2013 5:50 PM
>> To: Torsten Lodderstedt
>> Cc: Openid-specs Ab; Mike Jones
>> 
>> Subject: Re: [Openid-specs-ab] Review Comments on Dyn Reg
>> 
>> I think Torsten raises a good question here. The jwks_uri is great for
>> clients that have a web server. But there's not really a good story
>> for native clients who want to use anything other than a shared secret
>> (for signatures, encryption or authentication to the token endpoint).
>> 
>> Is it too limiting? Seems like it might be...
>> 
>> On Wed, Nov 6, 2013 at 7:11 PM, Torsten Lodderstedt
>> <torsten at lodderstedt.net> wrote:
>>> jwks_uri - How is this scheme supposed to work for native clients? I assume
>>> any instance of such an application would use a distinct key pair, which is
>>> stored locally. Is the client supposed to provide a web server interface? I
>>> would rather expect this kind of client to provide the public key data
>>> directly.
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
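The trade-off discussed in this thread, as an added example that is not part of the list message or of any OpenID specification: a native client pushes only its public key in a `jwks` registration parameter (the parameter name Brian floated), so the registration server never hands out a private key, and the server then authenticates the client by a signed assertion looked up by `kid`. The example then rotates the client's key and shows why a key pushed at registration time is frozen while a `jwks_uri` client can publish its new key. The record layout, the in-memory `fetcher` standing in for an HTTPS fetch of `jwks_uri`, the `Assertion` type (a bare ECDSA signature rather than a full JWT), and all names and URLs are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// JWK holds the RFC 7517 fields needed for a P-256 public key: x and y only, never the private scalar.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

type JWKS struct {
	Keys []JWK `json:"keys"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// PublicJWK exports only the public coordinates of an ECDSA key; a TPM-held key works the same way.
func PublicJWK(k *ecdsa.PrivateKey, kid string) JWK {
	return JWK{Kty: "EC", Crv: "P-256", Kid: kid,
		X: b64(k.X.FillBytes(make([]byte, 32))), Y: b64(k.Y.FillBytes(make([]byte, 32)))}
}

// RegistrationRequest builds a registration body that pushes the public key in a "jwks"
// parameter. The surrounding field set is an assumption, not spec text.
func RegistrationRequest(clientName string, jwk JWK) ([]byte, error) {
	return json.Marshal(map[string]interface{}{
		"client_name":                clientName,
		"token_endpoint_auth_method": "private_key_jwt",
		"jwks":                       JWKS{Keys: []JWK{jwk}},
	})
}

// ClientRecord is what the registration server stores. Exactly one of Jwks (pushed at
// registration, frozen) or JwksURI (dereferenced on every use) is set.
type ClientRecord struct {
	ClientID string
	Jwks     *JWKS
	JwksURI  string
}

// fetcher stands in for an HTTPS GET of jwks_uri (constructed for the example, keyed by URL).
var fetcher = map[string]*JWKS{}

func (c *ClientRecord) currentKeys() (*JWKS, error) {
	if c.Jwks != nil {
		return c.Jwks, nil // pushed keys: only the registration-time snapshot exists
	}
	if ks, ok := fetcher[c.JwksURI]; ok {
		return ks, nil // jwks_uri: whatever the client currently publishes
	}
	return nil, errors.New("jwks_uri unreachable")
}

// Assertion is a minimal stand-in for a client assertion: SHA-256 of the payload, ECDSA-signed,
// with the kid telling the server which registered key to check.
type Assertion struct {
	Kid     string
	Payload []byte
	R, S    *big.Int
}

func Sign(k *ecdsa.PrivateKey, kid string, payload []byte) (Assertion, error) {
	h := sha256.Sum256(payload)
	r, s, err := ecdsa.Sign(rand.Reader, k, h[:])
	return Assertion{Kid: kid, Payload: payload, R: r, S: s}, err
}

// Authenticate verifies an assertion against the keys currently resolvable for the client.
func Authenticate(c *ClientRecord, a Assertion) error {
	ks, err := c.currentKeys()
	if err != nil {
		return err
	}
	for _, j := range ks.Keys {
		if j.Kid != a.Kid || j.Kty != "EC" || j.Crv != "P-256" {
			continue
		}
		xb, _ := base64.RawURLEncoding.DecodeString(j.X)
		yb, _ := base64.RawURLEncoding.DecodeString(j.Y)
		pub := ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
		h := sha256.Sum256(a.Payload)
		if ecdsa.Verify(&pub, h[:], a.R, a.S) {
			return nil
		}
		return errors.New("signature invalid for kid " + a.Kid)
	}
	return errors.New("no registered key with kid " + a.Kid)
}

// RotationOutcome registers one client with a pushed jwks and one with a jwks_uri, rotates the
// key, and reports (pushed OK before rotation, pushed OK after, jwks_uri OK after).
func RotationOutcome() (bool, bool, bool, error) {
	k1, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	k2, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pushed := &ClientRecord{ClientID: "native-pushed", Jwks: &JWKS{Keys: []JWK{PublicJWK(k1, "k1")}}}
	uri := &ClientRecord{ClientID: "native-uri", JwksURI: "https://client.example/jwks.json"} // constructed
	fetcher[uri.JwksURI] = &JWKS{Keys: []JWK{PublicJWK(k1, "k1")}}

	a1, err := Sign(k1, "k1", []byte("client_assertion before rotation"))
	if err != nil {
		return false, false, false, err
	}
	before := Authenticate(pushed, a1) == nil

	// Rotation: the client switches to k2 and publishes the new public key at its jwks_uri.
	// With no registration-update operation, the pushed record still holds k1 only.
	fetcher[uri.JwksURI] = &JWKS{Keys: []JWK{PublicJWK(k2, "k2")}}
	a2, err := Sign(k2, "k2", []byte("client_assertion after rotation"))
	if err != nil {
		return false, false, false, err
	}
	return before, Authenticate(pushed, a2) == nil, Authenticate(uri, a2) == nil, nil
}

func main() {
	before, pushedAfter, uriAfter, err := RotationOutcome()
	fmt.Printf("pushed before=%v pushed after=%v jwks_uri after=%v err=%v\n", before, pushedAfter, uriAfter, err)
}
```

Running it prints that the pushed-key client authenticates before rotation but not after, while the `jwks_uri` client keeps working, which is exactly the gap John's first sentence points at: either registration must support updating the pushed `jwks`, or the client is stuck with its original key.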

