[Openid-specs-ab] Review Comments on Dyn Reg
John Bradley
ve7jtb at ve7jtb.com
Fri Nov 15 12:12:36 UTC 2013
The use is the same as jwks_uri but a push rather than a pull for native clients.
Without it native clients are limited to only symmetric key for authentication and AS are also limited to only symmetric encryption to the client.
Proof of possession is a future.
That said I doubt that there will be a big demand for this in native apps, so doing it later as an extension for native apps is fine with me.
John B.
On Nov 15, 2013, at 8:51 AM, Richer, Justin P. <jricher at mitre.org> wrote:
> It sounds too under defined at the moment, in my opinion -- especially for something as fundamental a security parameter as this. We can always extend/augment the fields in § 2.1 in the future after we get some people actually implementing it and trying it out.
>
> -- Justin
>
> On Nov 15, 2013, at 12:35 AM, Brian Campbell <bcampbell at pingidentity.com> wrote:
>
>> I could make one. It'd probably involve the introduction of a new
>> registration parameter (jwks probably).
>>
>> The larger question for the group, I think, is if this is something
>> that we should try to add at this point?
>>
>> On Thu, Nov 14, 2013 at 4:18 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
>>> Is there a specific proposed text change?
>>> ________________________________
>>> From: Brian Campbell
>>> Sent: 11/14/2013 5:50 PM
>>> To: Torsten Lodderstedt
>>> Cc: Openid-specs Ab; Mike Jones
>>>
>>> Subject: Re: [Openid-specs-ab] Review Comments on Dyn Reg
>>>
>>> I think Torsten raises a good question here. The jwks_uri is great for
>>> clients that have a web server. But there's not really a good story
>>> for native clients who want to use anything other than a shared secret
>>> (for signatures, encryption or authentication to the token endpoint).
>>>
>>> Is it too limiting? Seems like it might be...
>>>
>>> On Wed, Nov 6, 2013 at 7:11 PM, Torsten Lodderstedt
>>> <torsten at lodderstedt.net> wrote:
>>>>
>>>> jwks_uri - How is this scheme supposed to work for native clients? I
>>>> assume
>>>> any instance of such an application would use a distinct key pair, which
>>>> is
>>>> stored locally. Is the client supposed to provide a web server interface?
>>>> I
>>>> would rather expect this kind of client to provide the public key data
>>>> directly.
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4507 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20131115/7603c7ca/attachment.p7s>
More information about the Openid-specs-ab
mailing list