[Openid-specs-ab] Key Management challenges with OpenID Connect Federation 1.0 - draft 00
Mike Schwartz
mike at gluu.org
Wed Jul 27 02:25:18 UTC 2016
OpenID Connect gurus:
I have many comments on the "OpenID Connect Federation 1.0 - draft 00",
but I'll start at this design question: Is this proposed trust model too
complicated?
Although key management is a well defined domain, in practice
organizations have significant challenges managing keys. There are a lot
of keys sprinkled around the organization, in a lot of formats.
If I am reading this proposal correctly, it suggests adding three long-lived
keys: one each for the developer, RP and OP.
1) Is this really a good idea?
2) OpenID Connect key rotation is frequent. But the suggestion here is
that the federation keys would be infrequently / never updated. Why the
dichotomy? Inevitably when key rotation is required, what is the impact?
- Mike Schwartz
PS: There are many distracting typos. Is there a place to submit pull
requests so I don't waste time posting spelling corrections on the list?
-------------------------------------
Michael Schwartz
Gluu
http://gluu.org