[Openid-specs-ab] JWK clarification

Mike Jones Michael.Jones at microsoft.com
Wed Jun 27 17:56:36 UTC 2012


The top-level format continues to be an array of keys.  Individual keys can also be used where appropriate.  In the following example, an array of keys is specified:

{"keys":
  [
    {"alg":"EC",
     "crv":"P-256",
     "x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
     "y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
     "use":"enc",
     "kid":"1"},

    {"alg":"RSA",
     "mod": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
     "exp":"AQAB",
     "kid":"2011-04-29"}
  ]
}

In this example, a single key is specified:

    {"alg":"EC",
     "crv":"P-256",
     "x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
     "y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
     "use":"enc",
     "kid":"1"}

The array format is used in contexts such as the key values retrieved for the JWS and JWE "jku" parameter where multiple keys may be specified.  The single key format is used in contexts such as the JWE "epk" parameter, where only a single key value is called for.

If this isn't clear, feel free to ask a follow-up question.

                                                            Best wishes,
                                                            -- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Dingwell, Robert A.
Sent: Wednesday, June 27, 2012 9:04 AM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] JWK clarification

If I remember correctly, the initial version of the JWK format specified the format as being an array of keys, but the latest version of the JWK spec appears to have broken that idea out to where there is the key format and set format.

As both the client and the server have the option of providing signing and encrypting keys in JWK format, are the URLs for those keys intended to be a single JWK or a JWK set? Seeing how the specification states that if both X509 and JWK URLs are provided they must be the same key makes me believe that the URL would point to a single key.  If it is a set, how would one determine which key to use in the set, considering that the set could contain a number of keys that are marked as signing or encrypting keys?

Rob
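The two document shapes discussed in this thread (a JWK set behind a "jku" URL versus a single JWK in "epk") and Rob's question of how to pick one key out of a set are illustrated below in an added Python example. It is not code from the thread or from any JWK/OpenID implementation: it uses the key values quoted in Mike's message with the 2012 draft field names they carry ("alg" for the key type, "mod"/"exp" for the RSA parameters; RFC 7517 later renamed these "kty", "n" and "e"), and the loader, validator and selector functions are my own constructions.

```python
import base64
import json

# Constructed JWK set built from the key values quoted in the message above,
# using the 2012 draft field names the message uses ("alg" = key type,
# "mod"/"exp" = RSA modulus/exponent). RFC 7517 renamed these "kty", "n", "e".
JWK_SET = {
    "keys": [
        {"alg": "EC", "crv": "P-256",
         "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
         "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
         "use": "enc", "kid": "1"},
        {"alg": "RSA",
         "mod": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx"
                "4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs"
                "tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2"
                "QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI"
                "SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb"
                "w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
         "exp": "AQAB", "kid": "2011-04-29"},
    ]
}
JWK_SET_JSON = json.dumps(JWK_SET)                # what a "jku" URL would return
SINGLE_JWK_JSON = json.dumps(JWK_SET["keys"][0])  # what an "epk" parameter carries

# Parameters each draft key type must carry before the key is usable (assumed
# minimal rule for this example).
REQUIRED = {"EC": ("crv", "x", "y"), "RSA": ("mod", "exp")}


def b64url_decode(s):
    """Decode unpadded base64url, the encoding JWK parameters use."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_to_int(s):
    """Decode a base64url big-endian unsigned integer (e.g. an RSA exponent)."""
    return int.from_bytes(b64url_decode(s), "big")


def validate_key(key):
    """Check that a key carries the parameters its type needs; return the key."""
    alg = key.get("alg")
    if alg not in REQUIRED:
        raise ValueError("unsupported or missing key type: %r" % (alg,))
    missing = [p for p in REQUIRED[alg] if p not in key]
    if missing:
        raise ValueError("%s key is missing %s" % (alg, ", ".join(missing)))
    if alg == "EC" and key["crv"] == "P-256":
        # P-256 coordinates are 32-byte big-endian field elements.
        for coord in ("x", "y"):
            if len(b64url_decode(key[coord])) != 32:
                raise ValueError("P-256 %s coordinate is not 32 bytes" % coord)
    return key


def load_keys(document):
    """Return a list of keys from either form: a JWK set ({"keys": [...]})
    or a bare single JWK object."""
    obj = json.loads(document)
    if not isinstance(obj, dict):
        raise ValueError("JWK document must be a JSON object")
    if "keys" in obj:
        if not isinstance(obj["keys"], list):
            raise ValueError('"keys" must be an array')
        return [validate_key(k) for k in obj["keys"]]
    return [validate_key(obj)]


def select_key(keys, kid=None, use=None, alg=None):
    """Pick exactly one key from a set by "kid", "use" and/or key type.
    Raises when nothing matches or when more than one candidate remains, so a
    caller never silently picks an arbitrary key out of a multi-key set."""
    candidates = [
        k for k in keys
        if (kid is None or k.get("kid") == kid)
        and (use is None or k.get("use") == use)
        and (alg is None or k.get("alg") == alg)
    ]
    if not candidates:
        raise LookupError("no key matches kid=%r use=%r alg=%r" % (kid, use, alg))
    if len(candidates) > 1:
        raise LookupError("%d keys match; supply a kid to disambiguate" % len(candidates))
    return candidates[0]


if __name__ == "__main__":
    keys = load_keys(JWK_SET_JSON)
    print(select_key(keys, kid="2011-04-29")["alg"])          # RSA
    print(select_key(keys, use="enc")["kid"])                  # 1
    print(b64url_to_int(select_key(keys, alg="RSA")["exp"]))  # 65537
    print(load_keys(SINGLE_JWK_JSON)[0]["kid"])                # 1
```

The selector answers Rob's question the way a relying party would in practice: a set is only safe to use when the "kid" (or, failing that, "use" and key type) narrows it to exactly one key, and an ambiguous match is an error rather than a guess. Note that "use" is matched exactly here, so a key that omits "use" is never picked by a "use" filter; a deployment may choose a more permissive rule.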
