[Openid-specs-ab] What exactly is an X.509 URL?

Brian Campbell bcampbell at pingidentity.com
Fri Dec 28 15:25:44 UTC 2012

Messages §4.2 [1] says an OP's x509_url is the "URL of the OP's X.509
certificates in PEM format that are used by the Server for Signing the JWT"
while a client's x509_url is the "URL for the Client's PEM encoded X.509
Certificate or Certificate chain."  Discovery and Registration have text
consistent with that in Messages respectively.

I read that as saying that the client can have only a single signing
keypair and that its x509_url will have the associated PEM encoded
certificate and possibly the certificates in the chain that can be used to
"certify" it.  While the OP can have multiple signing keypairs and its
x509_url can have multiple PEM encoded certificates where each one
corresponds directly to one of the keypairs. But an OP doesn't have a way to
express a certificate chain.

Do I read that correctly? If so, why the difference? Why might a client
need to present a chain while an OP only the leaf certificates? I can see
an argument for not dealing with chains at all and treating the cert as
little more than a convenient container for the public key. But I'm
confused by the text that seems to support a chain for the client's key but
not for the OP's keys. Am I missing something?

JWS [2] and JWE [3] have a similarly named parameter (x5u / x.509 URL) that
is defined, as far as I can tell, more along the lines of the way the
Connect client uses it. Of course they don't all have to be exactly the
same but these specs are all pretty closely related and using the same term
for different things is potentially confusing.

Messages §4.2 also says that "if keys are specified in both X.509 and JWK
formats, they MUST be the same keys." I see how that works based on my
understanding of an OP's keys (one element in the "keys" array per cert)
but for clients I don't know what it would mean to have a cert chain in
JWK? I guess the JWK endpoint would be omitted in such a case? And does
this imply that the client's JWK endpoint can have only one key when
providing both an x509_url and jwk_url? Or is that always the case?

Sorry for rambling but I would greatly appreciate any clarification on the
above questions. And if the motivations for the way things are could be
explained, that would be very helpful too.


[1] http://openid.net/specs/openid-connect-messages-1_0-13.html#sigenc.key
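Added example (not part of this message, the list archive, or any OpenID Connect draft): a Go program that applies the two readings of x509_url described above to constructed in-memory data and checks the Messages §4.2 rule that keys given in both X.509 and JWK form must be the same keys. The function names (ParseX509Bundle, SplitLeaves, SameKeys, ConstructedFixtures), the minimal JWK struct holding only kty, n and e, the RSA-only scope, and the leaf-versus-chain heuristic (a certificate that issued another certificate in the same bundle is treated as chain, not as a signing key) are all this example's own assumptions; the certificates and keys are generated at run time and the common names are made up.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"math/big"
	"time"
)

// JWK holds just the RSA members compared here (kty, n, e); a minimal struct assumed for this example.
type JWK struct{ Kty, N, E string }

// ParseX509Bundle reads every PEM block of an x509_url body as a certificate, whether the body is one cert per signing key or a leaf plus its chain.
func ParseX509Bundle(body []byte) (certs []*x509.Certificate, _ error) {
	for block, rest := pem.Decode(body); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes) // a non-certificate PEM block fails here
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// SplitLeaves separates certs that issued another cert in the bundle (chain) from those that did not (leaves); this heuristic is assumed here, the spec text gives none.
func SplitLeaves(certs []*x509.Certificate) (leaves, chain []*x509.Certificate) {
	for _, c := range certs {
		issuer := false
		for _, other := range certs {
			issuer = issuer || (other != c && other.CheckSignatureFrom(c) == nil)
		}
		if issuer {
			chain = append(chain, c)
		} else {
			leaves = append(leaves, c)
		}
	}
	return leaves, chain
}

// RSAJWK renders an RSA public key as JWK members kty, n and e (base64url, no padding).
func RSAJWK(pub *rsa.PublicKey) JWK {
	enc := base64.RawURLEncoding.EncodeToString
	return JWK{"RSA", enc(pub.N.Bytes()), enc(big.NewInt(int64(pub.E)).Bytes())}
}

// SameKeys applies "they MUST be the same keys" as multiset equality on (kty, n, e); a non-RSA certificate key is out of scope here and fails the check.
func SameKeys(certs []*x509.Certificate, jwks []JWK) bool {
	balance := map[JWK]int{} // +1 per certificate key, -1 per JWK; all zero means the same keys
	for _, c := range certs {
		pub, ok := c.PublicKey.(*rsa.PublicKey)
		if !ok {
			return false
		}
		balance[RSAJWK(pub)]++
	}
	for _, k := range jwks {
		balance[k]--
	}
	for _, n := range balance {
		if n != 0 {
			return false
		}
	}
	return true
}

// ConstructedFixtures builds constructed in-memory data: an OP-style bundle (two self-signed signing certs) and a client-style bundle (leaf plus its issuing CA), each with its JWK set.
func ConstructedFixtures() (opPEM, clientPEM []byte, opJWKs, clientJWKs []JWK) {
	var bundle [2]bytes.Buffer // bundle[0] collects the OP PEM body, bundle[1] the client's
	mk := func(into int, cn string, ku x509.KeyUsage, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
		key, _ := rsa.GenerateKey(rand.Reader, 2048)
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
			NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0}
		if parent == nil { // self-signed: the template is its own issuer
			parent, parentKey = tmpl, key
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
		if err != nil {
			panic(err)
		}
		pem.Encode(&bundle[into], &pem.Block{Type: "CERTIFICATE", Bytes: der})
		cert, _ := x509.ParseCertificate(der)
		return cert, key
	}
	_, op1 := mk(0, "op-signing-1", x509.KeyUsageDigitalSignature, nil, nil)
	_, op2 := mk(0, "op-signing-2", x509.KeyUsageDigitalSignature, nil, nil)
	ca, caKey := mk(1, "client-ca", x509.KeyUsageCertSign, nil, nil)
	_, leafKey := mk(1, "client-signing", x509.KeyUsageDigitalSignature, ca, caKey)
	opJWKs = []JWK{RSAJWK(&op1.PublicKey), RSAJWK(&op2.PublicKey)}
	clientJWKs = []JWK{RSAJWK(&leafKey.PublicKey)}
	return bundle[0].Bytes(), bundle[1].Bytes(), opJWKs, clientJWKs
}
```

Call ConstructedFixtures() and then ParseX509Bundle, SplitLeaves and SameKeys from a main or test of your own. The OP-style body (two self-signed certificates, one per key) matches its JWK set when every certificate is counted; the client-style body (leaf plus issuing CA) does not, because the CA key is not in the JWK set, and it matches only after SplitLeaves sets the chain certificate aside. That is the practical consequence of the two readings raised in the message: a consumer that treats every PEM certificate as a signing key rejects a client bundle that carries its chain, and a client publishing both endpoints can list only the leaf key in its JWK set.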