[Openid-specs-ab] jku and x5u

Mike Jones Michael.Jones at microsoft.com
Tue Apr 2 18:27:31 UTC 2013


Yes, that's exactly it.  If you already know where the keys are or what they are (for instance, if you've established that information at registration time), there's no need to use these parameters.  But for some use cases, this is valuable information that can be dynamically provided.  (The Key ID ("kid") can also be dynamically provided, if appropriate to the use case.)

-- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Tim Bray
Sent: Tuesday, April 02, 2013 11:19 AM
To: <openid-specs-ab at lists.openid.net>
Subject: [Openid-specs-ab] jku and x5u

Almost certainly I'm just missing something obvious, but I'm having trouble understanding why the jku and x5u header claims exist.  The idea is I get a message and believe the message's assertion about where I should go to get the cert to validate the message?  -T
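
Added example, not part of the original thread or of any OpenID code: a Python sketch of the registration-time case described in the reply, where a "jku" or "x5u" header value is accepted only if it equals the location already registered for the issuer, while "kid" is free to vary per message. The REGISTERED table, the example.com URLs, the function names and the caller-supplied expected_issuer are all assumptions made for illustration.

```python
import base64
import json
from typing import Optional, Tuple

# Constructed registration data (assumption): key locations pinned per issuer
# at registration time; None means that parameter was never registered.
REGISTERED = {
    "https://op.example.com": {"jku": "https://op.example.com/jwks.json", "x5u": None},
}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sample_jws(header: dict) -> str:
    """Build a constructed, unsigned sample token; only the header matters here."""
    parts = (json.dumps(header).encode(), b'{"iss":"https://op.example.com"}', b"sig")
    return ".".join(b64url_encode(p) for p in parts)

def key_location(jws: str, expected_issuer: str) -> Tuple[str, Optional[str]]:
    """Return (key URL, kid) for verification without trusting the header's URLs."""
    header = json.loads(b64url_decode(jws.split(".")[0]))
    pinned = REGISTERED.get(expected_issuer)
    if pinned is None:
        raise ValueError("issuer has no registered key location")
    for param in ("jku", "x5u"):
        claimed = header.get(param)
        # A header URL is accepted only as a restatement of the registered one.
        if claimed is not None and claimed != pinned[param]:
            raise ValueError(param + " does not match the registered value")
    # kid may vary per message: it selects a key inside the pinned set.
    return pinned["jku"] or pinned["x5u"], header.get("kid")

if __name__ == "__main__":
    print(key_location(sample_jws({"alg": "RS256", "kid": "2013-04"}), "https://op.example.com"))
```

The signature check itself is out of scope here; the function only decides where keys may come from before any fetch or verification happens.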