[Openid-specs-ab] jku and x5u

Tim Bray tbray at textuality.com
Tue Apr 2 18:35:16 UTC 2013


Sorry, I’m probably failing to understand because I’m a crypto moron, but
if I want to use keys to validate a JWT allegedly from example.com, I’m not
going to believe anything in the JWT until I’ve checked using example.com’s
keys, so why should I believe the JWT’s assertion about where to get the
keys to validate it?  -T


On Tue, Apr 2, 2013 at 11:27 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:

> Yes, that’s exactly it.  If you already know where the keys are or what
> they are (for instance, if you’ve established that information at
> registration time), there’s no need to use these parameters.  But for some
> use cases, this is valuable information that can be dynamically provided.
> (The Key ID (“kid”) can also be dynamically provided, if appropriate to the
> use case.)
>
> -- Mike
>
> From: openid-specs-ab-bounces at lists.openid.net [mailto:
> openid-specs-ab-bounces at lists.openid.net] On Behalf Of Tim Bray
> Sent: Tuesday, April 02, 2013 11:19 AM
> To: <openid-specs-ab at lists.openid.net>
> Subject: [Openid-specs-ab] jku and x5u
>
> Almost certainly I’m just missing something obvious, but I’m having
> trouble understanding why the jku and x5u header claims exist.  The idea is
> I get a message and believe the message’s assertion about where I should go
> to get the cert to validate the message?  -T
>
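Added example, not part of this thread or of any OpenID implementation: a small verifier in Python that reconciles the two positions above. The `jku` in the header is used only as a pointer into a set of JWKS URIs the relying party registered for that issuer out of band, so the token never gets to assert where its own keys live. Everything here is constructed: the issuer, the registered URI, the in-memory "network" standing in for an HTTPS fetch, and the HMAC key. Real JWKS documents hold public keys (RSA/EC); an `oct` key is used only so the example runs on the standard library, and the policy logic in `verify` is independent of that choice.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed: the JWKS URIs each issuer registered with this relying party
# out of band. A "jku" header is followed only if it appears in this set.
REGISTERED_JWKS_URIS = {
    "https://example.com": {"https://example.com/.well-known/jwks.json"},
}

# Constructed stand-in for an HTTPS fetch. Real JWKS documents carry public
# keys (RSA/EC); an HMAC "oct" key is used only so this runs on the stdlib.
_ISSUER_SECRET = b"constructed-example-secret-do-not-reuse"
_JWKS_ON_NETWORK = {
    "https://example.com/.well-known/jwks.json": {
        "keys": [{"kty": "oct", "kid": "k1", "alg": "HS256",
                  "k": b64url_encode(_ISSUER_SECRET)}]
    },
}


def fetch_jwks(uri: str) -> dict:
    """Stand-in for an HTTPS GET of the JWKS document at `uri`."""
    return _JWKS_ON_NETWORK[uri]


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Issue a compact JWS; used here only to build sample tokens."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify(token: str, expected_issuer: str) -> dict:
    """Verify `token` as coming from `expected_issuer`.

    The header's jku is a pointer, not a statement of trust: it is honoured
    only if it matches a URI registered for that issuer.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    jku = header.get("jku")
    if jku not in REGISTERED_JWKS_URIS.get(expected_issuer, set()):
        # Refuse before any network fetch: an unregistered jku is exactly
        # the "believe the token about where its keys are" problem.
        raise ValueError(f"jku {jku!r} is not registered for {expected_issuer}")
    keys = [k for k in fetch_jwks(jku)["keys"] if k.get("kid") == header.get("kid")]
    if len(keys) != 1:
        raise ValueError("no unique key matches kid")
    secret = b64url_decode(keys[0]["k"])
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("iss") != expected_issuer:
        raise ValueError("iss does not match the issuer whose keys were used")
    return payload


def is_accepted(token: str, expected_issuer: str) -> bool:
    try:
        verify(token, expected_issuer)
        return True
    except ValueError:
        return False


def demo() -> tuple:
    """Two constructed tokens: one with a registered jku, one pointing elsewhere."""
    claims = {"iss": "https://example.com", "sub": "alice"}
    good = sign_hs256(
        {"alg": "HS256", "kid": "k1", "jku": "https://example.com/.well-known/jwks.json"},
        claims, _ISSUER_SECRET)
    # Same claims and kid, but the header names a key set we never registered.
    stray = sign_hs256(
        {"alg": "HS256", "kid": "k1", "jku": "https://keys.invalid/jwks.json"},
        claims, b"constructed-unrelated-secret")
    return good, stray


if __name__ == "__main__":
    good, stray = demo()
    print("registered jku:", is_accepted(good, "https://example.com"))
    print("unregistered jku:", is_accepted(stray, "https://example.com"))
```

The allowlist check runs before any fetch, so a token whose `jku` points anywhere other than a URI established at registration time is rejected without the verifier ever contacting that location; the final `iss` check then ties the claims back to the issuer whose registered keys actually validated the signature.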