[Openid-specs-ab] jku and x5u

Tim Bray tbray at textuality.com
Wed Apr 3 16:55:13 UTC 2013


My prejudice is that of someone who wants to write a library that will
be easy for RPs to use, in mainstream cases.

On Wed, Apr 3, 2013 at 1:54 AM,  <Axel.Nennker at telekom.de> wrote:
> Here are two use cases that would not work under the
> “${issuer}/.well-known/openid-configuration” assumption.
>
> 1) The issuer has no control over the top level domain’s files

Yeah, the cost/benefit seems wrong to me here.  The cost of having
your own top-level space on the Net is so low, and the benefit of
having mechanically-discoverable OP metadata retrieval so high, that
if I were a library writer, I’m not sure I’d bother to try to support
this case.   If I’d been in this group at the start of the process I
would have questioned the wisdom of trying to support it in the spec.

> 2) A self-issued OP on a phone
> The issuer could dynamically register its keys or provide the public key
> with the first token. The consumer would then ensure that the key is the
> same in subsequent tokens.

At the moment I’m not particularly interested in this use-case.  I
think that if it is to become a mainstream use-case for OIDC, there
needs to be a straightforward reliable procedure for library-writers
to follow, as there is for the case of
${issuer}/.well-known/openid-configuration.  Maybe it’s already there
in the specs and I missed it?  -T

>
> From: openid-specs-ab-bounces at lists.openid.net
> [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Tim Bray
> Sent: Tuesday, April 02, 2013 11:55 PM
> To: Hannes Tschofenig
> Cc: <openid-specs-ab at lists.openid.net>
> Subject: Re: [Openid-specs-ab] jku and x5u
>
> From where I sit, the most obvious thing to do is look at the issuer claim,
> resolve ${issuer}/.well-known/openid-configuration, extract the jwk-url
> claim, fetch the jwk, and validate using that.  For the kind of
> consumer/internet stuff we do, wouldn't that nearly always be the right
> choice?
>
> -T
>
> On Tue, Apr 2, 2013 at 11:48 AM, Hannes Tschofenig
> <hannes.tschofenig at gmx.net> wrote:
>
> Hi Tim,
>
> There are three ways to shuffle keys around:
>
> * per value: you include the key in the message
> * per reference: you include a pointer to the key (e.g., a URL)
> * out-of-band: here you just give the key a name without telling where to
> find it.
>
> Needless to say that you have to be careful with all three mechanisms when
> it comes to security.
>
> You are already thinking about a complete use case that goes beyond what
> these header parameters by itself are able to answer.
>
> Ciao
> Hannes
>
> On 04/02/2013 09:35 PM, Tim Bray wrote:
>
> Sorry, I’m probably failing to understand because I’m a crypto moron,
> but if I want to use keys to validate a JWT allegedly from example.com,
> I’m not going to believe anything in the JWT until I’ve checked using
> example.com’s keys, so why should I believe the JWT’s assertion about
> where to get the keys to validate it?  -T
>
> On Tue, Apr 2, 2013 at 11:27 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:
>
>     Yes, that’s exactly it.  If you already know where the keys are or
>     what they are (for instance, if you’ve established that information
>     at registration time), there’s no need to use these parameters.  But
>     for some use cases, this is valuable information that can be
>     dynamically provided.  (The Key ID (“kid”) can also be dynamically
>     provided, if appropriate to the use case.)
>
>     --
>     Mike
>
>     From: openid-specs-ab-bounces at lists.openid.net
>     [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Tim Bray
>     Sent: Tuesday, April 02, 2013 11:19 AM
>     To: <openid-specs-ab at lists.openid.net>
>     Subject: [Openid-specs-ab] jku and x5u
>
>     Almost certainly I’m just missing something obvious, but I’m having
>     trouble understanding why the jku and x5u header claims exist.  The
>     idea is I get a message and believe the message’s assertion about
>     where I should go to get the cert to validate the message?  -T
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab


More information about the Openid-specs-ab mailing list