[Openid-specs-ab] Messages dynamic OP MTI: Clarify "bare" keys

Vladimir Dzhuvinov / NimbusDS vladimir at nimbusds.com
Tue Jul 2 20:19:12 UTC 2013


My reading of the JWK-11 and JWA-11 specs is that you can't actually
have a JWK, e.g. an RSA pub JWK, that omits the "bare" key parameters
(e.g. "n" and "e") and only has "x5c" or "x5u" in it. So a client should
always be able to ignore the "x5c"/"x5u" and obtain the bare key params
from the JWK. Please, correct me if I'm wrong.

I suspect the current wording about "bare" and X.509 keys is a leftover
from the time when OIDC permitted the keys to be published in both
formats.

Vladimir

--
Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com



-------- Original Message --------
Subject: Re: [Openid-specs-ab] Messages dynamic OP MTI: Clarify "bare" keys
From: Justin Richer <jricher at mitre.org>
Date: Tue, July 02, 2013 8:46 pm
To: Vladimir Dzhuvinov / NimbusDS <vladimir at nimbusds.com>
Cc: <openid-specs-ab at lists.openid.net>

I think the problem is that JWK can now represent keys as certificate 
chains using the X509 embedded format, as well as just bare keys. Might 
be a good editorial change for Final to have it say both "JWK" and "bare
keys" just to be explicit.

 -- Justin

On 07/02/2013 03:39 PM, Vladimir Dzhuvinov / NimbusDS wrote:
> Hi guys,
>
> '''
> Public Keys Published as Bare Keys
> These OPs MUST publish their public keys as bare keys, rather than
> in X.509 format.
> '''
>
> I think we could make the spec a bit more precise here by using the term
> JSON Web Keys (JWK) instead of "bare keys".
>
> Cheers,
>
> Vladimir
>
> --
> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
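
Added example (not part of the original thread, and not NimbusDS or OpenID code): a Python sketch of the reading given in the reply above, where a client takes the bare parameters from a JWK and ignores "x5c"/"x5u", and rejects a JWK that carries only certificate members. The function names, the required-member table and the toy key values are assumptions constructed for illustration.

```python
import base64
import re

# Bare public-key members expected per key type (assumption following the
# reading in the thread: an RSA public JWK always carries "n" and "e").
REQUIRED = {"RSA": ("n", "e"), "EC": ("crv", "x", "y")}
CERT_MEMBERS = ("x5c", "x5u")  # certificate members the client may ignore


def b64url_to_int(value):
    """Decode an unpadded base64url big-endian integer as used in a JWK."""
    if not isinstance(value, str) or not re.fullmatch(r"[A-Za-z0-9_-]+", value):
        raise ValueError("not an unpadded base64url string")
    raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    return int.from_bytes(raw, "big")


def bare_public_key(jwk):
    """Return the bare key parameters of a public JWK, ignoring x5c/x5u.

    Raises ValueError when the bare members are absent, even if
    certificate members are present.
    """
    kty = jwk.get("kty")
    if kty not in REQUIRED:
        raise ValueError(f"unsupported kty: {kty!r}")
    missing = [m for m in REQUIRED[kty] if m not in jwk]
    if missing:
        certs = [m for m in CERT_MEMBERS if m in jwk]
        raise ValueError(f"{kty} JWK lacks {missing}; certificate members: {certs}")
    if kty == "RSA":
        return {"kty": kty, "n": b64url_to_int(jwk["n"]),
                "e": b64url_to_int(jwk["e"])}
    return {"kty": kty, "crv": jwk["crv"],
            "x": b64url_to_int(jwk["x"]), "y": b64url_to_int(jwk["y"])}


# Constructed toy values, not a real key or certificate.
JWK_WITH_CERT = {"kty": "RSA", "n": "_w8", "e": "AQAB",
                 "x5c": ["PLACEHOLDER-not-a-real-certificate"]}
CERT_ONLY_JWK = {"kty": "RSA", "x5c": ["PLACEHOLDER-not-a-real-certificate"]}

if __name__ == "__main__":
    print(bare_public_key(JWK_WITH_CERT))  # x5c is never touched
    try:
        bare_public_key(CERT_ONLY_JWK)
    except ValueError as err:
        print("rejected:", err)
```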

