[Openid-specs-ab] Messages dynamic OP MTI: Clarify "bare" keys
Vladimir Dzhuvinov / NimbusDS
vladimir at nimbusds.com
Tue Jul 2 20:19:12 UTC 2013
My reading of the JWK-11 and JWA-11 specs is that you can't actually
have a JWK, e.g. an RSA pub JWK, that omits the "bare" key parameters
(e.g. "n" and "e") and only has "x5c" or "x5u" in it. So a client should
always be able to ignore the "x5c"/"x5u" and obtain the bare key params
from the JWK. Please, correct me if I'm wrong.
I suspect the current wording about "bare" and X.509 keys is a leftover
from the time when OIDC permitted the keys to be published in both
Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
-------- Original Message --------
Subject: Re: [Openid-specs-ab] Messages dynamic OP MTI: Clarify "bare"
From: Justin Richer <jricher at mitre.org>
Date: Tue, July 02, 2013 8:46 pm
To: Vladimir Dzhuvinov / NimbusDS <vladimir at nimbusds.com>
Cc: <openid-specs-ab at lists.openid.net>
I think the problem is that JWK can now represent keys as certificate
chains using the X509 embedded format, as well as just bare keys. Might
be a good editorial change for Final to have it say both "JWK" and "bare
keys" just to be explicit.
On 07/02/2013 03:39 PM, Vladimir Dzhuvinov / NimbusDS wrote:
> Hi guys,
> Public Keys Published as Bare Keys
> These OPs MUST publish their public keys as bare keys, rather than
> in X.509 format.
> I think we could make the spec a bit more precise here by using the term
> JSON Web Keys (JWK) instead of "bare keys".
> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
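One way a client could enforce the reading discussed in this thread, as an added example that is not part of the original messages or of any OpenID or NimbusDS code: it checks that a public JWK carries its bare key members and treats "x5c"/"x5u" as optional extras it can ignore. It goes beyond the RSA case in the thread by also listing the EC members ("crv", "x", "y") from the JWA key definitions; the function names and the sample keys are constructed for illustration.

```python
import base64

# Bare key members required per key type. "n" and "e" for RSA are named in the
# thread; the EC members are an assumption taken from the JWA key definitions.
REQUIRED = {"RSA": ("n", "e"), "EC": ("crv", "x", "y")}
CERT_MEMBERS = ("x5c", "x5u")

# Constructed sample keys (toy modulus 3233, placeholder certificate entry).
SAMPLE_WITH_CERT = {"kty": "RSA", "kid": "a", "n": "DKE", "e": "AQAB",
                    "x5c": ["CONSTRUCTED-PLACEHOLDER"]}
SAMPLE_CERT_ONLY = {"kty": "RSA", "kid": "b",
                    "x5c": ["CONSTRUCTED-PLACEHOLDER"]}


def b64url_to_int(value):
    """Decode an unpadded base64url big-endian integer such as "n" or "e"."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def check_jwk(jwk):
    """Return (ok, problems, ignored) for one public JWK.

    ok is True only when every bare key member for the key type is present,
    whether or not x5c/x5u are also there. ignored lists the certificate
    members that were found and not used.
    """
    kty = jwk.get("kty")
    if kty not in REQUIRED:
        return False, ["unsupported kty: %r" % (kty,)], []
    problems = []
    for name in REQUIRED[kty]:
        value = jwk.get(name)
        if not isinstance(value, str) or not value:
            problems.append("missing bare key member %r" % name)
    ignored = [m for m in CERT_MEMBERS if m in jwk]
    return not problems, problems, ignored


def rsa_public_numbers(jwk):
    """Return (n, e) from the bare members only; reject certificate-only keys."""
    ok, problems, _ = check_jwk(jwk)
    if not ok or jwk["kty"] != "RSA":
        raise ValueError("; ".join(problems) or "not an RSA key")
    return b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])
```

A key that fails `check_jwk` is rejected rather than falling back to the certificate material, so the client never has to parse "x5c" or fetch "x5u" to obtain the key.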