[Openid-specs-ab] request_uris parameter of Dynamic Client Registration

John Bradley ve7jtb at ve7jtb.com
Wed Nov 26 21:39:05 UTC 2014

Servers rotating keys every couple of days is reasonable. Mostly to make sure that clients not supporting key rotation break early. If you only rotate them every 6 months people may just manually fix it every time it breaks.

The RSA keys are 2048-bit typically, so should not need to be rotated for security reasons more than once a year, and that mostly has to do with people wanting to charge for certificates in the PKIX world; CA root keys are a similar length and live for decades if you think about it.

Nothing wrong with rotating server keys. I recommend it, but you are mostly defending against someone stealing your private key and you not knowing about it. Making sure rotation works for when something like Heartbleed hits is a good thing.

OAuth never considered rotating client secrets. I think that was something I made up when doing the original dynamic client registration draft. We considered a couple of options for symmetric keys but dropped it.

What we added was jwks_url and asymmetric authentication.

For God's sake, HTTP Basic is horribly insecure; rotating the key is not getting you all that much.

The better answer is using signed JWT for client authentication using asymmetric keys if you care about security.

Trying to rotate symmetric keys that you leak in plain text on each call to the token_endpoint is not as useful as just biting the bullet and going to asymmetric signatures.

With the new spec you will be able to rotate symmetric secrets, but I personally wouldn't bother.

The spec is mostly useful in letting you change other config parameters without changing the client_id and invalidating sticky consents.

John B.

> On Nov 26, 2014, at 6:18 PM, Mike Schwartz <mike at gluu.org> wrote:
> Rotating the keys every two days is no problem, but how does the client update the client_secret?
> thx,
> Mike Schwartz
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
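The mechanism John recommends above (signed JWT client authentication with the client's public keys published at its JWKS URL, so rotation is just publishing a new key id) as an added worked example. This is not code from the thread or from any OpenID implementation; it uses only the Go standard library and constructs its own client_id, token endpoint URL, key ids and claims as sample values. The server side looks the `kid` up in the key set it fetched from the client, pins the algorithm to RS256, verifies the signature, then checks the claims that bind the assertion to this client and this endpoint. A stale key set that still lacks the new `kid` rejects the assertion, which is the failure a short rotation interval surfaces early.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims of a private_key_jwt client assertion (OpenID Connect Core 9 / RFC 7523).
type Assertion struct {
	Iss string `json:"iss"` // client_id
	Sub string `json:"sub"` // client_id
	Aud string `json:"aud"` // the token endpoint URL
	Jti string `json:"jti"` // unique id so the server can refuse replays
	Exp int64  `json:"exp"`
	Iat int64  `json:"iat"`
}

// ClientKeys stands in for what the server fetched from the client's JWKS URL:
// a kid -> public key map. Rotation is the client publishing a new kid; no
// secret ever travels to the token endpoint.
type ClientKeys map[string]*rsa.PublicKey

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignAssertion (client side) builds a compact RS256 JWT whose kid header names the signing key.
func SignAssertion(priv *rsa.PrivateKey, kid string, c Assertion) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyAssertion (token endpoint side) checks signature, then the binding claims.
func VerifyAssertion(tok string, keys ClientKeys, clientID, tokenEndpoint string, now time.Time) (*Assertion, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	dec := base64.RawURLEncoding.DecodeString
	hdrRaw, err := dec(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // the token never gets to choose "none" or an HMAC alg
		return nil, errors.New("unexpected alg")
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, errors.New("unknown kid: refetch the client's JWKS or reject")
	}
	sig, err := dec(parts[2])
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	bodyRaw, err := dec(parts[1])
	if err != nil {
		return nil, err
	}
	var c Assertion
	if err := json.Unmarshal(bodyRaw, &c); err != nil {
		return nil, err
	}
	if c.Iss != clientID || c.Sub != clientID {
		return nil, errors.New("iss and sub must equal client_id")
	}
	if c.Aud != tokenEndpoint {
		return nil, errors.New("aud must be this token endpoint")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("assertion expired")
	}
	// A production server also records jti until exp to refuse a replayed assertion.
	return &c, nil
}

// RotationScenario: the client rolls from kid "k1" to "k2". A server holding the
// refreshed key set accepts; one still caching only "k1" rejects. Values are constructed.
func RotationScenario() (acceptedByCurrent, rejectedByStale bool, err error) {
	const clientID, tokenEP = "client-123", "https://op.example/token"
	oldKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	newKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	now := time.Now()
	tok, err := SignAssertion(newKey, "k2", Assertion{Iss: clientID, Sub: clientID, Aud: tokenEP,
		Jti: "n-1", Iat: now.Unix(), Exp: now.Add(time.Minute).Unix()})
	if err != nil {
		return
	}
	current := ClientKeys{"k1": &oldKey.PublicKey, "k2": &newKey.PublicKey}
	stale := ClientKeys{"k1": &oldKey.PublicKey}
	_, e1 := VerifyAssertion(tok, current, clientID, tokenEP, now)
	_, e2 := VerifyAssertion(tok, stale, clientID, tokenEP, now)
	return e1 == nil, e2 != nil, nil
}

func main() {
	ok, rej, err := RotationScenario()
	fmt.Println("accepted by current key set:", ok, "| rejected by stale key set:", rej, "| err:", err)
}
```

The audience check is what stops an assertion minted for one token endpoint from being replayed at another, and pinning `alg` on the server side is what keeps an attacker who knows the public key from downgrading the check to an HMAC over that key.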
