[Openid-specs-ab] request_uris parameter of Dynamic Client Registration

Mike Schwartz mike at gluu.org
Fri Nov 28 20:41:29 UTC 2014


John,

Very interesting. Thanks for the clarification.

At the Open Interconnect Consortium, some of the members assert that 
small IOT devices can't support asymmetric crypto.

I'm neutral on the trust model. If the resource is valuable, I wouldn't 
rely on symmetric crypto either!

With all the potential IOT malware and viruses, it's hard to trust even 
your home network... but given that... perhaps the idea is that you can 
trust your home network?

- Mike

-------------------------------------
Michael Schwartz
Gluu


On 2014-11-26 15:39, John Bradley wrote:
> Servers rotating keys every couple of days is reasonable.  Mostly to
> make sure that clients not supporting key rotation break early.   If
> you only rotate them every 6 months people may just manually fix it
> every time it breaks.
> 
> The RSA keys are 2048-bit typically so should not need to be rotated
> for security reasons more than once a year and that mostly has to do
> with people wanting to charge for certificates in the PKIX world. CA
> root keys are a similar length and live for decades if you think about
> it.
> 
> Nothing wrong with rotating server keys. I recommend it, but you are
> mostly defending against someone stealing your private key and you not
> knowing about it.   Making sure rotation works for when something like
> Heartbleed hits is a good thing.
> 
> OAuth never considered rotating client secrets.   I think that was
> something I made up when doing the original dynamic client
> registration draft.    We considered a couple of options for symmetric
> keys but dropped it.
> 
> What we added was jwks_url and asymmetric authentication.
> 
> For god's sake, http basic is horribly insecure; rotating the key is not
> getting you all that much.
> 
> The better answer is using signed JWT for client authentication using
> asymmetric keys if you care about security.
> 
> Trying to rotate symmetric keys that you leak in plain text on each
> call to the token_endpoint is not as useful as just biting the bullet
> and going to asymmetric signatures.
> 
> With the new spec you will be able to rotate symmetric secrets, but I
> personally wouldn't bother.
> 
> The spec is mostly useful in letting you change other config
> parameters without changing the client_id and invalidating sticky
> consents.
> 
> John B.
> 
> 
>> On Nov 26, 2014, at 6:18 PM, Mike Schwartz <mike at gluu.org> wrote:
>> 
>> Rotating the keys every two days is no problem, but how does the 
>> client update the client_secret?
>> 
>> thx,
>> 
>> Mike Schwartz
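Added example (written for this archive page, not code from the thread or from the OpenID specs): a Go sketch of the asymmetric, signed-JWT client authentication John recommends over client_secret rotation. The server selects the verification key by the kid the client advertises, so a key the client has rotated out of its published set simply stops validating. The client_id, token endpoint and kid values are constructed, and the jwks_uri fetch is replaced by an in-memory map.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var enc = base64.RawURLEncoding
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }
// ClientAssertion builds the RS256 private_key_jwt a client posts to the token endpoint; kid names the signing key.
func ClientAssertion(priv *rsa.PrivateKey, kid, clientID, tokenEndpoint string, now int64) (string, error) {
	jti := make([]byte, 16)
	rand.Read(jti) // crypto/rand; guaranteed not to fail on Go 1.24+
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	claims, _ := json.Marshal(map[string]any{"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"jti": enc.EncodeToString(jti), "iat": now, "exp": now + 60})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(claims)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(input))
	return input + "." + enc.EncodeToString(sig), err
}

// VerifyAssertion is the server side. keys stands in for the set fetched from the client's jwks_uri
// (a constructed kid -> public key map): pin the alg, pick the key by kid, verify, then check the claims.
func VerifyAssertion(tok string, keys map[string]*rsa.PublicKey, clientID, tokenEndpoint string, now int64) error {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return errors.New("malformed assertion")
	}
	dec := func(s string) []byte { b, _ := enc.DecodeString(s); return b }
	var hdr struct{ Alg, Kid string }
	var cl struct{ Iss, Sub, Aud string; Exp int64 }
	json.Unmarshal(dec(p[0]), &hdr) // on failure Kid stays empty and the key lookup below fails
	json.Unmarshal(dec(p[1]), &cl)  // on failure Exp stays 0 and the expiry check below fails
	pub, ok := keys[hdr.Kid]        // a rotated-out kid is absent, so its signatures are refused
	switch {
	case hdr.Alg != "RS256" || !ok:
		return errors.New("unknown kid or algorithm")
	case rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(p[0]+"."+p[1]), dec(p[2])) != nil:
		return errors.New("bad signature")
	case cl.Iss != clientID || cl.Sub != clientID || cl.Aud != tokenEndpoint || now >= cl.Exp:
		return errors.New("claims rejected")
	}
	return nil
}
```

Because only the public key is ever published, the client can rotate without the out-of-band client_secret update asked about above: it signs under a new kid and drops the old one from its key set.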