[Openid-specs-ab] request_uris parameter of Dynamic Client Registration
mike at gluu.org
Fri Nov 28 20:41:29 UTC 2014
Very interesting. Thanks for the clarification.
At the Open Interconnect Consortium, some of the members assert that
small IOT devices can't support asymmetric crypto.
I'm neutral on the trust model. If the resource is valuable, I wouldn't
rely on symmetric crypto either!
With all the potential IOT malware and viruses, it's hard to trust even
your home network... but given that... perhaps the idea is that you can
trust your home network?
On 2014-11-26 15:39, John Bradley wrote:
> Servers rotating keys every couple of days is reasonable. Mostly to
> make sure that clients not supporting key rotation break early. If
> you only rotate them every 6 months people may just manually fix it
> every time it breaks.
> The RSA keys are 2048-bit typically so should not need to be rotated
> for security reasons more than once a year, and that mostly has to do
> with people wanting to charge for certificates in the PKIX world, CA
> root keys are a similar length and live for decades if you think about
> Nothing wrong with rotating server keys. I recommend it, but you are
> mostly defending against someone stealing your private key and you not
> knowing about it. Making sure rotation works for when something like
> Heartbleed hits is a good thing.
> OAuth never considered rotating client secrets. I think that was
> something I made up when doing the original dynamic client
> registration draft. We considered a couple of options for symmetric
> keys but dropped it.
> What we added was jwks_url and asymmetric authentication.
> For God's sake, http basic is horribly insecure; rotating the key is not
> getting you all that much.
> The better answer is using signed JWT for client authentication using
> asymmetric keys if you care about security.
> Trying to rotate symmetric keys that you leak in plain text on each
> call to the token_endpoint is not as useful as just biting the bullet
> and going to asymmetric signatures.
> With the new spec you will be able to rotate symmetric secrets, but I
> personally wouldn't bother.
> The spec is mostly useful in letting you change other config
> parameters without changing the client_id and invalidating sticky
> John B.
>> On Nov 26, 2014, at 6:18 PM, Mike Schwartz <mike at gluu.org> wrote:
>> Rotating the keys every two days is no problem, but how does the
>> client update the client_secret?
>> Mike Schwartz
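What John describes above (signed-JWT client authentication with an asymmetric key published through the client's jwks_uri, rotated by kid rather than by re-registering a client_secret) as an added, self-contained example in Go. This is not code from the thread, from the Gluu server or from any OpenID Foundation project. It uses ES256 (ECDSA P-256) where the thread talks about RSA; the client_id, token endpoint URL, kid values and the two keys are all constructed for the example, and the in-memory map stands in for the key set the token endpoint would fetch from the client's registered jwks_uri.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Hypothetical client_id and token endpoint for this example; neither comes from the thread.
const clientID, tokenEndpoint = "example-client", "https://as.example/token"

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mustKey makes a fresh P-256 client signing key (the kind a client publishes via jwks_uri).
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// ClientAssertion builds a private_key_jwt assertion: iss and sub are the client_id, aud is the
// token endpoint, exp is short, jti is unique. The private key never leaves the client.
func ClientAssertion(kid string, priv *ecdsa.PrivateKey, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]any{"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"jti": fmt.Sprint(now.UnixNano()), "iat": now.Unix(), "exp": now.Add(time.Minute).Unix()})
	input := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r || s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// VerifyClientAssertion is the token endpoint's check; jwks stands in for the client's jwks_uri key set, indexed by kid.
func VerifyClientAssertion(jwks map[string]*ecdsa.PublicKey, token string, now time.Time) error {
	parts := strings.Split(token, ".")
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	// The server fixes the algorithm; the token must never get to choose a weaker one.
	if len(parts) != 3 || err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "ES256" {
		return errors.New("malformed JWT or unexpected alg")
	}
	pub, ok := jwks[hdr.Kid]
	if !ok { // retired or never-published kid: this is where rotation is enforced
		return errors.New("kid not in client's JWKS")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 ||
		!ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature invalid")
	}
	claimRaw, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c struct{ Iss, Sub, Aud string; Exp int64 }
	if err != nil || json.Unmarshal(claimRaw, &c) != nil {
		return errors.New("malformed claims")
	}
	if c.Iss != clientID || c.Sub != clientID || c.Aud != tokenEndpoint {
		return errors.New("assertion not from this client or not for this endpoint")
	}
	if now.Unix() >= c.Exp {
		return errors.New("assertion expired")
	}
	return nil
}

// RotationScenarios walks a jwks_uri rotation: both kids are published during the overlap, then the old kid is dropped.
func RotationScenarios(oldKey, newKey *ecdsa.PrivateKey) map[string]bool {
	now := time.Now()
	jwks := map[string]*ecdsa.PublicKey{"2014-11-01": &oldKey.PublicKey, "2014-11-26": &newKey.PublicKey}
	tokOld, errOld := ClientAssertion("2014-11-01", oldKey, now)
	tokNew, errNew := ClientAssertion("2014-11-26", newKey, now)
	accepted := func(tok string, err error, at time.Time) bool {
		return err == nil && VerifyClientAssertion(jwks, tok, at) == nil
	}
	res := map[string]bool{
		"new key accepted":                accepted(tokNew, errNew, now),
		"old key accepted during overlap": accepted(tokOld, errOld, now),
		"expired assertion accepted":      accepted(tokNew, errNew, now.Add(2*time.Minute)),
	}
	delete(jwks, "2014-11-01") // rotation finished: the old kid leaves the JWKS
	res["old key accepted after retirement"] = accepted(tokOld, errOld, now)
	return res
}

func main() { fmt.Println(RotationScenarios(mustKey(), mustKey())) }
```

Running it prints the four scenario results: assertions under either published kid are accepted during the overlap, while an assertion under the retired kid or past its exp is not. Nothing secret crosses the wire, which is the contrast with HTTP Basic that John draws: the token endpoint only ever sees a short-lived signature bound to its own URL, and a leaked assertion cannot be replayed elsewhere or after a minute. The production version would add a jti replay cache and fetch the JWKS over TLS from the registered jwks_uri.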