Generally, spec compliance is an issue with writers of libraries and vendors of solutions. It's well understood that any actual deployment can switch off any features it doesn't care about.<div><br></div><div>Choosing mandatory-to-support features gives guidance to library implementations and vendors as to the minimum subset they need to implement before they can label their product spec-compliant. If we think JWK is worth promoting as a convergence point, then marking it as mandatory helps that in the sense that many environments will support it because it's easily available. It will not prevent any enterprise organization from using a PKI-only solution, or any vendor from allowing PKI-only as a simple configuration of their product.</div>
<div><br></div><div>Since this is not an optional feature (i.e., some form of key distribution is required for the spec to work), in principle it would be preferable to declare one option as mandatory to support. Choosing not to pick a mandatory option is somewhat of a departure from common practice and would require a higher level of justification. That would not be the case if this were a truly optional feature.</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jul 27, 2012 at 1:05 PM, Justin Richer <span dir="ltr"><<a href="mailto:jricher@mitre.org" target="_blank">jricher@mitre.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Speaking from an enterprise that does
have a PKI infrastructure, I wholeheartedly disagree with the
claim that this is going to be a deal breaker. I also
wholeheartedly disagree with whether or not we should be in the
business of replacing legacy technology with something better --
you could use the same arguments you have listed below to use SAML
over OpenID Connect, or any number of strawman arguments. I don't
buy it. We're trying to reinvent wheels with better wheels here.
Isn't that the whole point of going through this standardization
exercise again and again? We take what's been done before, figure
out what works and what doesn't, and make the best informed
decision to move forward.<br>
<br>
Besides, nobody is even suggesting that we drop support for x509,
merely make support for JWK the MTI standard. You still get to
keep all your certificates, you just get to publish them in a way
that makes it easier for new clients to use them. Your clients
that want to use x509 can still use x509. Nobody's telling them
not to. Your servers still get to publish the x509 certs. Nobody's
telling them not to.<br>
<br>
This should be an easy win for you and your users.<span class="HOEnZb"><font color="#888888"><br>
<br>
-- Justin</font></span><div><div class="h5"><br>
<br>
On 07/27/2012 03:40 PM, Anthony Nadalin wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">There
are other interop issues beside this one, so this is not the
break point. You should not be in the business mandating the
replacement of technology that works and is proven with
technology that may or may not work and has yet to be
proven, as enterprises care about these choices. This will
be a deal breaker for companies that already have a PKI
infrastructure and use keys/certificates within that
infrastructure.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Justin Richer [<a href="mailto:jricher@mitre.org" target="_blank">mailto:jricher@mitre.org</a>]
<br>
<b>Sent:</b> Friday, July 27, 2012 12:24 PM<br>
<b>To:</b> Anthony Nadalin<br>
<b>Cc:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] Mandatory JWK
Support for OpenID Connect<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">"Let the customer decide" has already
caused interoperability issues in several instances. I think
we need to put a stake on the simple solution. JWK solves
the problem of key publishing in an HTTP-friendly,
JSON-friendly format.
<br>
<br>
Also, with JWK, as John pointed out, you can very easily
translate the keys in your certificates into the JWK format.
It's a couple lines of code on almost any platform. However,
getting the public keys inside of a JWK into a valid
certificate is another issue. We shouldn't be in the
business of writing the spec to prop up legacy
architectures.<br>
<br>
-- Justin<br>
<br>
On 07/27/2012 03:14 PM, Anthony Nadalin wrote:<u></u><u></u></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">That’s
why I’m against a mandatory to implement as someone gets
screwed in this case. With JWK you’re asking that people
invest in a un proven technology when they may already
have proven technology that is working and proven, so let
customer decide.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>
[<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">mailto:openid-specs-ab-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Justin Richer<br>
<b>Sent:</b> Friday, July 27, 2012 11:13 AM<br>
<b>To:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] Mandatory JWK
Support for OpenID Connect</span><u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<p class="MsoNormal">Alteratively, why would you want to
force people who don't have the same tools that you do to
invest the years that you have in order to get a new
protocol running when there's a simpler alternative that's
fairly easy to build from the ground up? :)<br>
<br>
-- Justin<br>
<br>
On 07/27/2012 01:36 PM, Anthony Nadalin wrote:<u></u><u></u></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">If
I have the tools already for x.509, why would I want to
invest in another set of tools and have to work on them
for years to get them to the point our x.509 tools are
today? Not sure there should be a mandatory, there
should be an equal option for both and you either
implement one or the other or both, but making JWK
mandatory means everyone has to create new tooling and
test the new tooling, etc.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
John Bradley [<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">mailto:ve7jtb@ve7jtb.com</a>]
<br>
<b>Sent:</b> Friday, July 27, 2012 10:18 AM<br>
<b>To:</b> Magnus Andersson<br>
<b>Cc:</b> Anthony Nadalin; <a href="mailto:openid-connect-interop@googlegroups.com" target="_blank">
openid-connect-interop@googlegroups.com</a>; <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">
openid-specs-ab@lists.openid.net</a>; Edmund Jay<br>
<b>Subject:</b> Re: [Openid-specs-ab] Mandatory JWK
Support for OpenID Connect</span><u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">There are some use cases where the use
of PKIX trust relationships may be required. <u></u><u></u></p>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">In the EU there may be reasons to
publish a x.509 cert so that the signature on the
id_token is qualified digital signature for non
repudiation at higher LOA.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">I don't think anyone wants to remove
the x.509 option. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">The question is if clients or servers
MUST implement both, or if only one format needs to be
mandatory for servers what should it be.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">For simple clients JWK is arguably (I
say that knowing Tony will argue) simpler to build as it
doesn't need ASN1 parsing. For servers x.509
certificates have existing tools.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Our design principal to this point is
for pushing complexity from clients to servers.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">John B.<u></u><u></u></p>
<div>
<div>
<p class="MsoNormal">On 2012-07-27, at 8:06 AM, Magnus
Andersson wrote:<u></u><u></u></p>
</div>
<p class="MsoNormal"><br>
<br>
<br>
<br>
<u></u><u></u></p>
<p class="MsoNormal">Hi<u></u><u></u></p>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">My name is Magnus I own a startup
and I'm implementing OpenID Connect.<u></u><u></u></p>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">As an implementor: if the
JWK-format is mandatory, exactly what added value
does optionally exposing x.509 certificates to the
client give? <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">As long as the JWK is mandatory
I personally don't see how optional x.509
certificates would simplify anything for those who
have existing Public-key infrastructure. They
still have to handle the JWK case and map that to
their PKI.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">I recognize I don't know all
the history in this matter. But could the option
to choose only JWK (as it is already deemed
mandatory) and skip x.509 be added, to balance out
the current options? <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">BR Magnus Andersson<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Solvies
AB<u></u><u></u></p>
<div>
<p class="MsoNormal">2012/7/27 John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>><u></u><u></u></p>
<div>
<p class="MsoNormal">Extracting a key from a
certificate is not that hard, to make a JWK
out of it. <u></u><u></u></p>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">We can likely automate
that. People who want to support x509 are
free to do that it is just not mandatory for
the client. For the basic client using the
code flow there is no MTI, for the implicit
flow JWK is MTI if you want general
support. I suppose if a client just wants
to talk to a specific IDP it could just do
x509 if that is supported.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">The options are.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">1 Client must support
both and server chooses<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">2 Server must support
both and client chooses<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">3 Server must support one
and the other is optional.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Tony are you saying you
prefer 1 or 2, or 3 your preference but
making x.509 the default.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">There are advantages and
disadvantages to picking JWK as the default.
<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">It is true that most
common tools like openSSL easily produce
self signed certificates.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">On the other hand they
expire and create run time issues later
because some people may try and do PKIX
processing on them. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">This is a continual
debate in SAML over raw keys vs
certificates. Many federations think raw
keys cause less support issues over time.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Thoughts?<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">John B.<u></u><u></u></p>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">On 2012-07-26, at
9:43 PM, Anthony Nadalin wrote:<u></u><u></u></p>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">This
creates problems with folks
that already have a PIK
infrastructure and want to
use existing keys</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
</div>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in;border-width:initial;border-color:initial">
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Edmund
Jay [mailto:<a href="mailto:ejay@mgi1.com" target="_blank">ejay@mgi1.com</a>] <br>
<b>Sent:</b> Thursday,
July 26, 2012 3:11 PM<br>
<b>To:</b> Anthony
Nadalin; <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">
openid-specs-ab@lists.openid.net</a>; <a href="mailto:openid-connect-interop@googlegroups.com" target="_blank">
openid-connect-interop@googlegroups.com</a><br>
<b>Subject:</b> Re:
[Openid-specs-ab]
Mandatory JWK Support
for OpenID Connect</span><u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">This
is in reference to the
open issue # 633 at <a href="http://hg.openid.net/connect/issue/633/messages-42-jwk-and-x509-format-support" target="_blank">http://hg.openid.net/connect/issue/633/messages-42-jwk-and-x509-format-support</a><br>
The specs currently
support x509 and JWK
format for publishing
public keys but are
silent on which must be
supported.<br>
There may be interop
problems related to
cryptographic aspects of
OpenID due to lack of
common support between
client and server.<br>
<br>
-- Edmund</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span><u></u><u></u></p>
</div>
<div>
<div class="MsoNormal" style="text-align:center" align="center"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<hr align="center" size="1" width="100%">
</span></div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Anthony
Nadalin <<a href="mailto:tonynad@microsoft.com" target="_blank">tonynad@microsoft.com</a>><br>
<b>To:</b> Edmund Jay
<<a href="mailto:ejay@mgi1.com" target="_blank">ejay@mgi1.com</a>>; "<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>"
<<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>>;
"<a href="mailto:openid-connect-interop@googlegroups.com" target="_blank">openid-connect-interop@googlegroups.com</a>"
<<a href="mailto:openid-connect-interop@googlegroups.com" target="_blank">openid-connect-interop@googlegroups.com</a>><br>
<b>Sent:</b> Thu, July
26, 2012 1:46:41 PM<br>
<b>Subject:</b> RE:
[Openid-specs-ab]
Mandatory JWK Support
for OpenID Connect</span><u></u><u></u></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d">Can you provide the rationale or
a pointer to the
rationale?</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d"> </span><u></u><u></u></p>
</div>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in;border-width:initial;border-color:initial">
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt"> <a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a> <a href="mailto:[mailto:openid-specs-ab-bounces@lists.openid.net]" target="_blank">[mailto:openid-specs-ab-bounces@lists.openid.net]</a> <b>On
Behalf Of </b>Edmund
Jay<br>
<b>Sent:</b> Thursday,
July 26, 2012
11:58 AM<br>
<b>To:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>; <a href="mailto:openid-connect-interop@googlegroups.com" target="_blank">openid-connect-interop@googlegroups.com</a><br>
<b>Subject:</b> [Openid-specs-ab]
Mandatory JWK
Support for
OpenID Connect</span><u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">This is to inform everyone that the Working
Group has decided
to make JWK
support mandatory
for both the
client and server.<br>
Feedback welcome.<br>
<br>
<br>
-- Edmund</span><u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Helvetica","sans-serif"">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></span><u></u><u></u></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><u></u><u></u></p>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<p class="MsoNormal"><br>
<br>
<br>
<br>
<u></u><u></u></p>
</blockquote>
<p class="MsoNormal"> <u></u><u></u></p>
</blockquote>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>--Breno<br>
</div>
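As an added example (not code from this thread or from any OpenID project), here is the conversion John and Justin refer to: reading the public key out of a DER X.509 certificate and publishing it as an RSA JWK, using only a minimal DER walker so it runs offline. The certificate it parses is constructed inline and is not a real certificate; the `kid` and `use` values are placeholders, and the member names follow the final JWK spec (RFC 7517) rather than the 2012 draft.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption

def _b64url(raw: bytes) -> str:
    """Base64url without padding, as JWK requires for n and e."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def der_tlv(buf: bytes, pos: int = 0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body: bytes):
    """Yield (tag, value) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = der_tlv(body, pos)
        yield tag, value

def rsa_jwk_from_cert(cert_der: bytes, kid: str) -> dict:
    """Pull SubjectPublicKeyInfo out of a DER certificate and build an RSA JWK."""
    _, cert_body, _ = der_tlv(cert_der)
    tbs = next(der_children(cert_body))[1]           # TBSCertificate comes first
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    spki = fields[5][1]   # serial, signature, issuer, validity, subject, SPKI
    alg_id, bit_string = [value for _, value in der_children(spki)]
    if next(der_children(alg_id))[1] != RSA_OID:
        raise ValueError("only rsaEncryption keys are handled here")
    _, rsa_key, _ = der_tlv(bit_string[1:])          # skip the unused-bits octet
    n_raw, e_raw = [value.lstrip(b"\x00") for _, value in der_children(rsa_key)]
    return {"kty": "RSA", "kid": kid, "use": "sig",  # kid/use are placeholders
            "n": _b64url(n_raw), "e": _b64url(e_raw),
            "x5c": [base64.b64encode(cert_der).decode()]}   # original cert, for PKIX clients

def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

_RSA_ALG = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))   # AlgorithmIdentifier
# Constructed sample: RFC 5280 layout with empty names/validity, no real signature,
# and a 3-byte toy modulus. It is NOT a real certificate.
SAMPLE_CERT = _der(0x30,
    _der(0x30,                                            # TBSCertificate
         _der(0xA0, _der(0x02, b"\x02"))                  # version v3
         + _der(0x02, b"\x01") + _RSA_ALG                 # serialNumber, signature alg
         + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b"")   # issuer, validity, subject
         + _der(0x30, _RSA_ALG + _der(0x03, b"\x00" + _der(0x30,    # SubjectPublicKeyInfo
               _der(0x02, b"\x00\xc0\xff\xee") + _der(0x02, b"\x01\x00\x01")))))
    + _RSA_ALG + _der(0x03, b"\x00"))                     # signatureAlgorithm, signature
```

Note what the bare JWK form drops: the validity period and issuer chain that PKIX processing would check, which is the run-time trade-off John raises about self-signed certificates. Carrying the original certificate in `x5c` keeps it available to clients that still want to do that processing.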