<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">"Let the customer decide" has already
caused interoperability issues in several instances. I think we
need to put a stake on the simple solution. JWK solves the problem
of key publishing in an HTTP-friendly, JSON-friendly format. <br>
<br>
Also, with JWK, as John pointed out, you can very easily translate
the keys in your certificates into the JWK format. It's a couple
of lines of code on almost any platform. However, getting the public
keys inside of a JWK into a valid certificate is another issue. We
shouldn't be in the business of writing the spec to prop up legacy
architectures.<br>
<br>
-- Justin<br>
<br>
On 07/27/2012 03:14 PM, Anthony Nadalin wrote:<br>
</div>
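<p>The certificate-to-JWK conversion Justin describes as "a couple lines of code", as an added example in Go that is not from this thread or from any OpenID project code: it parses a DER certificate, pulls out the RSA public key and emits the JWK members (RFC 7517, the spec JWK was later published as), using a constructed self-signed certificate as input; the function names and the key id are the example's own. The reverse direction is deliberately not shown, since a JWK carries no subject, validity period or chain from which a certificate could be built.</p>

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)
// JWK holds the RFC 7517 members needed to publish an RSA public key.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
// b64u is base64url without padding, the encoding JWK mandates.
func b64u(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// CertToJWK extracts the RSA public key from a DER certificate and re-encodes
// it as a JWK. Only the key carries over; validity period and chain do not.
func CertToJWK(der []byte, kid string) (JWK, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return JWK{}, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return JWK{}, fmt.Errorf("unsupported key type %T", cert.PublicKey)
	}
	e := b64u(big.NewInt(int64(pub.E)).Bytes()) // 65537 encodes as "AQAB"
	return JWK{Kty: "RSA", Kid: kid, N: b64u(pub.N.Bytes()), E: e}, nil
}
// JWKSet serialises keys as the JSON document a server exposes at its jwks_uri.
func JWKSet(keys ...JWK) ([]byte, error) {
	return json.Marshal(map[string][]JWK{"keys": keys})
}
// NewSelfSignedCert is constructed input: a throwaway key and a 24h self-signed
// certificate standing in for what openssl emits; the JWK derived from it never expires.
func NewSelfSignedCert() (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}
```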
<blockquote
cite="mid:B26C1EF377CB694EAB6BDDC8E624B6E75551F308@BL2PRD0310MB362.namprd03.prod.outlook.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">That’s
why I’m against a mandatory-to-implement, as someone gets
screwed in this case. With JWK you’re asking that people
invest in an unproven technology when they may already have
proven technology that is working and proven, so let the
customer decide.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
<a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a>
[<a class="moz-txt-link-freetext" href="mailto:openid-specs-ab-bounces@lists.openid.net">mailto:openid-specs-ab-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Justin Richer<br>
<b>Sent:</b> Friday, July 27, 2012 11:13 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] Mandatory JWK
Support for OpenID Connect<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Alternatively, why would you want to force
people who don't have the same tools that you do to invest
the years that you have in order to get a new protocol
running when there's a simpler alternative that's fairly
easy to build from the ground up? :)<br>
<br>
-- Justin<br>
<br>
On 07/27/2012 01:36 PM, Anthony Nadalin wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">If
I have the tools already for x.509, why would I want to
invest in another set of tools and have to work on them
for years to get them to the point our x.509 tools are
today? Not sure there should be a mandatory, there should
be an equal option for both and you either implement one
or the other or both, but making JWK mandatory means
everyone has to create new tooling and test the new
tooling, etc.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
John Bradley [<a moz-do-not-send="true"
href="mailto:ve7jtb@ve7jtb.com">mailto:ve7jtb@ve7jtb.com</a>]
<br>
<b>Sent:</b> Friday, July 27, 2012 10:18 AM<br>
<b>To:</b> Magnus Andersson<br>
<b>Cc:</b> Anthony Nadalin; <a moz-do-not-send="true"
href="mailto:openid-connect-interop@googlegroups.com">
openid-connect-interop@googlegroups.com</a>; <a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net">
openid-specs-ab@lists.openid.net</a>; Edmund Jay<br>
<b>Subject:</b> Re: [Openid-specs-ab] Mandatory JWK
Support for OpenID Connect</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">There are some use cases where the use of
PKIX trust relationships may be required. <o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">In the EU there may be reasons to
publish an x.509 cert so that the signature on the id_token
is a qualified digital signature for non-repudiation at a
higher LOA.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">I don't think anyone wants to remove
the x.509 option. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">The question is if clients or servers
MUST implement both, or if only one format needs to be
mandatory for servers what should it be.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">For simple clients JWK is arguably (I
say that knowing Tony will argue) simpler to build as it
doesn't need ASN.1 parsing. For servers x.509
certificates have existing tools.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Our design principle to this point is
for pushing complexity from clients to servers.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">John B.<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">On 2012-07-27, at 8:06 AM, Magnus
Andersson wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal">Hi<o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">My name is Magnus, I own a startup
and I'm implementing OpenID Connect.<o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">As an implementor: if the
JWK-format is mandatory, exactly what added value
does optionally exposing x.509 certificates to the
client give? <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">As long as the JWK is mandatory I
personally don't see how optional x.509 certificates
would simplify anything for those who have existing
Public-key infrastructure. They still have to handle
the JWK case and map that to their PKI.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">I recognize I don't know all the
history in this matter. But could the option to
choose only JWK (as it is already deemed mandatory)
and skip x.509 be added, to balance out the current
options? <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">BR Magnus Andersson<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Solvies
AB<o:p></o:p></p>
<div>
<p class="MsoNormal">2012/7/27 John Bradley <<a
moz-do-not-send="true"
href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>><o:p></o:p></p>
<div>
<p class="MsoNormal">Extracting a key from a
certificate is not that hard, to make a JWK out
of it. <o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">We can likely automate
that. People who want to support x509 are
free to do that; it is just not mandatory for
the client. For the basic client using the
code flow there is no MTI; for the implicit
flow JWK is MTI if you want general support.
I suppose if a client just wants to talk to a
specific IDP it could just do x509 if that is
supported.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">The options are:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">1. Client must support both
and server chooses<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">2. Server must support both
and client chooses<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">3. Server must support one
and the other is optional.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Tony, are you saying you
prefer 1 or 2, or is 3 your preference but making
x.509 the default?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">There are advantages and
disadvantages to picking JWK as the default. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">It is true that most common
tools like OpenSSL easily produce self-signed
certificates.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">On the other hand they
expire and create run-time issues later
because some people may try and do PKIX
processing on them. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">This is a continual debate
in SAML over raw keys vs certificates. Many
federations think raw keys cause fewer support
issues over time.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Thoughts?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">John B.<o:p></o:p></p>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">On 2012-07-26, at
9:43 PM, Anthony Nadalin wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">This
creates problems with folks
that already have a PKI
infrastructure and want to use
existing keys</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<div
style="border:none;border-top:solid
#B5C4DF 1.0pt;padding:3.0pt 0in
0in
0in;border-width:initial;border-color:initial">
<div>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Edmund
Jay [mailto:<a
moz-do-not-send="true"
href="mailto:ejay@mgi1.com"
target="_blank">ejay@mgi1.com</a>] <br>
<b>Sent:</b> Thursday,
July 26, 2012 3:11 PM<br>
<b>To:</b> Anthony
Nadalin; <a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net"
target="_blank">
openid-specs-ab@lists.openid.net</a>; <a moz-do-not-send="true"
href="mailto:openid-connect-interop@googlegroups.com"
target="_blank">
openid-connect-interop@googlegroups.com</a><br>
<b>Subject:</b> Re:
[Openid-specs-ab]
Mandatory JWK Support for
OpenID Connect</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">This
is in reference to the
open issue # 633 at <a
moz-do-not-send="true"
href="http://hg.openid.net/connect/issue/633/messages-42-jwk-and-x509-format-support"
target="_blank">http://hg.openid.net/connect/issue/633/messages-42-jwk-and-x509-format-support</a><br>
The specs currently
support x509 and JWK
format for publishing
public keys but are silent
on which must be
supported.<br>
There may be interop
problems related to
cryptographic aspects of
OpenID due to lack of
common support between
client and server.<br>
<br>
-- Edmund</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<div class="MsoNormal"
style="text-align:center"
align="center"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<hr align="center"
size="1" width="100%">
</span></div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Anthony
Nadalin <<a
moz-do-not-send="true"
href="mailto:tonynad@microsoft.com"
target="_blank">tonynad@microsoft.com</a>><br>
<b>To:</b> Edmund Jay <<a
moz-do-not-send="true"
href="mailto:ejay@mgi1.com"
target="_blank">ejay@mgi1.com</a>>;
"<a moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>"
<<a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net"
target="_blank">openid-specs-ab@lists.openid.net</a>>;
"<a moz-do-not-send="true"
href="mailto:openid-connect-interop@googlegroups.com" target="_blank">openid-connect-interop@googlegroups.com</a>"
<<a
moz-do-not-send="true"
href="mailto:openid-connect-interop@googlegroups.com"
target="_blank">openid-connect-interop@googlegroups.com</a>><br>
<b>Sent:</b> Thu, July 26,
2012 1:46:41 PM<br>
<b>Subject:</b> RE:
[Openid-specs-ab]
Mandatory JWK Support for
OpenID Connect</span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D">Can you provide the rationale or
a pointer to the
rationale?</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<div
style="border:none;border-top:solid
#B5C4DF
1.0pt;padding:3.0pt 0in
0in
0in;border-width:initial;border-color:initial">
<div>
<p class="MsoNormal"><b><span
style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt"> <a
moz-do-not-send="true"
href="mailto:openid-specs-ab-bounces@lists.openid.net"
target="_blank">openid-specs-ab-bounces@lists.openid.net</a> <a
moz-do-not-send="true"
href="mailto:[mailto:openid-specs-ab-bounces@lists.openid.net]"
target="_blank">[mailto:openid-specs-ab-bounces@lists.openid.net]</a> <b>On
Behalf Of </b>Edmund
Jay<br>
<b>Sent:</b> Thursday,
July 26, 2012
11:58 AM<br>
<b>To:</b> <a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>; <a
moz-do-not-send="true"
href="mailto:openid-connect-interop@googlegroups.com"
target="_blank">openid-connect-interop@googlegroups.com</a><br>
<b>Subject:</b> [Openid-specs-ab]
Mandatory JWK
Support for OpenID
Connect</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt">This is to inform everyone that the Working
Group has decided to
make JWK support
mandatory for both
the client and
server.<br>
Feedback welcome.<br>
<br>
<br>
-- Edmund</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><span
style="font-size:13.5pt;font-family:"Helvetica","sans-serif"">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openid-specs-ab@lists.openid.net"
target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></span><o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
</body>
</html>