<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Alternatively, why would you want to
force people who don't have the same tools that you do to invest
the years that you have in order to get a new protocol running
when there's a simpler alternative that's fairly easy to build
from the ground up? :)<br>
<br>
-- Justin<br>
<br>
On 07/27/2012 01:36 PM, Anthony Nadalin wrote:<br>
</div>
<blockquote
cite="mid:B26C1EF377CB694EAB6BDDC8E624B6E75551F24D@BL2PRD0310MB362.namprd03.prod.outlook.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">If
I have the tools already for x.509, why would I want to
invest in another set of tools and have to work on them for
years to get them to the point our x.509 tools are today?
Not sure there should be a mandatory, there should be an
equal option for both and you either implement one or the
other or both, but making JWK mandatory means everyone has
to create new tooling and test the new tooling, etc.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
John Bradley [<a class="moz-txt-link-freetext" href="mailto:ve7jtb@ve7jtb.com">mailto:ve7jtb@ve7jtb.com</a>]
<br>
<b>Sent:</b> Friday, July 27, 2012 10:18 AM<br>
<b>To:</b> Magnus Andersson<br>
<b>Cc:</b> Anthony Nadalin;
<a class="moz-txt-link-abbreviated" href="mailto:openid-connect-interop@googlegroups.com">openid-connect-interop@googlegroups.com</a>;
<a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>; Edmund Jay<br>
<b>Subject:</b> Re: [Openid-specs-ab] Mandatory JWK
Support for OpenID Connect<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">There are some use cases where the use of
PKIX trust relationships may be required. <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In the EU there may be reasons to publish
an x.509 cert so that the signature on the id_token is a
qualified digital signature for non-repudiation at higher
LOA.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I don't think anyone wants to remove the
x.509 option. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The question is if clients or servers
MUST implement both, or if only one format needs to be
mandatory for servers what should it be.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">For simple clients JWK is arguably (I say
that knowing Tony will argue) simpler to build as it doesn't
need ASN1 parsing. For servers x.509 certificates have
existing tools.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Our design principle to this point is for
pushing complexity from clients to servers.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">John B.<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">On 2012-07-27, at 8:06 AM, Magnus
Andersson wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<p class="MsoNormal">Hi<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">My name is Magnus, I own a startup and
I'm implementing OpenID Connect.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">As an implementor: if the
JWK-format is mandatory, exactly what added value does
optionally exposing x.509 certificates to the client
give? <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">As long as the JWK is mandatory I
personally don't see how optional x.509 certificates
would simplify anything for those who have existing
Public-key infrastructure. They still have to handle
the JWK case and map that to their PKI.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I recognize I don't know all the
history in this matter. But could the option to choose
only JWK (as it is already deemed mandatory) and skip
x.509 be added, to balance out the current options? <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">BR Magnus Andersson<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Solvies
AB<o:p></o:p></p>
<div>
<p class="MsoNormal">2012/7/27 John Bradley <<a
moz-do-not-send="true"
href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>><o:p></o:p></p>
<div>
<p class="MsoNormal">Extracting a key from a
certificate is not that hard, to make a JWK out of
it. <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">We can likely automate that.
People who want to support x509 are free to do
that; it is just not mandatory for the client.
For the basic client using the code flow there
is no MTI, for the implicit flow JWK is MTI if
you want general support. I suppose if a client
just wants to talk to a specific IDP it could
just do x509 if that is supported.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The options are:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">1 Client must support both
and server chooses<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">2 Server must support both
and client chooses<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">3 Server must support one and
the other is optional.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Tony, are you saying you
prefer 1 or 2, or is 3 your preference but making
x.509 the default?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">There are advantages and
disadvantages to picking JWK as the default. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">It is true that most common
tools like openSSL easily produce self signed
certificates.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">On the other hand they expire
and create runtime issues later because some
people may try and do PKIX processing on them. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This is a continual debate in
SAML over raw keys vs certificates. Many
federations think raw keys cause fewer support
issues over time.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thoughts?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">John B.<o:p></o:p></p>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">On 2012-07-26, at
9:43 PM, Anthony Nadalin wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">This
creates problems with folks that
already have a PKI
infrastructure and want to use
existing keys</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<div
style="border:none;border-top:solid
#B5C4DF 1.0pt;padding:3.0pt 0in
0in
0in;border-width:initial;border-color:initial">
<div>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Edmund
Jay [mailto:<a
moz-do-not-send="true"
href="mailto:ejay@mgi1.com"
target="_blank">ejay@mgi1.com</a>] <br>
<b>Sent:</b> Thursday, July
26, 2012 3:11 PM<br>
<b>To:</b> Anthony Nadalin;
<a moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net"
target="_blank">
openid-specs-ab@lists.openid.net</a>; <a moz-do-not-send="true"
href="mailto:openid-connect-interop@googlegroups.com"
target="_blank">
openid-connect-interop@googlegroups.com</a><br>
<b>Subject:</b> Re:
[Openid-specs-ab] Mandatory
JWK Support for OpenID
Connect</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">This
is in reference to the open
issue # 633 at <a
moz-do-not-send="true"
href="http://hg.openid.net/connect/issue/633/messages-42-jwk-and-x509-format-support"
target="_blank">http://hg.openid.net/connect/issue/633/messages-42-jwk-and-x509-format-support</a><br>
The specs currently support
x509 and JWK format for
publishing public keys but
are silent on which must be
supported.<br>
There may be interop
problems related to
cryptographic aspects of
OpenID due to lack of common
support between client and
server.<br>
<br>
-- Edmund</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<div class="MsoNormal"
style="text-align:center"
align="center"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<hr align="center" size="1"
width="100%">
</span></div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Anthony
Nadalin <<a
moz-do-not-send="true"
href="mailto:tonynad@microsoft.com"
target="_blank">tonynad@microsoft.com</a>><br>
<b>To:</b> Edmund Jay <<a
moz-do-not-send="true"
href="mailto:ejay@mgi1.com"
target="_blank">ejay@mgi1.com</a>>;
"<a moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net"
target="_blank">openid-specs-ab@lists.openid.net</a>"
<<a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net"
target="_blank">openid-specs-ab@lists.openid.net</a>>;
"<a moz-do-not-send="true"
href="mailto:openid-connect-interop@googlegroups.com"
target="_blank">openid-connect-interop@googlegroups.com</a>"
<<a
moz-do-not-send="true"
href="mailto:openid-connect-interop@googlegroups.com"
target="_blank">openid-connect-interop@googlegroups.com</a>><br>
<b>Sent:</b> Thu, July 26,
2012 1:46:41 PM<br>
<b>Subject:</b> RE:
[Openid-specs-ab] Mandatory
JWK Support for OpenID
Connect</span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D">Can
you provide the
rationale or a pointer
to the rationale?</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<div
style="border:none;border-top:solid
#B5C4DF
1.0pt;padding:3.0pt 0in
0in
0in;border-width:initial;border-color:initial">
<div>
<p class="MsoNormal"><b><span
style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt"> <a
moz-do-not-send="true"
href="mailto:openid-specs-ab-bounces@lists.openid.net"
target="_blank">openid-specs-ab-bounces@lists.openid.net</a> [mailto:openid-specs-ab-bounces@lists.openid.net] <b>On
Behalf Of </b>Edmund
Jay<br>
<b>Sent:</b> Thursday,
July 26, 2012 11:58
AM<br>
<b>To:</b> <a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>; <a
moz-do-not-send="true"
href="mailto:openid-connect-interop@googlegroups.com"
target="_blank">openid-connect-interop@googlegroups.com</a><br>
<b>Subject:</b> [Openid-specs-ab]
Mandatory JWK
Support for OpenID
Connect</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt">This is to inform everyone that the Working
Group has decided to
make JWK support
mandatory for both the
client and server.<br>
Feedback welcome.<br>
<br>
<br>
-- Edmund</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><span
style="font-size:13.5pt;font-family:"Helvetica","sans-serif"">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openid-specs-ab@lists.openid.net"
target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></span></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<br>
</blockquote>
<br>
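<p>Added example, not part of the thread and not code from any OpenID Connect implementation: John Bradley's remark above that extracting the key from a certificate to make a JWK "is not that hard" and can be automated, carried out in Python with only the standard library. It walks the DER certificate itself (so a JWK consumer never needs an ASN.1 library), emits <code>n</code>/<code>e</code> under the RFC 7518 names (the 2012 drafts still called them <code>mod</code>/<code>exp</code>), carries the certificate in <code>x5c</code> for the PKIX-dependent cases John mentions, sets <code>kid</code> to the RFC 7638 thumbprint as one convention for naming the key, and returns notAfter so the publisher can see the expiry behind the runtime issues raised in the thread. The certificate (subject "example-op", modulus <code>SAMPLE_N</code>, all-zero placeholder signature) and every function name are constructed for this example.</p>

```python
"""Added example (not from the thread): publish an X.509-held RSA key as a JWK.
Standard library only. A minimal DER reader walks the certificate to
SubjectPublicKeyInfo; n/e use the RFC 7518 names (2012 drafts said mod/exp),
"x5c" carries the certificate, "kid" is the RFC 7638 thumbprint, and notAfter
is returned so the publisher sees the expiry. The certificate is constructed
here with a placeholder signature and a made-up modulus: not a real key.
"""
import base64
import hashlib
import json
from datetime import datetime, timezone

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
SAMPLE_N = (1 << 511) + 12345                  # constructed 512-bit odd number, NOT a real modulus
SAMPLE_E = 65537

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content   # one DER tag-length-value

def der_int(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # extra byte keeps sign +

def read_tlv(buf, pos=0):
    """Decode the TLV at pos -> (tag, content, end); rejects truncated input."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0                                    # [(tag, content), ...] of a SEQUENCE/SET
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_sample_cert(n, e, not_before, not_after):
    """Constructed certificate: real X.509 layout, all-zero placeholder signature."""
    utc = lambda d: tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())   # UTCTime
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    cn = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"example-op"))
    name = tlv(0x30, tlv(0x31, cn))                                   # Name > RDN SET > CN
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
               + tlv(0x03, b"\x00" + tlv(0x30, der_int(n) + der_int(e))))  # 0 unused bits
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(1) + sig_alg + name
              + tlv(0x30, utc(not_before) + utc(not_after)) + name + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 65))

def _time(tag, body):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"     # UTCTime / GeneralizedTime
    return datetime.strptime(body.decode(), fmt).replace(tzinfo=timezone.utc)

def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 of the required members, lexically ordered, no whitespace."""
    canon = json.dumps({"e": jwk["e"], "kty": jwk["kty"], "n": jwk["n"]},
                       sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode()).digest())

def cert_to_jwk(cert_der):
    """Return (jwk, notAfter) for the RSA public key in a DER certificate."""
    fields = children(children(read_tlv(cert_der)[1])[0][1])      # tbsCertificate members
    if fields[0][0] == 0xA0:                                       # optional [0] version
        fields = fields[1:]
    not_after = _time(*children(fields[3][1])[1])                  # validity.notAfter
    alg, bits = children(fields[5][1])                             # subjectPublicKeyInfo
    if children(alg[1])[0][1] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    n, e = (int.from_bytes(t[1], "big") for t in children(read_tlv(bits[1], 1)[1]))
    jwk = {"kty": "RSA", "n": b64url(n.to_bytes((n.bit_length() + 7) // 8, "big")),
           "e": b64url(e.to_bytes((e.bit_length() + 7) // 8, "big"))}
    jwk["kid"] = jwk_thumbprint(jwk)
    jwk["x5c"] = [base64.b64encode(cert_der).decode()]              # x5c is plain base64
    return jwk, not_after

def x5c_matches_key(jwk):
    """A consumer that does use x5c should confirm it carries the same key as n/e."""
    inner, _ = cert_to_jwk(base64.b64decode(jwk["x5c"][0]))
    return (inner["n"], inner["e"]) == (jwk["n"], jwk["e"])

def demo(now_iso=None):
    cert = build_sample_cert(SAMPLE_N, SAMPLE_E, datetime(2012, 7, 27, tzinfo=timezone.utc),
                             datetime(2013, 7, 27, tzinfo=timezone.utc))
    jwk, not_after = cert_to_jwk(cert)
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return jwk, not_after, now > not_after      # an expired certificate still yields a usable JWK
```

<p><code>demo()</code> returns the JWK, the certificate's notAfter and whether it has passed, which is the split the thread is arguing about: the JWK keeps working after notAfter, while a consumer that feeds <code>x5c</code> into PKIX processing will start rejecting it on that date. <code>x5c_matches_key</code> is the check such a consumer should also run, because signatures are verified against <code>n</code>/<code>e</code>, and a certificate carrying a different key would let its chain vouch for a key it does not certify.</p>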
</body>
</html>