<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Alternatively, why would you want to
      force people who don't have the same tools that you do to invest
      the years that you have in order to get a new protocol running
      when there's a simpler alternative that's fairly easy to build
      from the ground up? :)<br>
      <br>
       -- Justin<br>
      <br>
      On 07/27/2012 01:36 PM, Anthony Nadalin wrote:<br>
    </div>
    <blockquote
cite="mid:B26C1EF377CB694EAB6BDDC8E624B6E75551F24D@BL2PRD0310MB362.namprd03.prod.outlook.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">If
            I have the tools already for x.509, why would I want to
            invest in another set of tools and have to work on them for
            years to get them to the point our x.509 tools are today?
            Not sure there should be a mandatory; there should be an
            equal option for both and you either implement one or the
            other or both, but making JWK mandatory means everyone has
            to create new tooling and test the new tooling, etc.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
                John Bradley [<a class="moz-txt-link-freetext" href="mailto:ve7jtb@ve7jtb.com">mailto:ve7jtb@ve7jtb.com</a>]
                <br>
                <b>Sent:</b> Friday, July 27, 2012 10:18 AM<br>
                <b>To:</b> Magnus Andersson<br>
                <b>Cc:</b> Anthony Nadalin;
                <a class="moz-txt-link-abbreviated" href="mailto:openid-connect-interop@googlegroups.com">openid-connect-interop@googlegroups.com</a>;
                <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>; Edmund Jay<br>
                <b>Subject:</b> Re: [Openid-specs-ab] Mandatory JWK
                Support for OpenID Connect<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">There are some use cases where the use of
          PKIX trust relationships may be required.  <o:p></o:p></p>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <div>
          <p class="MsoNormal">In the EU there may be reasons to publish
            an x.509 cert so that the signature on the id_token is a
            qualified digital signature for non-repudiation at higher
            LOA.<o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <div>
          <p class="MsoNormal">I don't think anyone wants to remove the
            x.509 option.   <o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <div>
          <p class="MsoNormal">The question is if clients or servers
            MUST implement both, or if only one format needs to be
            mandatory for servers what should it be.<o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <div>
          <p class="MsoNormal">For simple clients JWK is arguably (I say
            that knowing Tony will argue) simpler to build as it doesn't
            need ASN.1 parsing. For servers x.509 certificates have
            existing tools.<o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <div>
          <p class="MsoNormal">Our design principle to this point is
            pushing complexity from clients to servers.<o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <div>
          <p class="MsoNormal">John B.<o:p></o:p></p>
          <div>
            <div>
              <p class="MsoNormal">On 2012-07-27, at 8:06 AM, Magnus
                Andersson wrote:<o:p></o:p></p>
            </div>
            <p class="MsoNormal"><br>
              <br>
              <o:p></o:p></p>
            <p class="MsoNormal">Hi<o:p></o:p></p>
            <div>
              <p class="MsoNormal"><o:p> </o:p></p>
            </div>
            <div>
              <p class="MsoNormal">My name is Magnus, I own a startup and
                I'm implementing OpenID Connect.<o:p></o:p></p>
              <div>
                <p class="MsoNormal"><o:p> </o:p></p>
              </div>
              <div>
                <p class="MsoNormal">As an implementor: if the
                  JWK-format is mandatory, exactly what added value does
                  optionally exposing x.509 certificates to the client
                  give? <o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"><o:p> </o:p></p>
              </div>
              <div>
                <p class="MsoNormal">As long as the JWK is mandatory I
                  personally don't see how optional x.509 certificates
                  would simplify anything for those who have existing
                  Public-key infrastructure. They still have to handle
                  the JWK case and map that to their PKI.<o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"><o:p> </o:p></p>
              </div>
              <div>
                <p class="MsoNormal">I recognize I don't know all the
                  history in this matter. But could the option to choose
                  only JWK (as it is already deemed mandatory) and skip
                  x.509 be added, to balance out the current options?  <o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"><o:p> </o:p></p>
              </div>
              <div>
                <p class="MsoNormal">BR Magnus Andersson<o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal" style="margin-bottom:12.0pt">Solvies
                  AB<o:p></o:p></p>
                <div>
                  <p class="MsoNormal">2012/7/27 John Bradley <<a
                      moz-do-not-send="true"
                      href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>><o:p></o:p></p>
                  <div>
                    <p class="MsoNormal">Extracting a key from a
                      certificate is not that hard, to make a JWK out of
                      it.  <o:p></o:p></p>
                    <div>
                      <p class="MsoNormal"><o:p> </o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">We can likely automate that.
                        People who want to support x509 are free to do
                        that; it is just not mandatory for the client.
                        For the basic client using the code flow there
                        is no MTI; for the implicit flow JWK is MTI if
                        you want general support. I suppose if a client
                        just wants to talk to a specific IDP it could
                        just do x509 if that is supported.<o:p></o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><o:p> </o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">The options are:<o:p></o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">1. Client must support both
                        and server chooses<o:p></o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">2. Server must support both
                        and client chooses<o:p></o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">3. Server must support one and
                        the other is optional.<o:p></o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><o:p> </o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">Tony, are you saying you
                        prefer 1 or 2, or is 3 your preference but making
                        x.509 the default?<o:p></o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><o:p> </o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">There are advantages and
                        disadvantages to picking JWK as the default.  <o:p></o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><o:p> </o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">It is true that most common
                        tools like OpenSSL easily produce self-signed
                        certificates.<o:p></o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">On the other hand they expire
                        and create run time issues later because some
                        people may try and do PKIX processing on them.  <o:p></o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><o:p> </o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">This is a continual debate in
                        SAML over raw keys vs certificates. Many
                        federations think raw keys cause fewer support
                        issues over time.<o:p></o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><o:p> </o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">Thoughts?<o:p></o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><o:p> </o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">John B.<o:p></o:p></p>
                    </div>
                    <div>
                      <div>
                        <div>
                          <div>
                            <div>
                              <p class="MsoNormal">On 2012-07-26, at
                                9:43 PM, Anthony Nadalin wrote:<o:p></o:p></p>
                            </div>
                            <p class="MsoNormal"><o:p> </o:p></p>
                          </div>
                        </div>
                        <blockquote
                          style="margin-top:5.0pt;margin-bottom:5.0pt">
                          <div>
                            <div>
                              <div>
                                <div>
                                  <div>
                                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">This
                                        creates problems with folks that
                                        already have a PKI
                                        infrastructure and want to use
                                        existing keys</span><o:p></o:p></p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
                                  </div>
                                  <div>
                                    <div
                                      style="border:none;border-top:solid
                                      #B5C4DF 1.0pt;padding:3.0pt 0in
                                      0in
                                      0in;border-width:initial;border-color:initial">
                                      <div>
                                        <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Edmund
                                            Jay [mailto:<a
                                              moz-do-not-send="true"
                                              href="mailto:ejay@mgi1.com"
                                              target="_blank">ejay@mgi1.com</a>] <br>
                                            <b>Sent:</b> Thursday, July
                                            26, 2012 3:11 PM<br>
                                            <b>To:</b> Anthony Nadalin;
                                            <a moz-do-not-send="true"
                                              href="mailto:openid-specs-ab@lists.openid.net"
                                              target="_blank">
openid-specs-ab@lists.openid.net</a>; <a moz-do-not-send="true"
                                              href="mailto:openid-connect-interop@googlegroups.com"
                                              target="_blank">
openid-connect-interop@googlegroups.com</a><br>
                                            <b>Subject:</b> Re:
                                            [Openid-specs-ab] Mandatory
                                            JWK Support for OpenID
                                            Connect</span><o:p></o:p></p>
                                      </div>
                                    </div>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"> <o:p></o:p></p>
                                  </div>
                                  <div>
                                    <div>
                                      <div>
                                        <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">This
                                            is in reference to the open
                                            issue # 633 at <a
                                              moz-do-not-send="true"
href="http://hg.openid.net/connect/issue/633/messages-42-jwk-and-x509-format-support"
                                              target="_blank">http://hg.openid.net/connect/issue/633/messages-42-jwk-and-x509-format-support</a><br>
                                            The specs currently support
                                            x509 and JWK format for
                                            publishing public keys but
                                            is silent on which must be
                                            supported.<br>
                                            There may be interop
                                            problems related to
                                            cryptographic aspects of
                                            OpenID due to lack of common
                                            support between client and
                                            server.<br>
                                            <br>
                                            -- Edmund</span><o:p></o:p></p>
                                      </div>
                                    </div>
                                    <div>
                                      <div>
                                        <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span><o:p></o:p></p>
                                      </div>
                                      <div>
                                        <div class="MsoNormal"
                                          style="text-align:center"
                                          align="center"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
                                            <hr align="center" size="1"
                                              width="100%">
                                          </span></div>
                                        <p class="MsoNormal"
                                          style="margin-bottom:12.0pt"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Anthony
                                            Nadalin <<a
                                              moz-do-not-send="true"
                                              href="mailto:tonynad@microsoft.com"
                                              target="_blank">tonynad@microsoft.com</a>><br>
                                            <b>To:</b> Edmund Jay <<a
                                              moz-do-not-send="true"
                                              href="mailto:ejay@mgi1.com"
                                              target="_blank">ejay@mgi1.com</a>>;
                                            "<a moz-do-not-send="true"
                                              href="mailto:openid-specs-ab@lists.openid.net"
                                              target="_blank">openid-specs-ab@lists.openid.net</a>"
                                            <<a
                                              moz-do-not-send="true"
                                              href="mailto:openid-specs-ab@lists.openid.net"
                                              target="_blank">openid-specs-ab@lists.openid.net</a>>;

                                            "<a moz-do-not-send="true"
                                              href="mailto:openid-connect-interop@googlegroups.com"
                                              target="_blank">openid-connect-interop@googlegroups.com</a>"
                                            <<a
                                              moz-do-not-send="true"
                                              href="mailto:openid-connect-interop@googlegroups.com"
                                              target="_blank">openid-connect-interop@googlegroups.com</a>><br>
                                            <b>Sent:</b> Thu, July 26,
                                            2012 1:46:41 PM<br>
                                            <b>Subject:</b> RE:
                                            [Openid-specs-ab] Mandatory
                                            JWK Support for OpenID
                                            Connect</span><o:p></o:p></p>
                                        <div>
                                          <div>
                                            <p class="MsoNormal"><span
                                                style="font-size:11.0pt;color:#1F497D">Can
                                                you provide the
                                                rationale or a pointer
                                                to the rationale?</span><o:p></o:p></p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal"><span
                                                style="font-size:11.0pt;color:#1F497D"> </span><o:p></o:p></p>
                                          </div>
                                          <div>
                                            <div
                                              style="border:none;border-top:solid
                                              #B5C4DF
                                              1.0pt;padding:3.0pt 0in
                                              0in
                                              0in;border-width:initial;border-color:initial">
                                              <div>
                                                <p class="MsoNormal"><b><span
style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt"> <a
moz-do-not-send="true"
                                                      href="mailto:openid-specs-ab-bounces@lists.openid.net"
                                                      target="_blank">openid-specs-ab-bounces@lists.openid.net</a> <a
moz-do-not-send="true"
                                                      href="mailto:[mailto:openid-specs-ab-bounces@lists.openid.net]"
                                                      target="_blank">[mailto:openid-specs-ab-bounces@lists.openid.net]</a> <b>On

                                                      Behalf Of </b>Edmund
                                                    Jay<br>
                                                    <b>Sent:</b> Thursday,
                                                    July 26, 2012 11:58
                                                    AM<br>
                                                    <b>To:</b> <a
                                                      moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>; <a
moz-do-not-send="true"
                                                      href="mailto:openid-connect-interop@googlegroups.com"
                                                      target="_blank">openid-connect-interop@googlegroups.com</a><br>
                                                    <b>Subject:</b> [Openid-specs-ab]
                                                    Mandatory JWK
                                                    Support for OpenID
                                                    Connect</span><o:p></o:p></p>
                                              </div>
                                            </div>
                                          </div>
                                          <div>
                                            <p class="MsoNormal"> <o:p></o:p></p>
                                          </div>
                                          <div>
                                            <div>
                                              <p class="MsoNormal"><span
style="font-size:10.0pt">This is to inform everyone that the Working
                                                  Group has decided to
                                                  make JWK support
                                                  mandatory for both the
                                                  client and server.<br>
                                                  Feedback welcome.<br>
                                                  <br>
                                                  <br>
                                                  -- Edmund</span><o:p></o:p></p>
                                            </div>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                            <p class="MsoNormal"><span
style="font-size:13.5pt;font-family:"Helvetica","sans-serif"">_______________________________________________<br>
                                Openid-specs-ab mailing list<br>
                                <a moz-do-not-send="true"
                                  href="mailto:Openid-specs-ab@lists.openid.net"
                                  target="_blank">Openid-specs-ab@lists.openid.net</a><br>
                                <a moz-do-not-send="true"
                                  href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
                                  target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></span></p>
                          </div>
                        </blockquote>
                      </div>
                      <p class="MsoNormal"><o:p> </o:p></p>
                    </div>
                  </div>
                </div>
                <p class="MsoNormal"><o:p> </o:p></p>
                <div>
                  <p class="MsoNormal"><o:p> </o:p></p>
                </div>
                <p class="MsoNormal"><o:p> </o:p></p>
              </div>
            </div>
          </div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
      </div>
    </blockquote>
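<p>John Bradley's remark above that making a JWK out of the key in a certificate "is not that hard" and could be automated, together with his caveat that certificates expire, is illustrated by the following added example; it is not code from the thread or from the OpenID Connect project. It walks the DER of an X.509 certificate with the Python standard library only, emits an RFC 7517 RSA JWK (the certificate itself carried in x5c so PKIX-capable parties can still use it), and checks the validity window. The certificate, modulus and signature are constructed toy values, and build_toy_cert, cert_to_jwk and is_expired are hypothetical names.</p>

```python
"""Stdlib-only X.509 -> JWK conversion (hypothetical example; toy cert with a fake signature)."""
import base64
import hashlib
from datetime import datetime, timezone

OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


# --- minimal DER encoder, used only to build the toy certificate ---------
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_int(value):
    b = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:  # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return der(0x02, b)


def der_seq(*items):
    return der(0x30, b"".join(items))


# Constructed 2048-bit filler, NOT a real RSA modulus (never verify with it).
TOY_N = (1 << 2047) | int.from_bytes(hashlib.sha256(b"constructed").digest() * 8, "big") | 1
TOY_E = 65537


def build_toy_cert(not_before="120727000000Z", not_after="130727000000Z"):
    """Self-signed-looking cert: validity around the thread's date, fake signature."""
    rsa_alg = der_seq(der(0x06, OID_RSA_ENCRYPTION), der(0x05, b""))
    rsa_key = der_seq(der_int(TOY_N), der_int(TOY_E))
    spki = der_seq(rsa_alg, der(0x03, b"\x00" + rsa_key))  # BIT STRING, 0 unused bits
    name = der_seq(der(0x31, der_seq(der(0x06, bytes.fromhex("550403")), der(0x0C, b"toy-op"))))
    sig_alg = der_seq(der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05, b""))  # sha256WithRSA
    validity = der_seq(der(0x17, not_before.encode()), der(0x17, not_after.encode()))  # UTCTime
    tbs = der_seq(der(0xA0, der_int(2)), der_int(1), sig_alg, name, validity, name, spki)
    return der_seq(tbs, sig_alg, der(0x03, b"\x00" * 257))  # 256 zero bytes = fake signature


# --- minimal DER reader ----------------------------------------------------
def tlv(buf, pos=0):  # -> (tag, body, next_pos) for the element starting at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = tlv(body, pos)
        out.append((tag, inner))
    return out


def tbs_fields(cert_der):
    """TBSCertificate fields minus the optional [0] version: serial, alg, issuer, validity, subject, spki."""
    _, cert_body, _ = tlv(cert_der)
    fields = children(children(cert_body)[0][1])
    return fields[1:] if fields[0][0] == 0xA0 else fields


def cert_validity(cert_der):
    nb, na = children(tbs_fields(cert_der)[3][1])
    to_dt = lambda t: datetime.strptime(t[1].decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return to_dt(nb), to_dt(na)


def is_expired(cert_der, now=None):
    """The caveat from the thread: a cert used only as a key container still expires."""
    not_before, not_after = cert_validity(cert_der)
    now = now or datetime.now(timezone.utc)
    return not (not_before <= now <= not_after)


def b64url_uint(value):  # RFC 7518 Base64urlUInt: unsigned big-endian, no padding
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def cert_to_jwk(cert_der, kid="toy-key-1"):
    """Lift the RSA public key into an RFC 7517 JWK; the DER cert rides along in x5c."""
    alg, bitstr = children(tbs_fields(cert_der)[5][1])
    if children(alg[1])[0][1] != OID_RSA_ENCRYPTION:
        raise ValueError("only rsaEncryption keys handled in this example")
    _, rsa_body, _ = tlv(bitstr[1], 1)  # skip the BIT STRING 'unused bits' octet
    n, e = (int.from_bytes(t[1], "big") for t in children(rsa_body))
    return {"kty": "RSA", "use": "sig", "kid": kid, "n": b64url_uint(n), "e": b64url_uint(e),
            "x5c": [base64.b64encode(cert_der).decode("ascii")]}
```

<p>Calling cert_to_jwk(build_toy_cert()) yields the JWK an OP could publish next to the certificate, and is_expired on the same bytes shows why a relying party doing PKIX processing on a key-container cert will start failing after notAfter.</p>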
    <br>
  </body>
</html>