<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">I’ve pushed HTML versions of these changes to
</span><a href="http://openid.bitbucket.org">openid.bitbucket.org</a><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">. The main places to review are
<a href="http://openid.bitbucket.org/openid-connect-messages-1_0.html#sigenc.key">
Messages 4.2</a> (Keys), 4.3 (Signing), and 4.4 (Encryption), including the key rotation sections in 4.3.1 and 4.4.1. You could also review the “jwk_url” text in
<a href="http://openid.bitbucket.org/openid-connect-discovery-1_0.html#ProviderConfigurationResponse">
Discovery</a> and <a href="http://openid.bitbucket.org/openid-connect-registration-1_0.html#client-metadata">
Registration</a>.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">&nbsp;-- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">From:</span></b><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'"> openid-specs-ab-bounces@lists.openid.net [mailto:openid-specs-ab-bounces@lists.openid.net]
<b>On Behalf Of </b>Brian Campbell<br>
<b>Sent:</b> Friday, February 22, 2013 2:02 PM<br>
<b>To:</b> &lt;openid-specs-ab@lists.openid.net&gt;<br>
<b>Subject:</b> [Openid-specs-ab] key publication text updated and rotation guidance added<o:p></o:p></span></p>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">In working to resolve 703, 704 and 740 [1] over the last two days I've added the PKIX JWK key type (as well as an example) for X.509 certificates and consolidated the x509_uri, x509_encryption_uri, and jwk_encryption_uri
parameters into a single combined jwk_uri parameter. I've also provided suggested guidance about how to do key rotation of asymmetric keys for both signing and encryption using jwk_uri.<br>
<br>
I believe this is now a more consistent model that meets the full desired feature set. It might even be a simplification overall (it's no more complicated anyway). But I'm sure it could benefit from a review from some of the distinguished members of this list.
The specific change sets are listed below [2] and I think Mike is going to push an update to the
<a href="http://openid.bitbucket.org">openid.bitbucket.org</a> HTML specs this afternoon, which will be a little more readable. The real heart of the changes is contained in Section 4 of Messages.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">Thanks, <o:p></o:p></p>
</div>
<p class="MsoNormal">Brian<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><br>
<br>
[1]<br>
<a href="https://bitbucket.org/openid/connect/issue/703/key-publication-needs-to-be-reworked">https://bitbucket.org/openid/connect/issue/703/key-publication-needs-to-be-reworked</a><br>
<a href="https://bitbucket.org/openid/connect/issue/704/provide-key-rollover-guidance">https://bitbucket.org/openid/connect/issue/704/provide-key-rollover-guidance</a><br>
<a href="https://bitbucket.org/openid/connect/issue/740/use-of-same-key-for-different-operations">https://bitbucket.org/openid/connect/issue/740/use-of-same-key-for-different-operations</a><br>
<br>
[2]<br>
<a href="https://bitbucket.org/openid/connect/commits/aa93484bd1270007c21a89713c716e43f494d9d3">https://bitbucket.org/openid/connect/commits/aa93484bd1270007c21a89713c716e43f494d9d3</a><br>
<a href="https://bitbucket.org/openid/connect/commits/c34bad3e1197acb80a7289f2a5a7adfb84c65310">https://bitbucket.org/openid/connect/commits/c34bad3e1197acb80a7289f2a5a7adfb84c65310</a><br>
<a href="https://bitbucket.org/openid/connect/commits/5a02032842fbe08ad85a578c821cdc3469ff0302">https://bitbucket.org/openid/connect/commits/5a02032842fbe08ad85a578c821cdc3469ff0302</a><br>
<a href="https://bitbucket.org/openid/connect/commits/0cf12e189a3abb55032ccd61f61a197eaab6cd18">https://bitbucket.org/openid/connect/commits/0cf12e189a3abb55032ccd61f61a197eaab6cd18</a><br>
<a href="https://bitbucket.org/openid/connect/commits/164747e934d9dd03cf87f8c9421bcead544d5ca2">https://bitbucket.org/openid/connect/commits/164747e934d9dd03cf87f8c9421bcead544d5ca2</a><br>
<br>
[3]<br>
<a href="http://openid.bitbucket.org/openid-connect-messages-1_0.html#sigenc">http://openid.bitbucket.org/openid-connect-messages-1_0.html#sigenc</a><o:p></o:p></p>
</div>
</div>
</div>
</div>
</body>
</html>