<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
> We added a tools section listing <a class="moz-txt-link-freetext" href="http://jwt.io/">http://jwt.io/</a><br>
<br>
Now that we have that page, you might want to list the JWK generator
that we have:<br>
<br>
<a class="moz-txt-link-freetext" href="https://github.com/mitreid-connect/json-web-key-generator">https://github.com/mitreid-connect/json-web-key-generator</a><br>
<br>
It's a command-line Java app that uses the Nimbus library and
BouncyCastle to generate JWKs and JWK sets, with both public and
private keys. Our server uses the JWK format natively to store its
keys (no certs, yay!), and this is the tool we generally use to make
the keys for new deployments.<br>
<br>
-- Justin<br>
<br>
<br>
<div class="moz-cite-prefix">On 04/21/2014 07:43 PM, Mike Jones
wrote:<br>
</div>
<blockquote
cite="mid:4E1F6AAD24975D4BA5B16804296739439A18CC3F@TK5EX14MBXC288.redmond.corp.microsoft.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal">Spec call notes 21-Apr-14<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">John Bradley<o:p></o:p></p>
<p class="MsoNormal">Edmund Jay<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Agenda:<o:p></o:p></p>
<p class="MsoNormal"> OpenID 2.0 Transition Spec<o:p></o:p></p>
<p class="MsoNormal"> OAuth 2.0 Symmetric Proof of
Possession Spec<o:p></o:p></p>
<p class="MsoNormal"> Errata<o:p></o:p></p>
<p class="MsoNormal"> Upcoming Events<o:p></o:p></p>
<p class="MsoNormal"> Open Issues<o:p></o:p></p>
<p class="MsoNormal"> Google question to the list:
[Openid-specs-ab] nonce for code+id_token flow<o:p></o:p></p>
<p class="MsoNormal"> Libraries Page<o:p></o:p></p>
<p class="MsoNormal"> openid.net Web Site<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OpenID 2.0 Transition Spec<o:p></o:p></p>
<p class="MsoNormal"> Nat is studying proposals<o:p></o:p></p>
<p class="MsoNormal"> He believes that the Google
proposal has some issues<o:p></o:p></p>
<p class="MsoNormal"> There appear to be three
ways to do this:<o:p></o:p></p>
<p class="MsoNormal"> 1. One way is to publish the
Issuer key in the OpenID 2.0 discovery (YADIS) document<o:p></o:p></p>
<p class="MsoNormal"> 2. Another way is to publish
the Issuer Identifier in the OpenID 2.0 discovery (YADIS)
document<o:p></o:p></p>
<p class="MsoNormal"> 3. Another way is to publish
the OpenID 2.0 verified identifier<o:p></o:p></p>
<p class="MsoNormal"> The downside of 1 is that it
doesn't account for key rotation<o:p></o:p></p>
<p class="MsoNormal"> 2 seems to make the most
sense. Nat will start a rough draft using this method.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OAuth 2.0 Symmetric Proof of Possession
Spec<o:p></o:p></p>
<p class="MsoNormal"> This is the document
formerly known as "Transient Client Secret"<o:p></o:p></p>
<p class="MsoNormal"> Nat and John's spec needs to
be refreshed<o:p></o:p></p>
<p class="MsoNormal"> John plans to refresh it<o:p></o:p></p>
<p class="MsoNormal"> John also plans an
asymmetric version<o:p></o:p></p>
<p class="MsoNormal"> This may
address some of Chuck Mortimore's use cases<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Errata<o:p></o:p></p>
<p class="MsoNormal"> The next step seems to be to
write proposed text<o:p></o:p></p>
<p class="MsoNormal"> Mike will try
to have some text by the week of IIW<o:p></o:p></p>
<p class="MsoNormal"> Ideally we could review the
updated text at Yahoo! or at IIW<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Upcoming Events<o:p></o:p></p>
<p class="MsoNormal"> Pre-IIW event at Yahoo!,
Monday, May 5<o:p></o:p></p>
<p class="MsoNormal">
<a class="moz-txt-link-freetext" href="http://www.eventbrite.com/e/openid-foundation-workshop-tickets-1174511997">http://www.eventbrite.com/e/openid-foundation-workshop-tickets-1174511997</a><o:p></o:p></p>
<p class="MsoNormal"> We need an
updated "OpenID Connect Overview" talk<o:p></o:p></p>
<p class="MsoNormal">
Mike will try to put this together<o:p></o:p></p>
<p class="MsoNormal"> We likely
have some working group sessions during IIW itself<o:p></o:p></p>
<p class="MsoNormal">
We don't have much working time at Yahoo!<o:p></o:p></p>
<p class="MsoNormal"> Native
Applications will either be John or Paul<o:p></o:p></p>
<p class="MsoNormal"> Mobile
Profile may not have a GSMA representative<o:p></o:p></p>
<p class="MsoNormal">
Torsten would be a good person to lead this<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> European Identity
Conference, Tuesday, May 13<o:p></o:p></p>
<p class="MsoNormal">
<a class="moz-txt-link-freetext" href="http://www.id-conf.com/events/eic2014/agenda">http://www.id-conf.com/events/eic2014/agenda</a><o:p></o:p></p>
<p class="MsoNormal"> This will
probably be more presentation-oriented than interactive<o:p></o:p></p>
<p class="MsoNormal"> EIC is more
of an enterprise and privacy audience - less technical than
IIW<o:p></o:p></p>
<p class="MsoNormal">
Nat can think about possible differences from the Yahoo! deck<o:p></o:p></p>
<p class="MsoNormal">
We can also work on this during IIW<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> There were no new issues<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Google question to the list:
[Openid-specs-ab] nonce for code+id_token flow<o:p></o:p></p>
<p class="MsoNormal"> We don't think that a nonce
is technically necessary for the code flow<o:p></o:p></p>
<p class="MsoNormal"> But not
putting it in would cause interoperability problems<o:p></o:p></p>
<p class="MsoNormal"> If included, it will be the
same in both ID Tokens<o:p></o:p></p>
<p class="MsoNormal"> John will reply to the list<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Libraries Page<o:p></o:p></p>
<p class="MsoNormal"> We added Ping Federate and
Azure AD<o:p></o:p></p>
<p class="MsoNormal"> Others can
also supply product links to be listed<o:p></o:p></p>
<p class="MsoNormal"> We added a tools section
listing <a class="moz-txt-link-freetext" href="http://jwt.io/">http://jwt.io/</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">openid.net Web Site<o:p></o:p></p>
<p class="MsoNormal"> We probably want to merge
these pages:<o:p></o:p></p>
<p class="MsoNormal">
<a class="moz-txt-link-freetext" href="http://openid.net/foundation/community/">http://openid.net/foundation/community/</a><o:p></o:p></p>
<p class="MsoNormal">
<a class="moz-txt-link-freetext" href="http://openid.net/foundation/community/get-involved/">http://openid.net/foundation/community/get-involved/</a><o:p></o:p></p>
<p class="MsoNormal"> We also want to revise this
one and possibly make it easier to find:<o:p></o:p></p>
<p class="MsoNormal">
<a class="moz-txt-link-freetext" href="http://openid.net/foundation/community/mailing-lists/">http://openid.net/foundation/community/mailing-lists/</a><o:p></o:p></p>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
<br>
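<p>Added example, not part of the original thread or of any project it mentions: one way a relying party could enforce the point in the notes that, when a nonce is sent in a code+id_token flow, it is the same in both ID Tokens. The function names, issuer URL and sample tokens are constructed for illustration, and signature validation of each ID Token is assumed to have happened already.</p>

```python
import base64
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed sample token with a placeholder signature part."""
    header = _b64url(json.dumps({"alg": "RS256"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.c2ln"


def claims_of(id_token: str) -> dict:
    """Decode the payload of a compact-serialized ID Token.

    Assumption: the signature was already verified against the issuer's keys.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_hybrid_nonce(sent_nonce: str, front_token: str, back_token: str):
    """Return (ok, reason) for the two ID Tokens of a code+id_token flow.

    front_token comes from the authorization endpoint, back_token from the
    token endpoint; both must echo the nonce the client sent.
    """
    for label, token in (("authorization", front_token), ("token", back_token)):
        nonce = claims_of(token).get("nonce")
        if not isinstance(nonce, str):
            return False, f"{label} endpoint ID Token has no nonce"
        if not hmac.compare_digest(nonce.encode(), sent_nonce.encode()):
            return False, f"{label} endpoint ID Token nonce mismatch"
    return True, "nonce matches in both ID Tokens"


# Constructed sample data (not taken from the thread).
SENT = "n-0S6_WzA2Mj"
BASE = {"iss": "https://op.example", "sub": "alice"}
FRONT = make_sample_token({**BASE, "nonce": SENT})
BACK = make_sample_token({**BASE, "nonce": SENT})
STALE = make_sample_token({**BASE, "nonce": "from-another-request"})
NO_NONCE = make_sample_token(BASE)
```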
</body>
</html>