<div dir="ltr"><div>In the interest of full disclosure, as the naive fool who originally wrote those potentially problematic words about key rotation*, I can sometimes get a little defensive to criticism of them. But do keep in mind that Connect Core is a final published specification and errata changes can't/shouldn't break existing deployments or functionality. Also, as far as I know, this stuff has been working okay for many years. <br></div><div><br></div><div>For normal behaviour the "signer can begin using a new key at its discretion and signals the change to the verifier using the kid value" works okay. But yes, there is an opportunity for abuse by a malicious actor sending lots of unknown kid values. The verifying party not refetching the jwks_uri content more than once per some smallish time period, as Filip described, is a reasonable means of guarding against something like that. But a legitimate key roll to a newly published key during an 'attack' like that with those protections in place might result in some service disruption with erroneous invalid signatures until the new key at the jwks_uri is successfully retrieved. If the signer also waits a bit after publishing the new key before using it, that service disruption would presumably be avoided because (as long as the throttling period and the wait period matched up okay) the verifying party would have gotten the new key at some point previously. <br></div><div><br></div><div>I think that mandating that stuff is probably too far for an errata 6 or 7 years later. 
But maybe some text with suggestions along those lines and descriptions of why would be useful and reasonable for an errata?</div><div><br></div><div><br></div><div><br></div><div>* <a href="https://bitbucket.org/openid/connect/commits/164747e934d9dd03cf87f8c9421bcead544d5ca2#Lopenid-connect-messages-1_0.xmlT2556" target="_blank">https://bitbucket.org/openid/connect/commits/164747e934d9dd03cf87f8c9421bcead544d5ca2#Lopenid-connect-messages-1_0.xmlT2556</a></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 23, 2020 at 5:29 AM Torsten Lodderstedt via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Thanks for the explanation. <br>
<br>
> On 23. Mar 2020, at 09:54, Filip Skokan <<a href="mailto:panva.ip@gmail.com" target="_blank">panva.ip@gmail.com</a>> wrote:<br>
> <br>
> So the WG questions<br>
>       • should we do something about that language to suggest that signature recipients may omit fetching external jwks_uri resources if they already did so recently?<br>
<br>
Sounds reasonable to me. Is it feasible? I’m asking since I assume this requires a particular caching strategy, which aligns with the test suite’s expectations. <br>
<br>
>       • should we extend the attestation statement to allow for other rotation tests to be attested to allow implementers to have mechanisms that protect their infrastructure.<br>
> <br>
<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr">Brian Campbell<br>Distinguished Engineer<br><a href="mailto:bcampbell@pingidentity.com" target="_blank">bcampbell@pingidentity.com</a></div>
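As an added illustration (not part of this thread and not code from any OpenID implementation), a small Python model of the two mitigations discussed above: the verifier refetching jwks_uri at most once per throttle window when it sees an unknown kid, and the signer waiting after publishing a new key before using it. `JwksCache` and `simulate` are hypothetical names, the JWK entries are constructed stubs with no key material, and only the kid lookup is modelled, not signature verification itself.

```python
from typing import Callable, Dict, Optional

Jwks = Dict[str, dict]  # kid -> JWK (constructed stubs below, no real key material)


class JwksCache:
    """Verifier-side jwks_uri cache. An unknown kid triggers a refetch, but
    never more than once per `min_interval` seconds (the throttling the
    thread describes as a guard against floods of bogus kid values)."""

    def __init__(self, fetch_jwks: Callable[[], Jwks], min_interval: float) -> None:
        self._fetch = fetch_jwks
        self._min_interval = min_interval
        self._keys: Jwks = {}
        self._last_fetch: Optional[float] = None
        self.fetch_count = 0  # how many times jwks_uri was actually hit

    def _refetch(self, now: float) -> None:
        self._keys = dict(self._fetch())
        self._last_fetch = now
        self.fetch_count += 1

    def get_key(self, kid: str, now: float) -> Optional[dict]:
        if self._last_fetch is None:
            self._refetch(now)
        if kid in self._keys:
            return self._keys[kid]
        # Unknown kid: only go back to jwks_uri once the throttle window has elapsed.
        if now - self._last_fetch >= self._min_interval:
            self._refetch(now)
            return self._keys.get(kid)
        return None  # verifier has no key for this kid: signature treated as invalid


def simulate(min_interval: float, signer_wait: float) -> dict:
    """Timeline (seconds): t=0 first token signed with k1; t=1..100 an attacker
    sends one token per second with a bogus kid; at t=100 the signer publishes
    k2 at jwks_uri and starts signing with it `signer_wait` seconds later."""
    published: Jwks = {"k1": {"kid": "k1", "kty": "RSA"}}  # constructed JWK stub
    cache = JwksCache(lambda: published, min_interval)
    cache.get_key("k1", 0)
    for t in range(1, 101):
        cache.get_key(f"bogus-{t}", t)
    fetches_during_attack = cache.fetch_count
    published["k2"] = {"kid": "k2", "kty": "RSA"}  # new key published during the flood
    first_use = 100 + signer_wait
    key = cache.get_key("k2", first_use)
    return {"fetches": fetches_during_attack, "k2_found": key is not None}
```

With this timeline, `simulate(0, 0)` (no throttle) hits jwks_uri 101 times but finds k2, `simulate(60, 0)` hits it only twice but fails to find k2 on first use (the disruption the message describes), and `simulate(60, 60)` hits it twice and finds k2 because the signer's wait covered the throttle window.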