[jose] RFC-7517 section 4.5
Ricardo Pereira <rjoaopereira@gmail.com> Tue, 07 January 2020 10:46 UTC
Hello,

I have a question regarding section 4.5 of RFC 7517, which states:

4.5. "kid" (Key ID) Parameter <https://tools.ietf.org/html/rfc7517#section-4.5>

   The "kid" (key ID) parameter is used to match a specific key. This is used, for instance, to choose among a set of keys within a JWK Set during key rollover. The structure of the "kid" value is unspecified. When "kid" values are used within a JWK Set, different keys within the JWK Set SHOULD use distinct "kid" values. (One example in which different keys might use the same "kid" value is if they have different "kty" (key type) values but are considered to be equivalent alternatives by the application using them.) The "kid" value is a case-sensitive string. Use of this member is OPTIONAL. When used with JWS or JWE, the "kid" value is used to match a JWS or JWE "kid" Header Parameter value.

The part which is raising concerns is:

*When "kid" values are used within a JWK Set, different keys within the JWK Set SHOULD use distinct "kid" values.*

Context: I am using an OpenID certified Node library which does not allow for multiple keys with the same ID. An issue <https://github.com/panva/node-openid-client/issues/166> has been opened (and closed) where the author/maintainer states that the keys should have different kids and that the problem is with the issuer. The issuer (based on IdentityServer4) which I connect to states the opposite: that the offending keys (the repeating ones) are not different keys but the same and, as such, can use the same kid.

*Question:* Which party is correct?

Thank you for your time,
Ricardo Pereira
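The situation in the message, as an added example that is not part of the thread and not code from node-openid-client or IdentityServer4: a JWK Set in which two keys of different "kty" share a "kid" (the case RFC 7517 section 4.5 explicitly allows), a check that reports such duplicates, and a key resolver that narrows on the JWS header's "alg" and the key's "use" before treating the lookup as ambiguous. The JWK Set, key names and the alg-to-kty table are constructed for this example; the key material is placeholder text, not real keys.

```javascript
// Added example (not from the thread, node-openid-client or IdentityServer4):
// resolving a verification key when several JWK Set entries share a "kid".
// RFC 7517 s4.5 says "kid" values SHOULD be distinct but allows the same "kid"
// on keys of different "kty" that the application treats as equivalent, so a
// resolver that keys only on "kid" will see an ambiguity it can usually remove.

// Minimal alg -> kty mapping (subset of RFC 7518), enough for this example.
const ALG_KTY = {
  RS256: 'RSA', RS384: 'RSA', RS512: 'RSA', PS256: 'RSA', PS384: 'RSA', PS512: 'RSA',
  ES256: 'EC', ES384: 'EC', ES512: 'EC',
  HS256: 'oct', HS384: 'oct', HS512: 'oct',
};

// Returns every "kid" that appears on more than one key (what a strict
// "kids must be unique" consumer would reject the whole set for).
function duplicateKids(jwks) {
  const counts = new Map();
  for (const k of jwks.keys) {
    if (k.kid !== undefined) counts.set(k.kid, (counts.get(k.kid) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([kid]) => kid);
}

// Picks the key for a JWS protected header {kid, alg}. Candidates are narrowed
// by kid, then by kty derived from alg, then by "use" and an optional key "alg".
// Throws when nothing matches or when more than one candidate is still left.
function selectKey(jwks, header) {
  let c = jwks.keys.filter(k => k.kid === header.kid);
  const kty = ALG_KTY[header.alg];
  if (kty) c = c.filter(k => k.kty === kty);
  c = c.filter(k => k.use === undefined || k.use === 'sig');
  c = c.filter(k => k.alg === undefined || k.alg === header.alg);
  if (c.length === 0) throw new Error(`no key for kid=${header.kid} alg=${header.alg}`);
  if (c.length > 1) throw new Error(`ambiguous kid=${header.kid}: ${c.length} candidates`);
  return c[0];
}

// Constructed JWK Set: an RSA key and an EC key sharing kid "2020-01" (the
// "equivalent alternatives" case) plus an older RSA key. Placeholder material.
const JWKS = { keys: [
  { kty: 'RSA', kid: '2020-01', use: 'sig', n: 'PLACEHOLDER_N', e: 'AQAB' },
  { kty: 'EC', kid: '2020-01', use: 'sig', crv: 'P-256', x: 'PLACEHOLDER_X', y: 'PLACEHOLDER_Y' },
  { kty: 'RSA', kid: '2019-12', use: 'sig', n: 'PLACEHOLDER_N_OLD', e: 'AQAB' },
] };
```

A header that carries a "kid" but no usable "alg" still resolves to two candidates here, which is the ambiguity a strict consumer refuses up front; the resolver surfaces it as an error instead of silently picking the first key.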