[jose] RFC-7517 section 4.5

Ricardo Pereira <rjoaopereira@gmail.com> Tue, 07 January 2020 10:46 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/I5diGcJZ-OVSHQggC2WR9ExjfzA>


I have a question regarding section 4.5 of RFC 7517, which states:

4.5. "kid" (Key ID) Parameter <https://tools.ietf.org/html/rfc7517#section-4.5>

   The "kid" (key ID) parameter is used to match a specific key.  This
   is used, for instance, to choose among a set of keys within a JWK Set
   during key rollover.  The structure of the "kid" value is
   unspecified.  When "kid" values are used within a JWK Set, different
   keys within the JWK Set SHOULD use distinct "kid" values.  (One
   example in which different keys might use the same "kid" value is if
   they have different "kty" (key type) values but are considered to be
   equivalent alternatives by the application using them.)  The "kid"
   value is a case-sensitive string.  Use of this member is OPTIONAL.
   When used with JWS or JWE, the "kid" value is used to match a JWS or
   JWE "kid" Header Parameter value.

The part which is raising concerns is:

*When "kid" values are used within a JWK Set, different keys within
the JWK Set SHOULD use distinct "kid" values.*


I am using an OpenID Certified Node library which does not allow for
multiple keys with the same ID.
An issue <https://github.com/panva/node-openid-client/issues/166> has
been opened (and closed) where the author/maintainer states that the
keys should have different kids and that the problem is with the issuer.

The issuer (based on IdentityServer4) that I connect to states the
opposite: that the offending keys (the repeating ones) are not
different keys but the same one and, as such, can use the same kid.


Which party is correct?

Thank you for your time,

Ricardo Pereira