[jose] http://www.rfc-editor.org/info/rfc7517
Ahmet Soormally <ahmet@mangomm.co.uk> Wed, 06 May 2020 11:23 UTC
Return-Path: <ahmet@mangomm.co.uk>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EC683A094A for <jose@ietfa.amsl.com>; Wed, 6 May 2020 04:23:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MM44Ra7Yy4yP for <jose@ietfa.amsl.com>; Wed, 6 May 2020 04:23:30 -0700 (PDT)
Received: from smtp73.ord1c.emailsrvr.com (smtp73.ord1c.emailsrvr.com [108.166.43.73]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00DF03A0945 for <jose@ietf.org>; Wed, 6 May 2020 04:23:29 -0700 (PDT)
X-Auth-ID: ahmet@mangomm.co.uk
Received: by smtp26.relay.ord1c.emailsrvr.com (Authenticated sender: ahmet-AT-mangomm.co.uk) with ESMTPSA id D4BB5E009E; Wed, 6 May 2020 07:23:28 -0400 (EDT)
X-Sender-Id: ahmet@mangomm.co.uk
Received: from Ahmets-MBP-2.Home ([UNAVAILABLE]. [90.209.122.248]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA) by 0.0.0.0:465 (trex/5.7.12); Wed, 06 May 2020 07:23:29 -0400
To: jose@ietf.org
From: Ahmet Soormally <ahmet@mangomm.co.uk>
Cc: ahmet@tyk.io
Message-ID: <47375314-21e1-10c6-ccf7-d71b2a27ba46@mangomm.co.uk>
Date: Wed, 06 May 2020 12:23:27 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Language: en-GB
X-Classification-ID: 1d1d71bd-a7f2-48b9-92f9-36bfa0801ff0-1-1
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/XVeD1sLxm_jrsKZ7SPdWdUODKCU>
X-Mailman-Approved-At: Wed, 06 May 2020 06:38:52 -0700
Subject: [jose] http://www.rfc-editor.org/info/rfc7517
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 May 2020 11:33:27 -0000
Hello Jose, Hope you are well. I am writing with regards to proposing a change to rfc7517. It appears that some identity providers are very purist, and do not return x5c. It's an optional field. Whilst other identity providers do provide the x5c certificate. The x5c certificate is extremely useful. It negates the need for a library or application to be able to translate the modulus and exponent. Many libraries do not support this natively, meaning custom code needs to be written in order to perform this translation of formats in order to provide a standardised, interoperable interface & more easily foster interoperability & federation between multiple IdPs. https://github.com/asoorm/tyk-go-plugins/blob/master/merge_jwks/merge_jwks.go#L143-L194 It would be great if you could consider making the x5c certificate mandatory for RSA public keys, or provide any guidance in this regard. For example, as an API Gateway, I need to be able to support obtaining JWT public keys from the jwks_uri. and if each IdP does it differently, then this puts the onus on the gateway to perform the translation, where it could be very easily implemented at the issuer of the certificate's side. Further, it will ensure separation of concerns, where the gateway doesn't need to perform these operations, because the required data is already presentable in a consistent format. The certificate issuer will only ever need to update the certificates upon rotation. But the client using them will need to perform the translation every time. With thanks Ahmet
- [jose] http://www.rfc-editor.org/info/rfc7517 Ahmet Soormally
- Re: [jose] http://www.rfc-editor.org/info/rfc7517 Jim Schaad
- Re: [jose] Consensus call on charter for JSON Web… nadalin