[jose] HTTPS JWKS style key rotation for SAML/XML-DSig

Brian Campbell <bcampbell@pingidentity.com> Fri, 26 June 2015 15:43 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 26 Jun 2015 09:43:26 -0600
Message-ID: <CA+k3eCSfX1_DO+bwNx1RdPPpfkFPr1JJNXb3m8P9Xt_6x111EQ@mail.gmail.com>
To: "<openid-specs-ab@lists.openid.net>" <openid-specs-ab@lists.openid.net>, oauth <oauth@ietf.org>, "jose@ietf.org" <jose@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/eRMUX-XhPVoVvl0RXNKL0AVcTdE>
Subject: [jose] HTTPS JWKS style key rotation for SAML/XML-DSig

This document <https://goo.gl/6uWxT7>[0] was something done during the
course of some work a few months ago - it briefly proposes how a JWK Key ID
can be used within an XML Signature to convey to the recipient what key was
used to sign the XML and thusly what key to use to verify the signature. It's
not rocket surgery but maybe a useful thing to codify, which might help
with migration and coexistence of older and newer protocols.

Anyway, no action required or even suggested here. I just wanted to put the
idea out there and the mailing lists of a few of these (sorta) related WGs
seemed as good a place as any.


[0] https://goo.gl/6uWxT7
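The mechanism the message sketches, a JWK Key ID carried inside an XML Signature so the recipient knows which key in a published key set to verify with, as an added example that is not part of the post or of the linked document. Everything concrete here is my assumption, not the proposal's: the `kid` travels in `ds:KeyInfo/ds:KeyName`, the key set is a JWKS of `oct` keys, the signature is HMAC-SHA256 over `ds:SignedInfo`, and Python's built-in C14N 2.0 canonicalizer stands in for the Exclusive C14N 1.0 that XML-DSig actually specifies. The `JwksKeyResolver` class, the `rotation_demo` function and all key material are constructed for the example. The interesting part for rotation is the resolver's policy: refetch the JWKS once when a `kid` is unknown, then refuse.

```python
"""Added example: JWKS-style key identification and rotation for an XML Signature.
Assumptions (mine, not the proposal's): kid in ds:KeyName, JWKS of "oct" keys,
HMAC-SHA256 over ds:SignedInfo, C14N 2.0 instead of Exclusive C14N 1.0."""
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _c14n(elem: ET.Element) -> bytes:
    # Canonical bytes of a subtree; signer and verifier must agree on these.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()


class JwksKeyResolver:
    """Map a kid to key bytes. fetch() stands in for an HTTPS GET of the JWKS URL.
    Refetching once on an unknown kid lets the signer roll keys without a flag day;
    refusing after that one refetch keeps an attacker-chosen kid from driving the
    verifier into repeated fetches (constructed policy)."""

    def __init__(self, fetch):
        self._fetch, self._keys, self.fetch_count = fetch, {}, 0
        self._load()

    def _load(self) -> None:
        self.fetch_count += 1
        jwks = json.loads(self._fetch())
        self._keys = {k["kid"]: _b64url_decode(k["k"])
                      for k in jwks.get("keys", [])
                      if k.get("kty") == "oct" and "kid" in k}

    def resolve(self, kid: str) -> bytes:
        if kid not in self._keys:
            self._load()          # exactly one refresh, then give up
        if kid not in self._keys:
            raise KeyError(f"unknown kid {kid!r}")
        return self._keys[kid]


def sign(payload_xml: str, kid: str, key: bytes) -> str:
    """Return a ds:Signature (as text) whose SignedInfo references the payload
    digest; the kid goes in ds:KeyInfo/ds:KeyName (assumed placement)."""
    digest = base64.b64encode(hashlib.sha256(payload_xml.encode()).digest()).decode()
    signed_info = ET.Element(f"{{{DS}}}SignedInfo")
    ET.SubElement(signed_info, f"{{{DS}}}SignatureMethod",
                  Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256")
    ref = ET.SubElement(signed_info, f"{{{DS}}}Reference", URI="")
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest
    mac = hmac.new(key, _c14n(signed_info), hashlib.sha256).digest()

    signature = ET.Element(f"{{{DS}}}Signature")
    signature.append(signed_info)
    ET.SubElement(signature, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    key_info = ET.SubElement(signature, f"{{{DS}}}KeyInfo")
    ET.SubElement(key_info, f"{{{DS}}}KeyName").text = kid
    return ET.tostring(signature, encoding="unicode")


def verify(payload_xml: str, signature_xml: str, resolver: JwksKeyResolver) -> bool:
    sig = ET.fromstring(signature_xml)
    kid = sig.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName")
    if not kid:
        return False                      # no kid, no way to choose a key
    try:
        key = resolver.resolve(kid)
    except KeyError:
        return False                      # still unknown after one JWKS refresh
    signed_info = sig.find(f"{{{DS}}}SignedInfo")
    expected = hmac.new(key, _c14n(signed_info), hashlib.sha256).digest()
    got = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue") or "")
    if not hmac.compare_digest(expected, got):
        return False
    claimed = signed_info.findtext(f"{{{DS}}}Reference/{{{DS}}}DigestValue") or ""
    actual = base64.b64encode(hashlib.sha256(payload_xml.encode()).digest()).decode()
    return hmac.compare_digest(claimed, actual)


def _jwk_oct(kid: str, key: bytes) -> dict:
    return {"kty": "oct", "kid": kid,
            "k": base64.urlsafe_b64encode(key).rstrip(b"=").decode()}


def rotation_demo() -> dict:
    """Constructed scenario: the verifier cached a JWKS listing only the old key,
    then the signer publishes a new key and starts signing with it."""
    old_key = hashlib.sha256(b"constructed demo key 2015-03").digest()
    new_key = hashlib.sha256(b"constructed demo key 2015-06").digest()
    published = [json.dumps({"keys": [_jwk_oct("2015-03", old_key)]})]
    resolver = JwksKeyResolver(lambda: published[-1])   # fetch 1: old key only
    payload = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="a1"/>'
    published.append(json.dumps({"keys": [_jwk_oct("2015-03", old_key),
                                          _jwk_oct("2015-06", new_key)]}))
    return {
        "new_kid_ok": verify(payload, sign(payload, "2015-06", new_key), resolver),  # fetch 2
        "old_kid_ok": verify(payload, sign(payload, "2015-03", old_key), resolver),
        "unknown_kid_ok": verify(payload, sign(payload, "2099-01", new_key), resolver),  # fetch 3
        "tampered_ok": verify(payload.replace('ID="a1"', 'ID="a2"'),
                              sign(payload, "2015-06", new_key), resolver),
        "fetches": resolver.fetch_count,
    }


if __name__ == "__main__":
    print(rotation_demo())
```

Keeping the old kid published alongside the new one is what makes the overlap window work: in-flight messages signed before the roll still verify, while a kid the JWKS never lists fails closed after a single refresh rather than being trusted or retried indefinitely.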