Re: [OAUTH-WG] WGLC for JWK Thumbprint URI document

Mike Jones <Michael.Jones@microsoft.com> Fri, 18 February 2022 18:35 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: David Chadwick <d.w.chadwick@verifiablecredentials.info>, Kristina Yasuda <Kristina.Yasuda@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] WGLC for JWK Thumbprint URI document
Thread-Index: Adgk9lYwKBrT56kNRrSD7UD+Mo6T5Q==
Date: Fri, 18 Feb 2022 18:35:45 +0000
Message-ID: <SA2PR00MB1002A2789C1441D359B03BB1F5379@SA2PR00MB1002.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8JLXDNd_RmnpHInNRUJcUSkILBQ>
Subject: Re: [OAUTH-WG] WGLC for JWK Thumbprint URI document

See my review comments in the thread “[OAUTH-WG] Comments on draft-chadwick-oauth-jwk-uri-00”.

                                                       -- Mike

From: David Chadwick <d.w.chadwick@verifiablecredentials.info>
Sent: Friday, February 18, 2022 3:52 AM
To: Mike Jones <Michael.Jones@microsoft.com>; Kristina Yasuda <Kristina.Yasuda@microsoft.com>; oauth@ietf.org
Subject: Re: [OAUTH-WG] WGLC for JWK Thumbprint URI document

Hi Mike

The additional mechanism was published as an I-D last week.


draft-chadwick-oauth-jwk-uri-00.txt

I thought this list had been notified, but my bad, I see it was not. So I have just sent out the notification now.

So can we get some feedback from this group as well as the OIDC one, before progressing either?

Kind regards

David

On 17/02/2022 22:23, Mike Jones wrote:
Hi David,

Rifaat reminded me that yours is the only WGLC comment that has not been resolved by publication of -01.  As noted earlier, the substantive differences between this draft and the JWK URI draft that you’re proposing are being primarily discussed in the OpenID Connect working group, where the JWK Thumbprint URI mechanism is used.

In that discussion, you made this issue comment https://bitbucket.org/openid/connect/issues/1429/replace-jwk-thumbprint-uri-with-jwk-uri#comment-61838115:

“I agree that adding JWK URI should not exclude JWK Thumbprint URIs. Similarly JWK Thumbprint URIs should not exclude JWK URIs.”

That seems to me to indicate that you’re OK with this specification being published, while also wanting both working groups to consider your additional mechanism when a draft is submitted? Am I hearing you correctly on that?

At least in my mind, the fact that you might publish another not-equivalent mechanism shouldn’t hold up publication of this mechanism.

                                                       Thanks again,
                                                       -- Mike

From: David Chadwick <d.w.chadwick@verifiablecredentials.info>
Sent: Monday, February 7, 2022 12:54 PM
To: Kristina Yasuda <Kristina.Yasuda@microsoft.com>; Mike Jones <Michael.Jones@microsoft.com>; oauth@ietf.org
Subject: Re: [OAUTH-WG] WGLC for JWK Thumbprint URI document

On 07/02/2022 20:42, Kristina Yasuda wrote:
Hi David,

I think your comments below apply to the choices made in another specification (SIOP v2 in OIDF), rather than this IETF draft we are discussing.

Hi Kristina

Yes and no.

No, in that the registration of either of the I-Ds as an RFC is a matter for this list, and should answer this question, "what is the best way (or ways) of creating a URI from a public key."

Yes, in that the SIOPv2 specification requires at least one way of specifying a public key as a URI and therefore needs some other standard or standards to refer to.
I’ve seen you opened an issue in the OpenID Connect WG Bitbucket. Let’s discuss there whether SIOP v2 should use JWK Thumbprint URI.

Yes we can certainly discuss the latter issue in OIDF

Kind regards

David

Best,
Kristina

From: OAuth <oauth-bounces@ietf.org> On Behalf Of David Chadwick
Sent: Sunday, February 6, 2022 2:40 AM
To: Mike Jones <Michael.Jones@microsoft.com>; oauth@ietf.org
Subject: Re: [OAUTH-WG] WGLC for JWK Thumbprint URI document

On 05/02/2022 17:46, Mike Jones wrote:
David, I believe your objections below are actually about the JWK Thumbprint [RFC 7638 <https://www.rfc-editor.org/rfc/rfc7638.html>] computation used by this specification, and not the operation defined by this specification. JWK Thumbprint became an RFC in 2015.

Hi Mike

No, my objection is to the JWK Thumbprint URI document. I accept that the JWK Thumbprint RFC already exists.

The aim of the SIOPv2 group is to transfer a public key as a URI, so it leverages the JWK Thumbprint RFC to do this. As I point out in my I-D, SIOPv2 transfers the public key and the public key thumbprint. My I-D suggests that we simply transfer the public key as a URI then no thumbprint computation is necessary by the SIOPv2. The recipient can compute its own thumbprint if it needs to by utilising the JWK Thumbprint RFC and in this case no hashing algorithm needs to be jointly agreed upon.

Kind regards

David

This specification <https://www.ietf.org/archive/id/draft-ietf-oauth-jwk-thumbprint-uri-00.html> defines how to create a JWK Thumbprint URI by concatenating the URI prefix “urn:ietf:params:oauth:jwk-thumbprint” to an RFC 7638 JWK Thumbprint. That’s all it does. That’s why Rifaat’s statement “The JWK Thumbprint URI document is a simple and straightforward specification” is indeed correct.

                                                       Best wishes,
                                                       -- Mike

From: OAuth <oauth-bounces@ietf.org> On Behalf Of David Chadwick
Sent: Friday, February 4, 2022 9:55 AM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] WGLC for JWK Thumbprint URI document

On 02/02/2022 12:18, Rifaat Shekh-Yusef wrote:
All,

The JWK Thumbprint URI document is a simple and straightforward specification.

Actually this is a complex and inefficient specification compared to other possibilities.

I have written an Internet-Draft outlining an alternative scheme, the JWK URI, which provides OIDC SIOPv2 with all the requirements that it needs with much less effort than implementing JWK Thumbprint URIs. I am currently formatting this I-D correctly to submit to the IETF. The rationale for this new Internet Draft is as follows.

To produce or validate a JWK Thumbprint, both the sender and the receiver have to have the JWK available to them. Then they have to canonicalise the JWK as described in [RFC7638], and finally hash the octets of the UTF-8 representation of this JSON object with a pre-agreed algorithm in order to both obtain the same hash value. The way that the JWK Thumbprint URI is used in SIOPv2 [SIOPv2] is as follows:

  1.  the SIOP creates an asymmetric key pair and encodes the public key as a JWK;
  2.  the SIOP creates the JWK Thumbprint as described in [RFC7638] and converts it to a URI as described in [JONES];
  3.  the SIOP passes both the JWK and JWK Thumbprint URI to the RP in the JWT;
  4.  the RP extracts the JWK and JWK Thumbprint from the JWT;
  5.  the RP re-computes the JWK Thumbprint from the JWK;
  6.  the RP compares the computed JWK Thumbprint with the received JWK Thumbprint to confirm that they are equal.

One can see that the use of JWK Thumbprint URIs is both inefficient (in all cases) and a significant disadvantage (in some cases). If the JWK URI is transferred instead of the JWK and JWK Thumbprint URI then:

a) The SIOP will never need to create the JWK Thumbprint URI. The RP may only need to create the JWK Thumbprint if it needs this, for example, as a unique subject identifier. Even in this case, there is still an advantage to the RP in receiving the JWK URI instead of the JWK Thumbprint URI, in that the RP no longer needs to pre-agree a hashing algorithm with the SIOP. Thus the RP can independently determine which hashing algorithm to use when creating its own JWK Thumbprint. (Note: if the SIOP were able to canonicalise the same public key in a JWK in different ways and produce different thumbprints from the same public key, then the canonicalisation algorithm is broken, and the RP would never be able to deterministically produce the same thumbprints each time.)

b) In those cases where the SIOP uses ephemeral key pairs and a different public key each time it communicates with an RP, then neither party needs to produce the JWK Thumbprint as it will never be seen again. It is a significant disadvantage to have to use JWK Thumbprints in this case.

I therefore kindly request that the JWK Thumbprint URI document does not progress until the WG has had chance to compare and contrast the two methods.

Kind regards

David



This is a WG Last Call for this document:
https://www.ietf.org/archive/id/draft-ietf-oauth-jwk-thumbprint-uri-00.html

Please, provide your feedback on the mailing list by Feb 16th.

Regards,
 Rifaat & Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
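Two mechanics are described in the thread but never shown: David's account of how an RFC 7638 thumbprint is produced (canonicalise the JWK, hash the UTF-8 octets with a pre-agreed algorithm) together with his six-step SIOPv2 check, and Mike's description of the URI as the prefix “urn:ietf:params:oauth:jwk-thumbprint” concatenated to that thumbprint. The code below is an added example written for this page; it is not code from the draft, from the OpenID Foundation, or from any participant. Assumptions made here: the ":" separator between the prefix and the thumbprint and the `hash_name` parameter are mine, and the P-256 key is constructed, with placeholder coordinates rather than a genuine curve point (the thumbprint only hashes the JSON text of the required members, so the demonstration does not depend on a real key).

```python
"""RFC 7638 JWK Thumbprint, JWK Thumbprint URI, and the RP-side check.

Added example for this thread, not the draft's or any participant's code.
The URI prefix is the one quoted in the thread; the ':' separator and the
hash_name parameter are assumptions made here. SIOP_JWK is constructed and
its coordinates are placeholders, not a genuine P-256 point.
"""
import base64
import hashlib
import hmac
import json

# RFC 7638 section 3.2: the members hashed for each key type.
# (OKP is from RFC 8037, which applies the same rule to Ed25519/X25519 keys.)
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
    "OKP": ("crv", "kty", "x"),
}

THUMBPRINT_URI_PREFIX = "urn:ietf:params:oauth:jwk-thumbprint"

# Constructed SIOP public key. Member order is deliberately shuffled and the
# optional "kid"/"alg" are present to show that neither affects the thumbprint.
SIOP_JWK = {
    "kid": "ephemeral-2022-02-18",
    "y": "placeholder_y_coordinate_not_a_real_point_____",
    "alg": "ES256",
    "kty": "EC",
    "x": "placeholder_x_coordinate_not_a_real_point_____",
    "crv": "P-256",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """Build the RFC 7638 hash input: required members only, lexicographically
    ordered, no whitespace. Dropping optional members and fixing the order is
    what lets sender and receiver hash identical octets."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty {kty!r}")
    members = {}
    for name in REQUIRED_MEMBERS[kty]:
        if name not in jwk:
            raise ValueError(f"{kty} JWK is missing required member {name!r}")
        members[name] = jwk[name]
    return json.dumps(members, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False)


def jwk_thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """Hash the UTF-8 octets of the canonical JSON with the agreed algorithm."""
    digest = hashlib.new(hash_name, canonical_jwk(jwk).encode("utf-8")).digest()
    return b64url(digest)


def jwk_thumbprint_uri(jwk: dict, hash_name: str = "sha256") -> str:
    """SIOP side (steps 1-2): prefix the thumbprint as the draft describes."""
    return f"{THUMBPRINT_URI_PREFIX}:{jwk_thumbprint(jwk, hash_name)}"


def rp_verify(jwk: dict, received_uri: str, hash_name: str = "sha256") -> bool:
    """RP side (steps 4-6): recompute the thumbprint from the received JWK and
    compare it with the one carried in the URI. Fails if the URI is not a JWK
    Thumbprint URI, if the key does not match, or if the RP hashes with a
    different algorithm than the SIOP did (the pre-agreement David raises)."""
    marker = THUMBPRINT_URI_PREFIX + ":"
    if not received_uri.startswith(marker):
        return False
    received = received_uri[len(marker):]
    try:
        expected = jwk_thumbprint(jwk, hash_name)
    except ValueError:
        return False
    return hmac.compare_digest(received.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    uri = jwk_thumbprint_uri(SIOP_JWK)
    print("hash input:", canonical_jwk(SIOP_JWK))
    print("URI:       ", uri)
    print("RP check with SHA-256:", rp_verify(SIOP_JWK, uri))
    print("RP check with SHA-512:", rp_verify(SIOP_JWK, uri, "sha512"))
```

The last check in the `__main__` block is the point behind David's comment (a): an RP that hashes with a different algorithm cannot verify the URI, so sender and receiver must agree on one out of band. The published RFC 9278 later resolved this by naming the hash algorithm inside the URI itself.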