Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribution-01 and Open Issues

Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 05 March 2015 12:43 UTC

Message-ID: <54F84F69.2090408@gmx.net>
Date: Thu, 05 Mar 2015 13:43:21 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: John Bradley <ve7jtb@ve7jtb.com>
References: <54F81ADA.3000203@gmx.net> <0B09DB9C-CB26-448D-AE4B-F50E37C2560A@ve7jtb.com> <54F83F32.3040305@gmx.net> <FE8540FB-5CF6-4B1F-9C07-21638865AB17@ve7jtb.com>
In-Reply-To: <FE8540FB-5CF6-4B1F-9C07-21638865AB17@ve7jtb.com>
OpenPGP: id=4D776BC9
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/AyMfpWCMrgeg1XhVOvWN6HxKRl4>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribution-01 and Open Issues

Hi John,

That's a good idea. However, the dynamic client registration should
state that the "kid" parameter is used and must be included in the JWK
(since the kid is an optional parameter).

The key name is then the 'kid' plus the client id since the value of the
kid is not unique by itself.

Ciao
Hannes

On 03/05/2015 12:54 PM, John Bradley wrote:
> For signing authentication requests you include the keyid in the JWT, and the AS looks in the JWKS to find the correct key if there is more than one.
> 
> I don't think that is a problem.
> 
> What we probably need to do is pass a keyid in the request if there is more than one signing key registered for the client.
> 
> John B.
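The key-naming rule discussed above (kid required at registration, key looked up by client id plus kid, kid needed in the request only when more than one key is registered), as an added illustration that is not part of this thread or of the draft. The registry contents, the function names and the check that a kid is unique within one client's JWKS are assumptions of this example.

```python
from typing import Optional

# Constructed sample registry: JWKS per client_id. Both clients use the
# kid "k1", which is why the kid alone cannot name a key.
REGISTERED_JWKS = {
    "client-a": {"keys": [
        {"kty": "EC", "crv": "P-256", "kid": "k1", "x": "Ax", "y": "Ay"},
        {"kty": "EC", "crv": "P-256", "kid": "k2", "x": "Bx", "y": "By"},
    ]},
    "client-b": {"keys": [{"kty": "RSA", "kid": "k1", "n": "Cn", "e": "AQAB"}]},
}


def validate_registration(jwks: dict) -> list:
    """Problems with a JWKS submitted at dynamic client registration.

    'kid' is optional in RFC 7517, so registration has to require it and
    require it to be unique within this client's set. Empty list = OK.
    """
    problems, seen = [], set()
    for i, jwk in enumerate(jwks.get("keys", [])):
        kid = jwk.get("kid")
        if not kid:
            problems.append(f"key #{i} has no kid")
        elif kid in seen:
            problems.append(f"duplicate kid {kid!r} within one client")
        seen.add(kid)
    return problems


def resolve_key(client_id: str, kid: Optional[str]) -> dict:
    """Look up the key named by (client_id, kid).

    With one registered key the kid may be omitted; with several it is
    required, otherwise the AS cannot tell which key to verify against.
    """
    keys = REGISTERED_JWKS.get(client_id, {}).get("keys", [])
    if not keys:
        raise LookupError(f"no keys registered for {client_id!r}")
    if kid is None:
        if len(keys) == 1:
            return keys[0]
        raise LookupError(f"{client_id!r} has {len(keys)} keys; kid required")
    for jwk in keys:
        if jwk.get("kid") == kid:
            return jwk
    raise LookupError(f"no key {kid!r} registered for {client_id!r}")
```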