Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribution-01 and Open Issues

John Bradley <ve7jtb@ve7jtb.com> Thu, 05 March 2015 12:58 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/CGo2muhnT9Gy8Q8tMGVYY9w53Fk>

I am OK with saying that the JWK must have a keyid if there is more than one key and it SHOULD if there is only one.

> On Mar 5, 2015, at 1:43 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> 
> Hi John,
> 
> that's a good idea. However, the dynamic client registration should
> state that the "kid" parameter is used and must be included in the JWK
> (since the kid is an optional parameter).
> 
> The key name is then the 'kid' plus the client id since the value of the
> kid is not unique by itself.
> 
> Ciao
> Hannes
> 
>> On 03/05/2015 12:54 PM, John Bradley wrote:
>> For signing authentication requests you include the keyid in the JWT, and the AS looks in the JWKS to find the correct key if there is more than one.
>> 
>> I don't think that is a problem.
>> 
>> What we probably need to do is pass a keyid in the request if there is more than one signing key registered for the client.
>> 
>> John B.
>
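
The rule this thread converges on, as an added example that is not part of the original messages or of the draft: a registration check that requires `kid` when a client registers more than one key, and a lookup that names each key by client id plus `kid`. The function names, the in-memory store and the sample JWKs are assumptions made for illustration.

```python
class KeyRegistrationError(ValueError):
    """Raised when a client's JWK Set breaks the kid rules discussed above."""

def register_client(store, client_id, jwks):
    """Validate a JWK Set at registration and index it by (client_id, kid).

    Returns a list of warnings for SHOULD-level findings."""
    keys = jwks.get("keys", [])
    if not keys:
        raise KeyRegistrationError("JWK Set contains no keys")
    kids = [jwk.get("kid") for jwk in keys]
    warnings = []
    if len(keys) > 1:
        # More than one key: every JWK MUST carry a kid, unique within the set.
        if any(not kid for kid in kids):
            raise KeyRegistrationError("kid is required when several keys are registered")
        if len(set(kids)) != len(kids):
            raise KeyRegistrationError("duplicate kid within one client's JWK Set")
    elif not kids[0]:
        # Single key: kid SHOULD be present, so accept the key but report it.
        warnings.append("single key registered without kid")
    for jwk, kid in zip(keys, kids):
        # kid is not unique across clients, so the key name is client_id plus kid.
        store[(client_id, kid or None)] = jwk
    return warnings

def find_key(store, client_id, kid=None):
    """Return the JWK for a request, or None if the named key is unknown."""
    if kid is not None:
        return store.get((client_id, kid))
    candidates = [jwk for (cid, _), jwk in store.items() if cid == client_id]
    if len(candidates) == 1:
        return candidates[0]  # unambiguous: only one key registered
    raise LookupError(f"kid required: {len(candidates)} keys registered for {client_id}")

# Constructed sample data: placeholder values, not real key material.
KEY_A1 = {"kty": "EC", "crv": "P-256", "kid": "1", "x": "constructed-a1"}
KEY_A2 = {"kty": "EC", "crv": "P-256", "kid": "2", "x": "constructed-a2"}
KEY_B1 = {"kty": "EC", "crv": "P-256", "kid": "1", "x": "constructed-b1"}

def demo():
    """Register two clients that both use kid "1" for different keys."""
    store = {}
    register_client(store, "client-a", {"keys": [KEY_A1, KEY_A2]})
    register_client(store, "client-b", {"keys": [KEY_B1]})
    return store

if __name__ == "__main__":
    s = demo()
    print(find_key(s, "client-a", "1")["x"], find_key(s, "client-b", "1")["x"])
```
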