[OAUTH-WG] HTTPS JWKS style key rotation for SAML/XML-DSig

Brian Campbell <bcampbell@pingidentity.com> Fri, 26 June 2015 15:43 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 26 Jun 2015 09:43:26 -0600
Message-ID: <CA+k3eCSfX1_DO+bwNx1RdPPpfkFPr1JJNXb3m8P9Xt_6x111EQ@mail.gmail.com>
To: "<openid-specs-ab@lists.openid.net>" <openid-specs-ab@lists.openid.net>, oauth <oauth@ietf.org>, "jose@ietf.org" <jose@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/OOdST63qS8mS2mOcezJPEzJItno>
Subject: [OAUTH-WG] HTTPS JWKS style key rotation for SAML/XML-DSig

This document <https://goo.gl/6uWxT7>[0] was something done during the
course of some work a few months ago - it briefly proposes how a JWK Key ID
can be used within an XML Signature to convey to the recipient what key was
used to sign the XML and thusly what key to use to verify the signature. It's
not rocket surgery but maybe a useful thing to codify, which might help
with migration and coexistence of older and newer protocols.

Anyway, no action required or even suggested here. I just wanted to put the
idea out there and the mailing lists of a few of these (sorta) related WGs
seemed as good a place as any.

[0] https://goo.gl/6uWxT7
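Added illustration, not from the linked document or the author: the recipient-side key selection this idea enables, with the JWK `kid` carried in the signature's KeyInfo and resolved against a cached JWKS that is re-fetched once when an unknown `kid` appears (the usual JWKS rotation pattern). It assumes the `kid` travels in a `ds:KeyName` element; the JWKS documents, the signed XML and the `make_fetch` stand-in for the HTTPS fetch are constructed here.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed JWKS snapshots: the cached copy, and the copy served after rotation.
# "n" values are placeholders, not real moduli.
JWKS_CACHED = {"keys": [
    {"kty": "RSA", "kid": "2015-05", "use": "sig", "n": "placeholder-old", "e": "AQAB"}]}
JWKS_ROTATED = {"keys": [
    {"kty": "RSA", "kid": "2015-05", "use": "sig", "n": "placeholder-old", "e": "AQAB"},
    {"kty": "RSA", "kid": "2015-06", "use": "sig", "n": "placeholder-new", "e": "AQAB"}]}

# Constructed signed XML; the kid is assumed to ride in ds:KeyName (not from the page).
SIGNED_XML = (
    '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">'
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo/>'
    '<SignatureValue>c2lnbmF0dXJl</SignatureValue>'
    '<KeyInfo><KeyName>2015-06</KeyName></KeyInfo></Signature></Assertion>')


def make_fetch(*docs):
    """Stand-in for fetching the HTTPS JWKS URL: serves docs in order, then repeats the last."""
    queue = list(docs)
    return lambda: queue.pop(0) if len(queue) > 1 else queue[0]


def kid_from_signature(xml_text):
    """Extract the key identifier from ds:Signature/ds:KeyInfo/ds:KeyName."""
    root = ET.fromstring(xml_text)
    name = root.find(f".//{DS}Signature/{DS}KeyInfo/{DS}KeyName")
    if name is None or not (name.text or "").strip():
        raise ValueError("signature carries no key identifier")
    return name.text.strip()


class KidResolver:
    """Maps a kid to a trusted JWK; only keys from the JWKS endpoint are ever used."""

    def __init__(self, fetch):
        self._fetch = fetch
        self._keys = self._index(fetch())
        self.refreshes = 0  # exposed so callers can rate-limit refreshes in real deployments

    @staticmethod
    def _index(jwks):
        return {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k and k.get("use", "sig") == "sig"}

    def resolve(self, kid):
        key = self._keys.get(kid)
        if key is None:  # unknown kid: the signer may have rotated, so re-fetch exactly once
            self.refreshes += 1
            self._keys = self._index(self._fetch())
            key = self._keys.get(kid)
        if key is None:  # still unknown after refresh: reject, never fall back to KeyInfo material
            raise LookupError(f"no trusted key for kid {kid!r}")
        return key
```

The returned JWK is what the XML Signature verification step would be handed; that step itself (canonicalization and signature check) is not shown here.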