Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribution-01 and Open Issues
Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 05 March 2015 13:04 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 778AA1A01BA for <oauth@ietfa.amsl.com>; Thu, 5 Mar 2015 05:04:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.769
X-Spam-Level:
X-Spam-Status: No, score=-1.769 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_SBL=0.141, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y-DKj-guSlMp for <oauth@ietfa.amsl.com>; Thu, 5 Mar 2015 05:04:31 -0800 (PST)
Received: from mout-xforward.gmx.net (mout-xforward.gmx.net [82.165.159.40]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8136F1A01A9 for <oauth@ietf.org>; Thu, 5 Mar 2015 05:04:31 -0800 (PST)
Received: from [192.168.131.142] ([80.92.121.102]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0LqE5k-1Xq1td1jiy-00dnWZ; Thu, 05 Mar 2015 14:04:29 +0100
Message-ID: <54F8545B.4010602@gmx.net>
Date: Thu, 05 Mar 2015 14:04:27 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: John Bradley <ve7jtb@ve7jtb.com>
References: <54F81ADA.3000203@gmx.net> <0B09DB9C-CB26-448D-AE4B-F50E37C2560A@ve7jtb.com> <54F83F32.3040305@gmx.net> <FE8540FB-5CF6-4B1F-9C07-21638865AB17@ve7jtb.com> <54F84F69.2090408@gmx.net>
In-Reply-To: <54F84F69.2090408@gmx.net>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="PLUW15DTSWMSuwXwMNvm36bHfgHODLUBd"
X-Provags-ID: V03:K0:kI2xXLkugIU+gxVyQ3Bq20kkmDlSkRsVaTTpmdMOZzivNqEKBf4 SuDAf3+klDAezl1I0ROdt2zEXF9h2HWyqXdWUUME4kR/aew9ZCp6fzvEcs9mR+RoE/JcNNz qZexntxu291iv70XslcuL4HYltpYNzgaJJ+81haajjcsyH8zodzkTcY5WF/hprsEqDDouFe y6vdM6PK2H1QatO8AnKqg==
X-UI-Out-Filterresults: junk:10;
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/SaWoMwfOPA68VpAbSC9cfw6ba7Y>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribution-01 and Open Issues
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2015 13:04:37 -0000
Actually, I am not sure my statement below is actually correct. We need to distinguish the case where the client id is unique per client software instance and when it isn't. If the client id is shared by multiple client software instances then how do we make sure that clients aren't uploading keys that either have no kid or have an kid that is not unique (since they don't know about the existence of other client instances or that other client instances have already uploaded a jwk with the same kid). Any idea how to address that problem? Ciao Hannes On 03/05/2015 01:43 PM, Hannes Tschofenig wrote: > Hi John, > > that's a good idea. However, the dynamic client registration should > state that the "kid" parameter is used and must be included in the JWK > (since the kid is an optional parameter). > > The key name is then the 'kid' plus the client id since the value of the > kid is not unique by itself. > > Ciao > Hannes > > On 03/05/2015 12:54 PM, John Bradley wrote: >> For signing authentication requests you include the keyid in the JWT, and the AS looks in the JWKS to find the correct key if there is more than one. >> >> I don't think that is a problem >> >> What we probably need to do is pass a keyid in the request if there is more than one signing key registered for the client. >> >> John B. >
- [OAUTH-WG] draft-ietf-oauth-pop-key-distribution-… Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribut… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribut… Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribut… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribut… Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribut… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribut… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribut… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribut… Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribut… Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribut… Hannes Tschofenig