Re: [OAUTH-WG] [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri

Vladimir Dzhuvinov <vladimir@connect2id.com> Wed, 15 January 2020 20:53 UTC

Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0311112088C for <oauth@ietfa.amsl.com>; Wed, 15 Jan 2020 12:53:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8cSZAg6VkQTm for <oauth@ietfa.amsl.com>; Wed, 15 Jan 2020 12:53:03 -0800 (PST)
Received: from p3plsmtpa07-08.prod.phx3.secureserver.net (p3plsmtpa07-08.prod.phx3.secureserver.net [173.201.192.237]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3EA6B120288 for <oauth@ietf.org>; Wed, 15 Jan 2020 12:53:03 -0800 (PST)
Received: from [192.168.88.250] ([94.155.17.54]) by :SMTPAUTH: with ESMTPSA id rpeui5tHgQTQBrpevi1oz5; Wed, 15 Jan 2020 13:53:02 -0700
To: oauth@ietf.org
References: <CAD9ie-vRsL9ey2LDNoaWkapRUewS_c1S0r3QCcqJLmJ5KqKsGw@mail.gmail.com> <5F7A3816-AC9B-4BA2-9D91-CF89109B6788@forgerock.com> <CAD9ie-uebUCw5vxELPXQvQSY3Z3T2dNJGOpzEQ8cMgZcCOu+tg@mail.gmail.com> <79DF80DA-6682-4F25-A02A-B4137053FD8A@mit.edu>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <6fab97c9-e9bb-58f8-ba14-22307e35bfcf@connect2id.com>
Date: Wed, 15 Jan 2020 22:53:00 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
MIME-Version: 1.0
In-Reply-To: <79DF80DA-6682-4F25-A02A-B4137053FD8A@mit.edu>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms050508000100030506040607"
X-CMAE-Envelope: MS4wfIsqhl7DlMgnAFUEkwcIdt4/yO+G+FeMxxmWEkM3+peoGPMe4G2zqsvsNAa1C1IIJC6HSpMcEjX36KOBO4XbvGTANcNwV474cX9oz4E+vf7mzSy4Txi2 p2ojx/KXWVZELc0afXcN7BNT4WI5cQX/uPRy23um7PueSTzSAwENQZKY
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hVhCWqq7OY9lSCneGD3uJRS_7H4>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jan 2020 20:53:05 -0000

On 14/01/2020 04:25, Justin Richer wrote:
> It would’ve been nice if JWK could’ve agreed on a URL-based addressing
> format for individual keys within the set, but that ship’s sailed.

For querying / selecting JWKs from a set this would have been a useful
addition to the spec.

But I don't see how such an URL can help us to identify a single JWK in
a set, given the possibility to have multiple JWKs with the same "kid".

I.e. if we do "https://example.com/jwks.json?kid=xyz", there is no
guarantee for a single key. Even if we add additional query params, like
use, alg, etc, none of them guarantees a unique JWK identification.

I like the utility of that though.

Vladimir