Re: [OAUTH-WG] [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri

Vladimir Dzhuvinov <> Wed, 15 January 2020 20:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0311112088C for <>; Wed, 15 Jan 2020 12:53:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8cSZAg6VkQTm for <>; Wed, 15 Jan 2020 12:53:03 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3EA6B120288 for <>; Wed, 15 Jan 2020 12:53:03 -0800 (PST)
Received: from [] ([]) by :SMTPAUTH: with ESMTPSA id rpeui5tHgQTQBrpevi1oz5; Wed, 15 Jan 2020 13:53:02 -0700
References: <> <> <> <>
From: Vladimir Dzhuvinov <>
Organization: Connect2id Ltd.
Message-ID: <>
Date: Wed, 15 Jan 2020 22:53:00 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms050508000100030506040607"
X-CMAE-Envelope: MS4wfIsqhl7DlMgnAFUEkwcIdt4/yO+G+FeMxxmWEkM3+peoGPMe4G2zqsvsNAa1C1IIJC6HSpMcEjX36KOBO4XbvGTANcNwV474cX9oz4E+vf7mzSy4Txi2 p2ojx/KXWVZELc0afXcN7BNT4WI5cQX/uPRy23um7PueSTzSAwENQZKY
Archived-At: <>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 15 Jan 2020 20:53:05 -0000

On 14/01/2020 04:25, Justin Richer wrote:
> It would’ve been nice if JWK could’ve agreed on a URL-based addressing
> format for individual keys within the set, but that ship’s sailed.

For querying / selecting JWKs from a set this would have been a useful
addition to the spec.

But I don't see how such an URL can help us to identify a single JWK in
a set, given the possibility to have multiple JWKs with the same "kid".

I.e. if we do "", there is no
guarantee for a single key. Even if we add additional query params, like
use, alg, etc, none of them guarantees a unique JWK identification.

I like the utility of that though.