Re: [OAUTH-WG] JWK Thumbprint URI Specification

David Chadwick <D.W.Chadwick@kent.ac.uk> Wed, 24 November 2021 20:36 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/v-aYNka7Ex5Vhox6GhBnFOTsD78>

On 24/11/2021 20:07, Mike Jones wrote:

The JSON Web Key (JWK) Thumbprint specification [RFC 7638] (https://www.rfc-editor.org/rfc/rfc7638.html) defines a method for computing a hash value over a JSON Web Key (JWK) [RFC 7517] (https://www.rfc-editor.org/rfc/rfc7517.html) and encoding that hash in a URL-safe manner. Kristina Yasuda (https://twitter.com/kristinayasuda) and I have just created the JWK Thumbprint URI specification (https://www.ietf.org/archive/id/draft-jones-oauth-jwk-thumbprint-uri-00.html), which defines how to represent JWK Thumbprints as URIs. This enables JWK Thumbprints to be communicated in contexts requiring URIs, including in specific JSON Web Token (JWT) [RFC 7519] (https://www.rfc-editor.org/rfc/rfc7519.html) claims.

My immediate observation is why are you sending the thumbprint of the JSON Web Key and not sending the actual key value in the URI?

Sending the thumbprint means the recipient still has to have some other way of obtaining the actual public key, whereas sending the public key as a URI means that no other way is needed.

Kind regards

David


Use cases for this specification were developed in the OpenID Connect Working Group (https://openid.net/wg/connect/) of the OpenID Foundation. Specifically, its use is planned in future versions of the Self-Issued OpenID Provider v2 specification (https://openid.net/specs/openid-connect-self-issued-v2-1_0.html).

The specification is available at:

·    https://www.ietf.org/archive/id/draft-jones-oauth-jwk-thumbprint-uri-00.html

                                                       -- Mike

P.S.  This note was also published at https://self-issued.info/?p=2211 and as @selfissued (https://twitter.com/selfissued/).


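An added example, not part of either message or of the draft: a Python sketch of the RFC 7638 thumbprint computation discussed in this thread, plus the check a recipient holding only a thumbprint must make after obtaining candidate keys some other way. The function names and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Required members per key type (RFC 7638 section 3.2; OKP per RFC 8037).
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
    "OKP": ("crv", "kty", "x"),
}


def jwk_thumbprint(jwk, hash_name="sha256"):
    """Return the base64url (unpadded) RFC 7638 thumbprint of a JWK dict."""
    names = REQUIRED_MEMBERS.get(jwk.get("kty"))
    if names is None:
        raise ValueError("unsupported or missing kty")
    if any(not isinstance(jwk.get(n), str) for n in names):
        raise ValueError("required member missing or not a string")
    # Only required members, sorted by name, no whitespace: optional members
    # such as kid/use/alg never influence the hash.
    canonical = json.dumps({n: jwk[n] for n in names},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.new(hash_name, canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def select_key(expected_thumbprint, candidate_jwks):
    """Return the first candidate whose thumbprint matches, else None."""
    for jwk in candidate_jwks:
        try:
            actual = jwk_thumbprint(jwk)
        except ValueError:
            continue  # malformed candidate: never a match
        if hmac.compare_digest(actual, expected_thumbprint):
            return jwk
    return None


# Constructed sample keys (placeholder coordinates, not real key material).
KEY_A = {"kty": "EC", "crv": "P-256", "x": "QUFBQQ", "y": "QkJCQg"}
KEY_A_DECORATED = {"kid": "a-1", "use": "sig", "y": "QkJCQg", "x": "QUFBQQ",
                   "crv": "P-256", "kty": "EC"}
KEY_B = {"kty": "EC", "crv": "P-256", "x": "Q0NDQw", "y": "RERERA"}

if __name__ == "__main__":
    tp = jwk_thumbprint(KEY_A)
    print(tp, select_key(tp, [KEY_B, KEY_A_DECORATED]) is KEY_A_DECORATED)
```

A key fetched from an untrusted location is accepted only if its recomputed thumbprint equals the one received over the trusted channel; a key that was swapped in yields a different hash and is rejected.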