The thumbprint includes the algorithm but not the usage restrictions. A practical certificate would certainly include "trusted for ..." constraints. Simply not having to store the kid since a substitute can be computed from the actual key material is advantage enough for me.
On Mon, Apr 14, 2014 at 4:38 PM, Jim Schaad <[email protected]> wrote:
> I would have problems with that if it did not come with additional
> restrictions on the key that I might want to additionally state - such as
> restricting the key to be used with specific algorithms or key usages.
>
>> -----Original Message-----
>> From: Daniel Holth [mailto:[email protected]]
>> Sent: Monday, April 14, 2014 1:39 PM
>> To: Jim Schaad
>> Cc: Mike Jones; jose
>> Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification
>>
>> For me the finger/thumbprint is something you could sign as part of an "I
>> trust this key" assertion since it is a property of a specific key rather
>> than an arbitrary association.
>>
>> On Mon, Apr 14, 2014 at 4:06 PM, Jim Schaad <[email protected]> wrote:
>> > What are the practical benefits for this over using the kid parameter?
>> >
>> > Jim
>> >
>> > From: jose [mailto:[email protected]] On Behalf Of Mike Jones
>> > Sent: Thursday, April 10, 2014 5:50 PM
>> > To: [email protected]
>> > Subject: [jose] JSON Web Key (JWK) Thumbprint Specification
>> >
>> > I created a new simple spec that defines a way to create a thumbprint
>> > of an arbitrary key, based upon its JWK representation. The abstract
>> > of the spec is:
>> >
>> > This specification defines a means of computing a thumbprint value (a.k.a.
>> > digest) of JSON Web Key (JWK) objects analogous to the x5t (X.509
>> > Certificate SHA-1 Thumbprint) value defined for X.509 certificate objects.
>> > This specification also registers the new JSON Web Signature (JWS) and
>> > JSON Web Encryption (JWE) Header Parameters and the new JSON Web Key
>> > (JWK) member name jkt (JWK SHA-256 Thumbprint) for holding these values.
>> >
>> > The desire for this came up in an OpenID Connect context, but it's of
>> > general applicability, so I decided to submit the spec to the JOSE
>> > working group. Thanks to James Manger, John Bradley, and Nat Sakimura
>> > for the discussions that led up to this spec.
>> >
>> > The specification is available at:
>> > http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00
>> >
>> > An HTML formatted version is also available at:
>> > https://self-issued.info/docs/draft-jones-jose-jwk-thumbprint-00.html
>> >
>> > -- Mike
>> >
>> > P.S. I also posted this notice at http://self-issued.info/?p=1213 and
>> > as @selfissued.
>> >
>> > _______________________________________________
>> > jose mailing list
>> > [email protected]
>> > https://www.ietf.org/mailman/listinfo/jose
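The thumbprint computation the draft describes, as an added example that is not part of this thread or of the draft itself. It assumes the canonicalization later standardized in RFC 7638 (only the required JWK members, ordered lexicographically, no whitespace, SHA-256, unpadded base64url); whether draft-00 matched that rule exactly is not shown on this page. The sample key is constructed. Because kid, use and alg are not hashed, the thumbprint identifies the key material alone, which is exactly why it cannot carry the usage restrictions Jim asks about.

```python
"""JWK thumbprint: a digest over the key material only, not its metadata."""
import base64
import hashlib
import json

# Required members per key type (assumption: the RFC 7638 rule). Everything
# else - kid, use, alg, key_ops, x5c ... - is deliberately left out, so the
# thumbprint is a property of the key itself, not of any restriction on it.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def canonical_jwk(jwk: dict) -> str:
    """Serialize only the required members, sorted by code point, no whitespace."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    missing = [m for m in REQUIRED_MEMBERS[kty] if m not in jwk]
    if missing:
        raise ValueError(f"JWK is missing required members: {missing}")
    subset = {m: jwk[m] for m in REQUIRED_MEMBERS[kty]}
    # sort_keys orders by Unicode code point; separators remove all whitespace.
    return json.dumps(subset, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False)


def jwk_thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """Hash the canonical form and return it as unpadded base64url (a jkt value)."""
    digest = hashlib.new(hash_name, canonical_jwk(jwk).encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    # Constructed sample: a symmetric key with identifier and usage metadata.
    key = {"kty": "oct", "kid": "2014-04-14", "use": "sig", "alg": "HS256",
           "k": "GawgguFyGrWKav7AX4VKUg"}
    print(canonical_jwk(key))   # metadata members are gone
    print(jwk_thumbprint(key))  # same value with or without kid/use/alg
```

Stripping kid, use and alg before hashing is the point of the discussion above: two JWKs that differ only in those members yield the same thumbprint, so any "trusted for ..." constraint has to travel in a separate, signed assertion about the thumbprint rather than inside it.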
