And to me all this sounds like is that there should be a document which says - this is one way to compute a kid value and then let the application say that this will be the way to do it. Much like how SPKIs are done for X.509 certificates today.
Jim From: John Bradley [mailto:[email protected]] Sent: Monday, April 14, 2014 2:02 PM To: Jim Schaad Cc: Michael Jones; [email protected] Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification kid is just a name for a key. The thumbprint is a way to refer to a key in a signed message without having to send the entire key. This is useful in OpenID Connect for calculating a synthetic subject based on the public key of a self signed JWT. It is also useful in proof of possession scenarios where it may be sufficient to include a hash of the public key needed for the proof in the assertion rather than the whole key each time. The problem with kid is that in the PoP case you would need a out of band way to transfer the key sot of defeating the benefit of stateless tokens. So it is a sort of kid but one that is unique to a given key in a collision resistant way. John B. On Apr 14, 2014, at 5:06 PM, Jim Schaad <[email protected]> wrote: What are the practical benefits for this over using the kid parameter? Jim From: jose [mailto:[email protected]] On Behalf Of Mike Jones Sent: Thursday, April 10, 2014 5:50 PM To: [email protected] Subject: [jose] JSON Web Key (JWK) Thumbprint Specification I created a new simple spec that defines a way to create a thumbprint of an arbitrary key, based upon its JWK representation. The abstract of the spec is: This specification defines a means of computing a thumbprint value (a.k.a. digest) of JSON Web Key (JWK) objects analogous to the x5t (X.509 Certificate SHA-1 Thumbprint) value defined for X.509 certificate objects. This specification also registers the new JSON Web Signature (JWS) and JSON Web Encryption (JWE) Header Parameters and the new JSON Web Key (JWK) member name jkt(JWK SHA-256 Thumbprint) for holding these values. The desire for this came up in an OpenID Connect context, but it's of general applicability, so I decided to submit the spec to the JOSE working group. Thanks to James Manger, John Bradley, and Nat Sakimura for the discussions that led up to this spec. The specification is available at: . <http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00> http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00 An HTML formatted version is also available at: . <https://self-issued.info/docs/draft-jones-jose-jwk-thumbprint-00.html> https://self-issued.info/docs/draft-jones-jose-jwk-thumbprint-00.html -- Mike P.S. I also posted this notice at <http://self-issued.info/?p=1213> http://self-issued.info/?p=1213 and as @selfissued. _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
