X5t is targeted to having an identifier of an X.509 certificate. Kids can be whatever the application decides they should be: sequential numbers, hashes of keys, randomly generated numbers, text strings that are meaningful to the user, file names, MS Crypto Library key identification information.

Jim

From: jose [mailto:[email protected]] On Behalf Of Adam Lewis
Sent: Wednesday, April 08, 2015 8:51 AM
To: John Bradley
Cc: [email protected]
Subject: Re: [jose] Usage of kid vs. x5t

Hi John

So as I interpret your response, the trade-off is that kid is more flexible as it may be used for key types other than RSA (e.g. symmetric keys) whereas x5t is more efficient if the implementation will be limited to RSA keys. Fair summary?

adam

On Mon, Apr 6, 2015 at 10:35 AM, John Bradley <[email protected]> wrote:

kid is a generic name that can be looked up in local key stores for any sort of key, and its value is determined by the signer as part of key exchange.

x5t indicates that it is a thumbprint that can be calculated based on the public key and doesn't need to be communicated separately. Some keystores have a specific API to find RSA public keys based on the x5t value.

They both assume that the recipient has the key in some sort of local keystore or some other way to go and retrieve the key remotely by getting a JWKS.

One way to look at it is that x5t and x5t#S256 are specific ways to create a collision resistant kid. Knowing the alg used lets you do some extra things to optimize looking it up.

John B.

> On Apr 6, 2015, at 7:44 AM, Adam Lewis <[email protected]> wrote:
>
> Hi,
>
> The difference of when to use kid vs. x5t to identify the JWT signing key is not obvious to me. On the surface they seem to do the same thing (e.g. identify to the party validating the signature which key to use to validate it, allow the public key to be retrieved from an endpoint if the party doesn't already have it).
>
> But JWS defines both, so I'm guessing that there is a subtle difference that I am missing here?
>
> adam
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
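The distinction the thread draws, a kid that the signer assigns and must be agreed out of band versus an x5t / x5t#S256 thumbprint that any holder of the certificate can recompute, is shown below in an added Python example. It is not code from the thread or from any JOSE library: the certificate bytes are a constructed placeholder rather than real DER, and the KeyStore class is hypothetical. The thumbprint functions follow RFC 7515 (x5t is base64url of the SHA-1 of the DER-encoded certificate, x5t#S256 the same with SHA-256), and the resolver refuses a header whose identifiers point at different keys, which is what treating a thumbprint as a collision-resistant kid buys you on the verifying side.

```python
import base64
import hashlib
from typing import Any, Dict, Optional


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding JOSE uses for header values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def x5t(cert_der: bytes) -> str:
    """'x5t' header value: base64url(SHA-1(DER-encoded X.509 certificate))."""
    return b64url(hashlib.sha1(cert_der).digest())


def x5t_s256(cert_der: bytes) -> str:
    """'x5t#S256' header value: base64url(SHA-256(DER-encoded X.509 certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())


# Constructed placeholder standing in for a certificate's DER bytes; real code
# would read the file. Thumbprints are computed over the bytes, so any bytes do.
CERT_DER = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-DER-CERTIFICATE"


class KeyStore:
    """Hypothetical local keystore indexed the three ways a JWS header can name a key."""

    def __init__(self) -> None:
        self._by_kid: Dict[str, Any] = {}
        self._by_x5t: Dict[str, Any] = {}
        self._by_x5t_s256: Dict[str, Any] = {}

    def add(self, key: Any, kid: Optional[str] = None, cert_der: Optional[bytes] = None) -> None:
        # 'kid' is whatever the application chose; signer and verifier must share it.
        if kid is not None:
            self._by_kid[kid] = key
        # Thumbprints need no agreement: they are derived from the certificate itself.
        if cert_der is not None:
            self._by_x5t[x5t(cert_der)] = key
            self._by_x5t_s256[x5t_s256(cert_der)] = key

    def resolve(self, header: Dict[str, str]) -> Optional[Any]:
        """Return the verification key a JWS protected header names, or None."""
        candidates = []
        if "x5t#S256" in header:
            candidates.append(self._by_x5t_s256.get(header["x5t#S256"]))
        if "x5t" in header:
            candidates.append(self._by_x5t.get(header["x5t"]))
        if "kid" in header:
            candidates.append(self._by_kid.get(header["kid"]))
        if not candidates:
            return None  # header names no key at all
        first = candidates[0]
        # Every identifier present must resolve, and to the same key; otherwise
        # the header is inconsistent and the token should not be verified with it.
        if first is None or any(c != first for c in candidates):
            return None
        return first


def demo() -> Dict[str, Any]:
    """Build a store with one RSA key (labelled by a string here) and resolve three headers."""
    store = KeyStore()
    store.add("rsa-public-key-1", kid="signing-key-2015-04", cert_der=CERT_DER)
    return {
        "by_thumbprint": store.resolve({"alg": "RS256", "x5t#S256": x5t_s256(CERT_DER)}),
        "by_kid": store.resolve({"alg": "RS256", "kid": "signing-key-2015-04"}),
        # kid and x5t disagree: rejected even though the x5t alone would have matched
        "inconsistent": store.resolve({"alg": "RS256", "kid": "other", "x5t": x5t(CERT_DER)}),
    }


if __name__ == "__main__":
    print("x5t      =", x5t(CERT_DER))
    print("x5t#S256 =", x5t_s256(CERT_DER))
    print(demo())
```

Symmetric keys have no certificate, so for them only the kid path exists, which is the flexibility Adam's summary points at; for certificate-backed keys the thumbprint paths let a verifier index its store without any prior agreement on naming.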
