> If a server needs to verify, it can literally iterate over all of the keys
> associated with the client until it finds the right one.

Depending on how the server stored the keys, this can be a very expensive operation w/o a key_id to match/index on.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Brian Eaton
Sent: Tuesday, June 22, 2010 9:43 AM
To: Dick Hardt; [email protected]
Cc: OAuth WG
Subject: Re: [OAUTH-WG] proposal for signatures

On Tue, Jun 22, 2010 at 7:17 AM, Dick Hardt <[email protected]> wrote:
>> Thanks for writing this. A few questions...
>>
>> Do we need both `issuer` and `key_id`? Shouldn't we use `client_id`
>> instead at least for OAuth?
>
> it is the ID of the key, not the client -- used to rollover keys

I don't think key id is necessary, but adding Hannes since he called me crazy for saying that at IIW. =)

The average client is going to have very few keys. Probably just 1. 3 at the outside. If a server needs to verify, it can literally iterate over all of the keys associated with the client until it finds the right one.

There is some precedent for this approach: http://support.microsoft.com/kb/906305/en-us.

Cheers,
Brian

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
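
Added example, not part of the original thread or of any OAuth draft: the two verification strategies discussed above, side by side, counting how many MAC computations the server performs for each. HMAC-SHA256, the key ids, the secrets and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: one client with three keys (a rollover in progress).
CLIENT_KEYS = {
    "k-2009": b"retired-secret-constructed",
    "k-2010a": b"current-secret-constructed",
    "k-2010b": b"next-secret-constructed",
}


def sign(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 stands in for whatever signature scheme is in use."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_by_iteration(keys, message, signature):
    """Try every key registered for the client.

    Returns (matching key id or None, number of MAC computations).
    """
    attempts = 0
    for key_id, key in keys.items():
        attempts += 1
        if hmac.compare_digest(sign(key, message), signature):
            return key_id, attempts
    return None, attempts


def verify_by_key_id(keys, key_id, message, signature):
    """Look up the single key named by key_id.

    Returns (valid, number of MAC computations).
    """
    key = keys.get(key_id)
    if key is None:
        return False, 0  # unknown key id: rejected without computing a MAC
    return hmac.compare_digest(sign(key, message), signature), 1


if __name__ == "__main__":
    msg = b"GET /resource?nonce=constructed"
    sig = sign(CLIENT_KEYS["k-2010b"], msg)
    print("iteration:", verify_by_iteration(CLIENT_KEYS, msg, sig))
    print("key_id:   ", verify_by_key_id(CLIENT_KEYS, "k-2010b", msg, sig))
    # An invalid signature costs the iterating server one attempt per key.
    print("invalid:  ", verify_by_iteration(CLIENT_KEYS, msg, b"\x00" * 32))
```

With one to three keys per client the difference is a handful of MAC computations; it grows with the number of keys the server has to try, and an invalid signature always costs the iterating server the full set.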
