Yeah, it could be done with kid. But that would require a bit more
out-of-band understanding between the parties to know that the kid is, in
fact, a thumbprint. Seems like it'd be better to outright support a
thumbprint rather than overloading kid, if thumbprint representation of the
key for confirmation is desirable.

And yes, a thumbprint does have some nice properties. But I am also very
sympathetic to the "too many ways is not good for interop" point. That's
kind of why I asked what others thought of it rather than just making a
suggestion. I'm not sure one way or the other myself.

On Mon, Mar 23, 2015 at 2:11 AM, Nat Sakimura <sakim...@gmail.com> wrote:

> Would not kid do?
> Right, thumbprint has more semantics and has nice properties, but having
> too many ways is not good for interop.
>
> Nat
>
> 2015-03-23 15:40 GMT+09:00 Brian Campbell <bcampb...@pingidentity.com>:
>
>> Do folks in the WG think there'd be utility in having a way to identify
>> the finger/thumbprint of a key in the cnf claim? A presenter might, for
>> example, present the JWT along with a public JWK and some
>> proof-of-possession of that JWK.  And the JWK would be bound to the JWT via
>> the thumbprint, which is more space efficient (with respect to the JWT
>> anyway) than the full JWK.
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
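Added example, not part of the original thread: a sketch of the binding discussed above, where the JWT's cnf claim carries only a key thumbprint and the recipient checks a presented public JWK against it. It assumes the RFC 7638 JWK thumbprint computation and a cnf member named `jkt`; the thread specifies neither, and the sample key and claims are constructed.

```python
import base64
import hashlib
import json

# Members hashed per key type (RFC 7638); only public key types are handled here.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
CNF_MEMBER = "jkt"  # assumed member name; the thread does not name one


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members only, sorted, with no whitespace."""
    kty = jwk.get("kty")
    members = REQUIRED.get(kty) if isinstance(kty, str) else None
    if members is None:
        raise ValueError("unsupported or missing kty")
    if any(not isinstance(jwk.get(m), str) for m in members):
        raise ValueError("required JWK member missing")
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_matches_cnf(claims: dict, presented_jwk: dict) -> bool:
    """Binding check only: the presenter must still prove possession of the
    private key for presented_jwk (for example by signing a challenge)."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get(CNF_MEMBER), str):
        return False
    try:
        return jwk_thumbprint(presented_jwk) == cnf[CNF_MEMBER]
    except ValueError:
        return False


# Constructed sample key: fixed bytes, not a real curve point (hashing only).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "kid": "demo",
              "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}
CLAIMS = {"iss": "https://issuer.example", "sub": "presenter",
          "cnf": {CNF_MEMBER: jwk_thumbprint(SAMPLE_JWK)}}

if __name__ == "__main__":
    print("cnf:", CLAIMS["cnf"])
    print("match:", key_matches_cnf(CLAIMS, SAMPLE_JWK))
    swapped = dict(SAMPLE_JWK, x=b64url(bytes(32)))
    print("swapped key match:", key_matches_cnf(CLAIMS, swapped))
```

Because only the required members are hashed, optional members such as `kid` and the order of members in the presented JWK do not change the thumbprint, so the recipient needs no out-of-band agreement on key serialization.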