Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?
A key thumbprint value can be used as the value of the “cnf” “kid” member to achieve this.

-- Mike

> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell
> Sent: Sunday, March 22, 2015 11:41 PM
> To: oauth
> Subject: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?
>
> Do folks in the WG think there'd be utility in having a way to identify the finger/thumbprint of a key in the cnf claim?
>
> A presenter might, for example, present the JWT along with a public JWK and some proof-of-possession of that JWK. And the JWK would be bound to the JWT via the thumbprint, which is more space efficient (with respect to the JWT anyway) than the full JWK.

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
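Added example (editor's code, not part of this thread or of the proof-of-possession draft): the binding Mike describes, seen from the verifier's side. The presenter shows a public JWK; the verifier recomputes its RFC 7638 thumbprint and compares it with `cnf.kid`, or, when the full key is embedded, with the thumbprint of `cnf.jwk`. The function names, the sample EC key (fixed byte patterns, not a real curve point) and the unsigned sample token are this example's own. The token is only decoded here, never signature-checked: in a real verifier the JWT signature and the proof-of-possession exchange are validated before the cnf claim is trusted.

```python
"""Bind a JWT to a key through a JWK thumbprint carried in the "cnf" claim.

Sample keys and tokens in this file are constructed for the example; they
are not real credentials, and the sample token is not signed.
"""
import base64
import hashlib
import hmac
import json

# Members RFC 7638 hashes, per key type.  Every other member (kid, use,
# alg, ...) is ignored, so it cannot perturb the thumbprint.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
    "OKP": ("crv", "kty", "x"),  # RFC 8037 extends RFC 7638 to OKP keys
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 thumbprint of a JWK, base64url encoded (43 chars)."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty {kty!r}")
    try:
        subset = {name: jwk[name] for name in REQUIRED_MEMBERS[kty]}
    except KeyError as missing:
        raise ValueError(f"JWK lacks required member {missing}") from None
    # Lexicographic member order, no whitespace, UTF-8: the canonical form
    # that makes the hash reproducible across implementations.
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False)
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def unverified_payload(jwt: str) -> dict:
    """Decode the claims segment only.  This does NOT check the signature;
    a real verifier validates the JWS before acting on any claim."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def cnf_binds_key(claims: dict, presented_jwk: dict) -> bool:
    """True if the token's cnf claim names the presented key.

    cnf.jwk (full key, compared by thumbprint) and cnf.kid (the thumbprint
    itself) are both accepted.  The kid form only works under an
    out-of-band agreement that kid holds an RFC 7638 thumbprint.
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False
    presented = jwk_thumbprint(presented_jwk)
    if isinstance(cnf.get("jwk"), dict):
        expected = jwk_thumbprint(cnf["jwk"])
    elif isinstance(cnf.get("kid"), str):
        expected = cnf["kid"]
    else:
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())


# Constructed EC JWK: x and y are fixed byte patterns, not a real P-256
# point; the thumbprint hashes the encoded members exactly as given.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url_encode(bytes(range(32))),
    "y": b64url_encode(bytes(range(32, 64))),
}


def sample_jwt(cnf: dict) -> str:
    """Constructed, UNSIGNED token for the demo: the third segment is a
    placeholder, not an ES256 signature."""
    header = b64url_encode(json.dumps({"alg": "ES256", "typ": "JWT"}).encode())
    claims = b64url_encode(json.dumps(
        {"iss": "https://as.example", "sub": "alice", "cnf": cnf}).encode())
    return f"{header}.{claims}.placeholder-signature"


if __name__ == "__main__":
    token = sample_jwt({"kid": jwk_thumbprint(SAMPLE_JWK)})
    print(cnf_binds_key(unverified_payload(token), SAMPLE_JWK))  # True
    other = dict(SAMPLE_JWK, y=b64url_encode(bytes(32)))
    print(cnf_binds_key(unverified_payload(token), other))  # False
```

Because only the RFC 7638 members are hashed, a presenter can add or reorder members such as `kid` or `use` without changing the thumbprint, while any change to the key material itself does change it; that is the property that makes the thumbprint usable as a binding value in the first place.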
Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?
This is the approach supported by the current draft. Thanks again for your review comments.

-- Mike

> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura
> Sent: Monday, March 23, 2015 12:11 AM
> To: Brian Campbell
> Cc: oauth
> Subject: Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?
>
> Would not kid do?
>
> Right, thumbprint has more semantics and has nice properties, but having too many ways is not good for interop.
>
> Nat
>
> 2015-03-23 15:40 GMT+09:00 Brian Campbell <bcampb...@pingidentity.com>:
>> [...]
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?
Yes, kid could do it. It just seemed less than ideal and that, for confirmation, it might be useful to explicitly say "this is the thumbprint of the key that'll confirm this JWT" rather than "here's something that points to a key for confirmation, and in some cases it might be a thumbprint."

But I just wanted to ask the question to gauge interest. And it seems there's not much. It could be added later too, if more need for it arises.

On Mon, Mar 23, 2015 at 1:55 PM, Nat Sakimura <sakim...@gmail.com> wrote:
> ok, this is a full circle to my original comment "Would not kid do?"
>
> 2015-03-23 (Mon) 13:52 Brian Campbell <bcampb...@pingidentity.com>:
>> I wasn't necessarily suggesting to drop the kid one.
>>
>> [...]
Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?
Yeah, it could be done with kid. But that would require a bit more out-of-band understanding between the parties to know that the kid is, in fact, a thumbprint. Seems like it'd be better to outright support a thumbprint rather than overloading kid, if thumbprint representation of the key for confirmation is desirable.

And yes, a thumbprint does have some nice properties. But I am also very sympathetic to the "too many ways is not good for interop" point. That's kind of why I asked what others thought of it rather than just making a suggestion. I'm not sure one way or the other myself.

On Mon, Mar 23, 2015 at 2:11 AM, Nat Sakimura <sakim...@gmail.com> wrote:
> Would not kid do?
>
> Right, thumbprint has more semantics and has nice properties, but having too many ways is not good for interop.
>
> Nat
>
> 2015-03-23 15:40 GMT+09:00 Brian Campbell <bcampb...@pingidentity.com>:
>> [...]
Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?
In JWT, we generally use key IDs to identify keys. Per draft-ietf-jose-jwt-thumbprint, a thumbprint is *one* value that can be used as a key ID, but it's not the only one. That's up to the application. But especially since Jim Schaad had us take out the thumbprint claim names, kid is the clear winner as the claim name. Let's keep it.

-- Mike

> From: Nat Sakimura <sakim...@gmail.com>
> Sent: 3/23/2015 1:01 PM
> To: Brian Campbell <bcampb...@pingidentity.com>
> Cc: oauth <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?
>
> +1 for dropping kid in favor of thumbprint.
>
> 2015-03-23 (Mon) 12:56 Brian Campbell <bcampb...@pingidentity.com>:
>> [...]
Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?
ok, this is a full circle to my original comment "Would not kid do?"

2015-03-23 (Mon) 13:52 Brian Campbell <bcampb...@pingidentity.com>:
> I wasn't necessarily suggesting to drop the kid one.
>
> On Mon, Mar 23, 2015 at 1:00 PM, Nat Sakimura <sakim...@gmail.com> wrote:
>> +1 for dropping kid in favor of thumbprint.
>>
>> [...]
Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?
+1 for dropping kid in favor of thumbprint.

2015-03-23 (Mon) 12:56 Brian Campbell <bcampb...@pingidentity.com>:
> Yeah, it could be done with kid. But that would require a bit more out-of-band understanding between the parties to know that the kid is, in fact, a thumbprint. Seems like it'd be better to outright support a thumbprint rather than overloading kid, if thumbprint representation of the key for confirmation is desirable.
>
> And yes, a thumbprint does have some nice properties. But I am also very sympathetic to the "too many ways is not good for interop" point. That's kind of why I asked what others thought of it rather than just making a suggestion. I'm not sure one way or the other myself.
>
> On Mon, Mar 23, 2015 at 2:11 AM, Nat Sakimura <sakim...@gmail.com> wrote:
>> Would not kid do?
>>
>> [...]
Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?
+1

The thumbprint is a semantic way to identify a key. The key id claim name is the syntactic representation of a key identifier of any type. One type of key ID is a thumbprint. One place to put a thumbprint is in a key ID.

— Justin

On Mar 23, 2015, at 1:47 PM, Mike Jones <michael.jo...@microsoft.com> wrote:
> In JWT, we generally use key IDs to identify keys. Per draft-ietf-jose-jwt-thumbprint, a thumbprint is *one* value that can be used as a key ID, but it's not the only one. That's up to the application. But especially since Jim Schaad had us take out the thumbprint claim names, kid is the clear winner as the claim name. Let's keep it.
>
> -- Mike
>
> From: Nat Sakimura <sakim...@gmail.com>
> Sent: 3/23/2015 1:01 PM
> To: Brian Campbell <bcampb...@pingidentity.com>
> Cc: oauth <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?
>
>> +1 for dropping kid in favor of thumbprint.
>>
>> [...]
Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?
I wasn't necessarily suggesting to drop the kid one.

On Mon, Mar 23, 2015 at 1:00 PM, Nat Sakimura <sakim...@gmail.com> wrote:
> +1 for dropping kid in favor of thumbprint.
>
> 2015-03-23 (Mon) 12:56 Brian Campbell <bcampb...@pingidentity.com>:
>> [...]