Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

2015-08-10 Thread Mike Jones
-WG] proof-of-possession-02 cnf via key thumbprint? Do folks in the WG think there'd be utility in having a way to identify the finger/thumbprint of a key in the cnf claim. A presenter might, for example, present the JWT along with a public JWK and some proof-of-possession of that JWK

Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

2015-08-10 Thread Mike Jones
: oauth Subject: Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint? Would not kid do? Right, thumbprint has more semantics and has nice properties, but having too many ways is not good for interop. Nat 2015-03-23 15:40 GMT+09:00 Brian Campbell bcampb...@pingidentity.com mailto:bcampb

[OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

2015-03-23 Thread Brian Campbell
Do folks in the WG think there'd be utility in having a way to identify the finger/thumbprint of a key in the cnf claim. A presenter might, for example, present the JWT along with a public JWK and some proof-of-possession of that JWK. And the JWK would be bound to the JWT via the thumbprint,

Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

2015-03-23 Thread Brian Campbell
Yes, kid could do it. It just seemed less than ideal and that, for confirmation, it might be useful to explicitly say this is the thumbprint of the key that'll confirm this JWT rather than here's something that points to a key for confirmation and in some cases it might be a thumbprint. But I just

Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

2015-03-23 Thread Brian Campbell
Yeah, it could be done with kid. But that would require a bit more out-of-band understanding between the parties to know that the kid is, in fact, a thumbprint. Seems like it'd be better to outright support a thumbprint rather than overloading kid, if thumbprint representation of the key for

Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

2015-03-23 Thread Mike Jones
as the claim name. Let's keep it. -- Mike From: Nat Sakimura mailto:sakim...@gmail.com Sent: 3/23/2015 1:01 PM To: Brian Campbell mailto:bcampb...@pingidentity.com Cc: oauth mailto:oauth@ietf.org Subject: Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint? +1

Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

2015-03-23 Thread Nat Sakimura
ok, this is a full circle to my original comment Would not kid do? Mon, Mar 23, 2015 13:52 Brian Campbell bcampb...@pingidentity.com: I wasn't necessarily suggesting to drop the kid one. On Mon, Mar 23, 2015 at 1:00 PM, Nat Sakimura sakim...@gmail.com wrote: +1 for dropping kid in favor of

Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

2015-03-23 Thread Nat Sakimura
+1 for dropping kid in favor of thumbprint. Mon, Mar 23, 2015 12:56 Brian Campbell bcampb...@pingidentity.com: Yeah, it could be done with kid. But that would require a bit more out-of-band understanding between the parties to know that the kid is, in fact, a thumbprint. Seems like it'd be better

Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

2015-03-23 Thread Justin Richer
is the clear winner as the claim name. Let's keep it. -- Mike From: Nat Sakimura mailto:sakim...@gmail.com Sent: 3/23/2015 1:01 PM To: Brian Campbell mailto:bcampb...@pingidentity.com Cc: oauth mailto:oauth@ietf.org Subject: Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint? +1

Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

2015-03-23 Thread Brian Campbell
I wasn't necessarily suggesting to drop the kid one. On Mon, Mar 23, 2015 at 1:00 PM, Nat Sakimura sakim...@gmail.com wrote: +1 for dropping kid in favor of thumbprint. Mon, Mar 23, 2015 12:56 Brian Campbell bcampb...@pingidentity.com: Yeah, it could be done with kid. But that would require a