Having a key ID is an optimization. If you're using public key signatures, is having to do potentially 3x the signatures going to be a problem?
> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org]
> On Behalf Of Brian Eaton
> Sent: Tuesday, June 22, 2010 9:43 AM
> To: Dick Hardt; hannes.tschofe...@gmx.net
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] proposal for signatures
>
> On Tue, Jun 22, 2010 at 7:17 AM, Dick Hardt
> <dick.ha...@gmail.com> wrote:
> >> Thanks for writing this. A few questions...
> >>
> >> Do we need both `issuer` and `key_id`? Shouldn't we use `client_id`
> >> instead at least for OAuth?
> >
> > it is the ID of the key, not the client -- used to rollover keys
>
> I don't think key id is necessary, but adding Hannes since he
> called me crazy for saying that at IIW. =)
>
> The average client is going to have very few keys. Probably just 1.
> 3 at the outside.
>
> If a server needs to verify, it can literally iterate over
> all of the keys associated with the client until it finds the
> right one.
>
> There is some precedent for this approach:
> http://support.microsoft.com/kb/906305/en-us.
>
> Cheers,
> Brian
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
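The trade-off discussed in this thread, as an added example that is not part of the original messages: a verifier that uses `key_id` when present and otherwise iterates over every key registered for the client, returning how many verifications each path costs. The key store, key names, and the use of HMAC-SHA256 as a stand-in for the signature scheme are assumptions made so the example runs on the standard library alone.

```python
import hashlib
import hmac

# Constructed sample data: one client with three registered keys (key_id -> secret).
# HMAC-SHA256 stands in for the signature scheme (an assumption of this example);
# with public-key signatures each extra attempt is correspondingly more expensive.
CLIENT_KEYS = {
    "client-a": {"k2009": b"old-secret", "k2010": b"current-secret", "k2011": b"next-secret"},
}


def sign(secret, message):
    return hmac.new(secret, message, hashlib.sha256).digest()


def verify(client_id, message, signature, key_id=None):
    """Return (matched_key_id or None, number_of_verifications_performed)."""
    keys = CLIENT_KEYS.get(client_id, {})
    if key_id is not None:
        # key_id supplied: one lookup, one verification. This example rejects an
        # unknown key_id outright instead of falling back to trying every key.
        secret = keys.get(key_id)
        if secret is None:
            return None, 0
        ok = hmac.compare_digest(sign(secret, message), signature)
        return (key_id if ok else None), 1
    # No key_id: iterate over every key registered for the client.
    attempts = 0
    for candidate_id, secret in keys.items():
        attempts += 1
        if hmac.compare_digest(sign(secret, message), signature):
            return candidate_id, attempts
    return None, attempts


if __name__ == "__main__":
    msg = b"GET /resource?nonce=42"  # constructed request string
    sig = sign(CLIENT_KEYS["client-a"]["k2011"], msg)
    print(verify("client-a", msg, sig, key_id="k2011"))  # matched after 1 verification
    print(verify("client-a", msg, sig))                  # matched after 3 verifications
    print(verify("client-a", msg, b"\x00" * 32))         # invalid signature: 3 attempts, no match
```

An invalid signature always costs the full iteration when no `key_id` is sent, so the worst case is also the case an unauthenticated sender can trigger at will.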