+1 The thumbprint is a semantic way to identify a key. The key id claim name is the syntactic representation of a key identifier of any type. One type of key ID is a thumbprint. One place to put a thumbprint is in a key ID.
— Justin

> On Mar 23, 2015, at 1:47 PM, Mike Jones <michael.jo...@microsoft.com> wrote:
>
> In JWT, we generally use key IDs to identify keys. Per draft-ietf-jose-jwt-thumbprint, a thumbprint is *one* value that can be used as a key ID, but it's not the only one. That's up to the application.
>
> But especially since Jim Schaad had us take out the thumbprint claim names, "kid" is the clear winner as the claim name. Let's keep it.
>
> -- Mike
>
> From: Nat Sakimura <mailto:sakim...@gmail.com>
> Sent: 3/23/2015 1:01 PM
> To: Brian Campbell <mailto:bcampb...@pingidentity.com>
> Cc: oauth <mailto:oauth@ietf.org>
> Subject: Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?
>
> +1 for dropping kid in favor of thumbprint.
>
> On Mon, Mar 23, 2015 at 12:56, Brian Campbell <bcampb...@pingidentity.com> wrote:
> Yeah, it could be done with kid. But that would require a bit more out-of-band understanding between the parties to know that the kid is, in fact, a thumbprint. Seems like it'd be better to outright support a thumbprint rather than overloading kid, if thumbprint representation of the key for confirmation is desirable.
>
> And yes, a thumbprint does have some nice properties. But I am also very sympathetic to the "too many ways is not good for interop" point. That's kind of why I asked what others thought of it rather than just making a suggestion. I'm not sure one way or the other myself.
>
> On Mon, Mar 23, 2015 at 2:11 AM, Nat Sakimura <sakim...@gmail.com> wrote:
> Would not kid do?
> Right, thumbprint has more semantics and has nice properties, but having too many ways is not good for interop.
>
> Nat
>
> 2015-03-23 15:40 GMT+09:00 Brian Campbell <bcampb...@pingidentity.com>:
> Do folks in the WG think there'd be utility in having a way to identify the finger/thumbprint of a key in the cnf claim. A presenter might, for example, present the JWT along with a public JWK and some proof-of-possession of that JWK. And the JWK would be bound to the JWT via the thumbprint, which is more space efficient (with respect to the JWT anyway) than the full JWK.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
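The mechanism the thread is debating, as an added example that is not part of any message above and not code from the OAuth working group: a JWK thumbprint is computed the way the JWK thumbprint draft (draft-ietf-jose-jwk-thumbprint, later published as RFC 7638) specifies, by taking only the required members for the key type, serializing them as JSON with the members in lexicographic order and no whitespace, hashing with SHA-256 and base64url-encoding the digest. Following Mike's and Justin's position, the issuer then carries that thumbprint in the existing "kid" member of "cnf" rather than in a new thumbprint-specific claim name. The verifier side shows Brian's point about out-of-band understanding: it only works if the verifier knows that this "kid" is a thumbprint and recomputes it from the JWK the presenter hands over. The EC key coordinates are sample input constructed for this example; nothing here checks that they form a valid curve point, and the separate step of verifying the presenter's actual proof of possession (a signature with that key) and the JWT's own signature is outside this snippet.

```python
import base64
import hashlib
import hmac
import json

# Members that must go into the thumbprint input, per key type
# (draft-ietf-jose-jwk-thumbprint / RFC 7638). Everything else in the
# JWK ("kid", "use", "alg", "x5c", ...) is deliberately excluded, so the
# thumbprint identifies the key material only, not its metadata.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict, hash_alg: str = "sha256") -> str:
    """Compute the JWK thumbprint of a public JWK.

    Raises ValueError for unsupported key types or missing required
    members rather than silently hashing a partial key.
    """
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    try:
        canonical = {m: jwk[m] for m in REQUIRED_MEMBERS[kty]}
    except KeyError as exc:
        raise ValueError(f"JWK is missing required member {exc}") from None
    # Lexicographic member order, no whitespace: the spec's canonical form.
    serialized = json.dumps(canonical, sort_keys=True,
                            separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.new(hash_alg, serialized).digest())


def cnf_from_jwk(jwk: dict) -> dict:
    """Issuer side: bind a JWT to a key by putting its thumbprint in cnf.kid.

    Using "kid" (instead of a dedicated thumbprint name) is the convention
    the thread settles on; the verifier has to know, out of band, that this
    kid value is a thumbprint.
    """
    return {"cnf": {"kid": jwk_thumbprint(jwk)}}


def confirm_presented_key(claims: dict, presented_jwk: dict) -> bool:
    """Verifier side: does the JWK the presenter supplied match cnf.kid?

    This only establishes that the presented key is the one the issuer
    bound to the JWT. The caller must separately verify the presenter's
    proof of possession of that key and the JWT's own signature.
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("kid"), str):
        return False
    try:
        expected = jwk_thumbprint(presented_jwk)
    except ValueError:
        return False
    # Constant-time comparison; the values are short, but it costs nothing.
    return hmac.compare_digest(cnf["kid"], expected)


# Constructed sample public key for this example (coordinates are sample
# input and are not validated as a point on P-256 here).
SAMPLE_EC_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",          # optional member: must not affect the thumbprint
    "kid": "my-signing-key",
}

# A second constructed key that differs in one coordinate.
OTHER_EC_JWK = dict(SAMPLE_EC_JWK, x="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")


if __name__ == "__main__":
    claims = {"iss": "https://as.example", "sub": "alice", **cnf_from_jwk(SAMPLE_EC_JWK)}
    print(json.dumps(claims, indent=2))
    print("presented key matches:", confirm_presented_key(claims, SAMPLE_EC_JWK))
    print("other key matches:", confirm_presented_key(claims, OTHER_EC_JWK))
```

Note that a plain, non-thumbprint "kid" (say "my-signing-key") fails `confirm_presented_key` against any JWK, which is exactly the interop ambiguity Brian raises: the verifier cannot tell from the claim alone whether "kid" is a thumbprint or an opaque identifier it should resolve some other way.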