I could imagine an architecture striving to be efficient, scalable, distributed and secure where there are hundreds of servers each with a unique private key baked into each server. All the public keys would be in one file.
Having a key id would help debugging as well as the signer is clearly indicating which key should be used. If the signing fails, it could be the key, could be signature calculation, could be ... The downside of having a key_id seems heavily outweighed by the advantages to me.

On Tue, Jun 22, 2010 at 10:30 AM, Anthony Nadalin <tony...@microsoft.com> wrote:
>
> If a server needs to verify, it can literally iterate over all of the
> keys associated with the client until it finds the right one.
>
> Depends on how the server stored the keys, this can be a very expensive
> operation w/o a key_id to match/index on
>
> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
> Brian Eaton
> Sent: Tuesday, June 22, 2010 9:43 AM
> To: Dick Hardt; hannes.tschofe...@gmx.net
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] proposal for signatures
>
> On Tue, Jun 22, 2010 at 7:17 AM, Dick Hardt <dick.ha...@gmail.com> wrote:
> >> Thanks for writing this. A few questions...
> >>
> >> Do we need both `issuer` and `key_id`? Shouldn't we use `client_id`
> >> instead at least for OAuth?
> >
> > it is the ID of the key, not the client -- used to rollover keys
>
> I don't think key id is necessary, but adding Hannes since he called me
> crazy for saying that at IIW. =)
>
> The average client is going to have very few keys. Probably just 1.
> 3 at the outside.
>
> If a server needs to verify, it can literally iterate over all of the keys
> associated with the client until it finds the right one.
>
> There is some precedent for this approach:
> http://support.microsoft.com/kb/906305/en-us.
>
> Cheers,
> Brian
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
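The trade-off argued in this thread, a key_id lookup versus iterating over every key the verifier holds, as an added example that is not from any of the posters. It assumes a constructed key registry and uses HMAC-SHA256 in place of the public-key signatures the list is discussing, since the lookup and the error-distinction logic are the same either way.

```python
import hashlib
import hmac
import secrets

# Constructed registry: key_id -> key material. In the architecture Dick
# describes this would be the one file holding every server's public key.
KEYS = {f"k{i}": secrets.token_bytes(32) for i in range(1, 4)}


def sign(key_id: str, message: bytes) -> tuple:
    """The signer states which key it used by sending key_id with the signature."""
    return key_id, hmac.new(KEYS[key_id], message, hashlib.sha256).digest()


def verify_with_key_id(key_id: str, message: bytes, sig: bytes) -> str:
    """One dictionary lookup and one signature check.

    The verifier can tell the caller *which* thing failed: an unknown key
    (e.g. a key not yet deployed after rollover) or a bad signature value.
    """
    key = KEYS.get(key_id)
    if key is None:
        return "unknown key_id"
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, sig) else "bad signature"


def verify_by_iteration(message: bytes, sig: bytes) -> tuple:
    """Without a key_id the verifier tries every key associated with the client.

    Returns the verdict and how many signature computations it cost. On
    failure it cannot distinguish "wrong key" from "wrong signature calculation".
    """
    tried = 0
    for key in KEYS.values():
        tried += 1
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            return "ok", tried
    return "no key matched", tried
```

With three keys the iteration cost is harmless, which is Brian's point; with hundreds of signing servers behind one verifier, as in the first paragraph, every failed verification costs a full pass over the registry and yields no hint about why it failed.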