In JWT, we generally use key IDs to identify keys. Per draft-ietf-jose-jwt-thumbprint, a thumbprint is *one* value that can be used as a key ID, but it's not the only one. That's up to the application.
But especially since Jim Schaad had us take out the thumbprint claim names, "kid" is the clear winner as the claim name. Let's keep it.

-- Mike

________________________________
From: Nat Sakimura<mailto:sakim...@gmail.com>
Sent: 3/23/2015 1:01 PM
To: Brian Campbell<mailto:bcampb...@pingidentity.com>
Cc: oauth<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?

+1 for dropping kid in favor of thumbprint.

2015-03-23 (Mon) 12:56 Brian Campbell <bcampb...@pingidentity.com<mailto:bcampb...@pingidentity.com>>:

Yeah, it could be done with kid. But that would require a bit more out-of-band understanding between the parties to know that the kid is, in fact, a thumbprint. Seems like it'd be better to outright support a thumbprint rather than overloading kid, if thumbprint representation of the key for confirmation is desirable.

And yes, a thumbprint does have some nice properties. But I am also very sympathetic to the "too many ways is not good for interop" point. That's kind of why I asked what others thought of it rather than just making a suggestion. I'm not sure one way or the other myself.

On Mon, Mar 23, 2015 at 2:11 AM, Nat Sakimura <sakim...@gmail.com<mailto:sakim...@gmail.com>> wrote:

Would not kid do? Right, thumbprint has more semantics and has nice properties, but having too many ways is not good for interop.

Nat

2015-03-23 15:40 GMT+09:00 Brian Campbell <bcampb...@pingidentity.com<mailto:bcampb...@pingidentity.com>>:

Do folks in the WG think there'd be utility in having a way to identify the finger/thumbprint of a key in the cnf claim. A presenter might, for example, present the JWT along with a public JWK and some proof-of-possession of that JWK. And the JWK would be bound to the JWT via the thumbprint, which is more space efficient (with respect to the JWT anyway) than the full JWK.
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
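A worked example of the binding Brian describes (added here; not code from the thread, the OAuth draft, or the JOSE draft): computing a JWK thumbprint as RFC 7638, the published form of the JOSE thumbprint draft, defines it, and checking the JWK presented with a JWT against the thumbprint carried in cnf. It assumes the application convention Mike argues for, namely that cnf "kid" holds the thumbprint; the sample key's coordinates are constructed placeholders, not a real key pair.

```python
import base64
import hashlib
import hmac
import json

# Members RFC 7638 hashes for each key type. Everything else in the JWK
# (kid, use, alg, ...) is deliberately left out of the thumbprint.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}

# Constructed sample key: x and y are placeholder base64url strings.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXIteC1jb29yZGluYXRl",
    "y": "Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXIteS1jb29yZGluYXRl",
    "kid": "presenter-key-1",
    "use": "sig",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members only, serialized with keys in
    lexicographic order and no whitespace (RFC 7638), base64url encoded."""
    kty = jwk["kty"]
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty {kty!r}")
    canonical = json.dumps({m: jwk[m] for m in REQUIRED_MEMBERS[kty]},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def cnf_matches_presented_key(cnf: dict, presented_jwk: dict) -> bool:
    """True only if the JWK presented alongside the JWT is the one the
    issuer bound to it. Assumption: cnf["kid"] carries the thumbprint."""
    expected = cnf.get("kid")
    if not isinstance(expected, str):
        return False
    try:
        actual = jwk_thumbprint(presented_jwk)
    except (KeyError, ValueError):  # malformed or unsupported JWK
        return False
    return hmac.compare_digest(expected, actual)
```

The thumbprint stays the same whatever extra members or member order the presenter's JWK carries, which is exactly why the issuer can bind to it rather than to the full JWK.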