The original JWK thumbprint RFC 7638 essentially describes the method
for composing the hash input from a JWK and that the output is base64url
encoded. SHA-256 is mentioned, but there is no default implied hash
function. This leaves it to applications / other specs to determine.
https://www.rfc-editor.org/rfc/rfc7638.html#section-3.4
The URN gives us now a natural possibility to encode the hash function
alongside the fact that it's a JWK thumbprint, so let's include it. This
will make things more explicit and self-contained.
What do the authors think about this possibility?
~Vladimir
Vladimir Dzhuvinov
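A worked example of the RFC 7638 thumbprint computation and of the "hash function in the URN" shape proposed above. This is added illustration code, not code from the thread or from the draft: the URN prefix, the hash-name spellings and the EC key values are assumed or constructed.

```python
import base64
import hashlib
import json

# Required members per key type, taken in lexicographic order (RFC 7638 section 3.2,
# member sets from RFC 7518; OKP from RFC 8037). The JSON is serialised with no
# whitespace so that two JWKs describing the same key hash identically.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
    "OKP": ("crv", "kty", "x"),
}

# Assumption: hash names are spelled as in the IANA "Named Information" hash registry.
HASH_FUNCTIONS = {"sha-256": hashlib.sha256, "sha-384": hashlib.sha384, "sha-512": hashlib.sha512}

# Assumption: this URN prefix is illustrative; the draft under Last Call defines the real one.
URN_PREFIX = "urn:ietf:params:oauth:jwk-thumbprint"


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7638 requires for the thumbprint."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict, hash_name: str = "sha-256") -> str:
    """Hash of the canonical required-member JSON of the JWK (RFC 7638 section 3)."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    missing = [m for m in REQUIRED_MEMBERS[kty] if m not in jwk]
    if missing:
        raise ValueError(f"JWK missing required members: {missing}")
    canonical = json.dumps({m: jwk[m] for m in REQUIRED_MEMBERS[kty]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(HASH_FUNCTIONS[hash_name](canonical.encode("utf-8")).digest())


def thumbprint_uri(jwk: dict, hash_name: str = "sha-256") -> str:
    """Encode the hash function next to the thumbprint so the value is unambiguous."""
    return f"{URN_PREFIX}:{hash_name}:{jwk_thumbprint(jwk, hash_name)}"


def parse_thumbprint_uri(uri: str) -> tuple:
    """Return (hash_name, thumbprint); reject unknown prefixes or hash functions."""
    prefix = URN_PREFIX + ":"
    if not uri.startswith(prefix):
        raise ValueError("not a JWK thumbprint URI")
    hash_name, _, value = uri[len(prefix):].partition(":")
    if hash_name not in HASH_FUNCTIONS or not value:
        raise ValueError(f"unknown hash function or empty thumbprint in {uri!r}")
    return hash_name, value
```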
On 04/02/2022 01:47, Neil Madden wrote:
The draft doesn’t specify which hash function is being used. I assume
it is SHA-256, but it should either say that is the only algorithm
allowed or perhaps encode the hash algorithm into the URI. Otherwise
the value is ambiguous.
Using a (hash of a) public key as an identifier is an idea that has
historically been subject to various attacks such as unknown key share
attacks, as well as issues due to malleable signature schemes or key
exchange schemes - where the same proof of identity is valid under
many public keys. The security considerations should mention these
issues, and potentially suggest countermeasures (e.g. including the full
public key JWK in the input to be signed etc).
— Neil
On 2 Feb 2022, at 12:19, Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com>
wrote:
All,
The *JWK Thumbprint URI* document is a simple and
straightforward specification.
This is a WG Last Call for this document:
https://www.ietf.org/archive/id/draft-ietf-oauth-jwk-thumbprint-uri-00.html
Please provide your feedback on the mailing list by *Feb 16th*.
Regards,
Rifaat & Hannes
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth