Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribution-01 and Open Issues

2015-03-05 Thread John Bradley
Clients that share a common client_id can't pre register. You need to be doing per instance dynamic client registration for that to work. Non confidential clients need to push a key with code, or have it provisioned by the AS with the AT. Sent from my iPhone > On Mar 5, 2015, at 2:04 PM, H

Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribution-01 and Open Issues

2015-03-05 Thread Hannes Tschofenig
Actually, I am not sure my statement below is actually correct. We need to distinguish the case where the client id is unique per client software instance and when it isn't. If the client id is shared by multiple client software instances then how do we make sure that clients aren't uploading key

Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribution-01 and Open Issues

2015-03-05 Thread Hannes Tschofenig
I agree and this can be done in AUTH48. On 03/05/2015 01:59 PM, Justin Richer wrote: > Right, but do we need to say that in Dyn-Reg? That's really more of a > problem for the protocol using the keys, not the one registering it for > use.

Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribution-01 and Open Issues

2015-03-05 Thread Hannes Tschofenig
In context of we then need to differentiate the case where the client wants to have the server attach the already stored key vs. the case where the client wants to create a new key regardless whether there is one stored or not. Does that make sense? On 03/05/2015 01:58 PM, John Bradley wrote: >

Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribution-01 and Open Issues

2015-03-05 Thread Justin Richer
Right, but do we need to say that in Dyn-Reg? That's really more of a problem for the protocol using the keys, not the one registering it for use. -- Justin On 3/5/2015 7:58 AM, John Bradley wrote: I am ok with saying that the JWK must have keyed if there is more than one key and it SHOULD i

Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribution-01 and Open Issues

2015-03-05 Thread John Bradley
I am ok with saying that the JWK must have keyed if there is more than one key and it SHOULD if there is only one. Sent from my iPhone > On Mar 5, 2015, at 1:43 PM, Hannes Tschofenig > wrote: > > Hi John, > > that's a good idea. However, the dynamic client registration should > state that t

Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribution-01 and Open Issues

2015-03-05 Thread Hannes Tschofenig
Hi John, that's a good idea. However, the dynamic client registration should state that the "kid" parameter is used and must be included in the JWK (since the kid is an optional parameter). The key name is then the 'kid' plus the client id since the value of the kid is not unique by itself. Ciao

Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribution-01 and Open Issues

2015-03-05 Thread John Bradley
For signing authentication requests you include the keyid in the JWT, and the AS looks in the JWKS to find the correct key if there is more than one. I don't think that is a problem. What we probably need to do is pass a keyid in the request if there is more than one signing key registered for t

Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribution-01 and Open Issues

2015-03-05 Thread Hannes Tschofenig
Hi John, On 03/05/2015 10:27 AM, John Bradley wrote: > inline >> On Mar 5, 2015, at 9:59 AM, Hannes Tschofenig >> wrote: >> >> Hi all, >> >> I refreshed the PoP key distribution document. No changes to the >> content of the document. >> >> The document contains two questions, namely >> >> QUEST

Re: [OAUTH-WG] draft-ietf-oauth-pop-key-distribution-01 and Open Issues

2015-03-05 Thread John Bradley
inline > On Mar 5, 2015, at 9:59 AM, Hannes Tschofenig > wrote: > > Hi all, > > I refreshed the PoP key distribution document. No changes to the > content of the document. > > The document contains two questions, namely > > QUESTION: A benefit of asymmetric cryptography is to allow clients to