1. OpenID Foundation Avatar OpenID Foundation
  2. WGs
  3. connect
  4. Issues

SIOPv2: Clarify "bare" JWK in sections 13 & 13.1

Issue #1543 resolved
Vladimir Dzhuvinov created an issue

The current sub_jwk spec says it MUST be a “bare” key in JWK format.

https://openid.net/specs/openid-connect-self-issued-v2-1_0-06.html#name-self-issued-id-token

I was wondering about what that means in practice. I’m also unsure how to interpret the “not an X.509 certificate value”. Is this to mean a JWK with only the mandatory"kty" and those params that define the public key material? Are SIOP and RP expected to check the key for certain things to make sure it conforms with this definition of “bare”?

Comments (6)

  1. Kristina Yasuda

    good call-out. I think what was originally meant was sub_jwk is a JWK without x5c, x5u, x5t parameters. However, I don’t see the reason not to allow X.509 certificate values if the issuer/wallet is able to manage a cert per user. I am inclined to define sub_jwk in SIOP as a JWK. or replace it with RFC7800 cnf (Issue #1540)

  3. Vladimir Dzhuvinov reporter

    Thanks for the clarification! If there’s no imperative to have a “bare” JWK, then my suggestion is to simply remove that qualifier from the definition.

    (whether it stays sub_jwk or becomes a cnf.jwk or JWT jwk header)

  5. Kristina Yasuda

    I am not sure what would be a use case for the user to use X.509 to sign a self-Issued ID Token.

  7. Log in to comment
Assignee
Type
bug
Priority
minor
Status
resolved
Component
SIOP
Milestone
Implementer's Draft
Version
Votes
0
Watchers
1
Jira Software: the preferred issue tracker for Bitbucket. Join the team!