[Federation] Historical Keys Response: Reason_code: Define own keywords, remove X.509 CRL (RFC 5280) dependency
The historical keys response JWT uses reason_code values from the X.509 CRL spec.
https://openid.bitbucket.io/connect/openid-federation-1_0.html#name-federation-historical-keys-res
CRL reason codes:
https://www.rfc-editor.org/rfc/rfc5280.html#section-5.3.1
CRLReason ::= ENUMERATED {
unspecified (0),
keyCompromise (1),
cACompromise (2),
affiliationChanged (3),
superseded (4),
cessationOfOperation (5),
certificateHold (6),
-- value 7 is not used
removeFromCRL (8),
privilegeWithdrawn (9),
aACompromise (10) }
Reuse is generally a good thing; however, some of these codes may end up confusing implementers and developers because they don't map to JWK and OpenID Federation concepts. For example, caCompromise, certificateHold, removeFromCRL.
Comments (8)
I agree with doing this.
reporter: What is aa_compromise supposed to mean?
aACompromise is a reason code that can be used in a Certificate Revocation List (CRL) to indicate that a certificate is being revoked because of a compromise or suspected compromise of the authority (AA) that issued the certificates. This authority could be a Registration Authority (RA) or a subordinate Certificate Authority (CA) that assists in the management and issuance of certificates.
assigned issue to
assigned issue to
- changed milestone to Implementer's Draft
Here is the PR that aims to resolve this issue: https://bitbucket.org/openid/connect/pull-requests/724
- changed status to resolved
I fully agree, it looks like a weak pointer to something that cannot be reused as it is.
We can therefore propose a similar mapping; we can define it as "inspired" by RFC 5280, with the same numbers but different labels.
Since the labels are equivalent but not the same, I suggest definitively abandoning the camel case and using snake case.
For instance:
caCompromise → ta_compromise
certificateHold → suspended
removeFromCRL → reactivated
and more:
unspecified → unspecified
keyCompromise → key_compromise
affiliationChanged → affiliation_changed
superseded → superseded
cessationOfOperation → cessation_of_operation
privilegeWithdrawn → privilege_withdrawn
aACompromise → aa_compromise
WDYT?
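As an added illustration of the mapping proposed in the comment above (example code written for this page, not part of the OpenID Federation specification or any project's implementation), the following Python validates the `reason_code` values found in a historical keys response. It keeps the RFC 5280 numbers, uses the snake_case labels from the proposal, translates the old CRLReason identifiers into the new vocabulary, and reports codes it cannot interpret (including the unused value 7). The JWK set is constructed inline; the `revoked` object with `revoked_at` and `reason_code` members, and the treatment of an absent `reason_code` as `unspecified`, are assumptions of this example rather than statements from the thread.

```python
"""Validate reason_code values in an OpenID Federation historical keys
response using the snake_case labels proposed in the thread."""
import json

# Proposed codes: RFC 5280 CRLReason numbers with the relabelled names.
# Value 7 is unused in RFC 5280 and stays unused here.
REASON_CODES = {
    "unspecified": 0,
    "key_compromise": 1,
    "ta_compromise": 2,
    "affiliation_changed": 3,
    "superseded": 4,
    "cessation_of_operation": 5,
    "suspended": 6,
    "reactivated": 8,
    "privilege_withdrawn": 9,
    "aa_compromise": 10,
}
LABEL_BY_NUMBER = {number: label for label, number in REASON_CODES.items()}

# RFC 5280 CRLReason identifiers, accepted only so that a response still
# using the old labels can be reported in the proposed vocabulary.
LEGACY_CRL_LABELS = {
    "unspecified": "unspecified",
    "keyCompromise": "key_compromise",
    "cACompromise": "ta_compromise",
    "affiliationChanged": "affiliation_changed",
    "superseded": "superseded",
    "cessationOfOperation": "cessation_of_operation",
    "certificateHold": "suspended",
    "removeFromCRL": "reactivated",
    "privilegeWithdrawn": "privilege_withdrawn",
    "aACompromise": "aa_compromise",
}


def normalize_reason_code(value):
    """Return the proposed label for a reason_code given as a number, a
    proposed label or an RFC 5280 label; raise ValueError otherwise."""
    if isinstance(value, bool):  # bool is an int subclass, never a code
        raise ValueError(f"invalid reason_code type: {value!r}")
    if isinstance(value, int):
        if value not in LABEL_BY_NUMBER:
            raise ValueError(f"unknown numeric reason_code {value}")
        return LABEL_BY_NUMBER[value]
    if isinstance(value, str):
        if value in REASON_CODES:
            return value
        if value in LEGACY_CRL_LABELS:
            return LEGACY_CRL_LABELS[value]
    raise ValueError(f"unknown reason_code {value!r}")


def is_valid_reason_code(value):
    """True when normalize_reason_code() accepts the value."""
    try:
        normalize_reason_code(value)
        return True
    except ValueError:
        return False


def check_historical_keys(jwks):
    """Walk the "keys" array of a decoded historical keys response.

    Returns (revoked, problems): revoked maps kid -> normalized reason label
    for every key carrying a "revoked" object (assumed structure); problems
    lists "kid: message" strings for codes that could not be interpreted.
    """
    revoked, problems = {}, []
    for jwk in jwks.get("keys", []):
        kid = jwk.get("kid", "<no kid>")
        info = jwk.get("revoked")
        if info is None:
            continue  # key expired or rotated, not revoked
        # Assumption: an absent reason_code is treated as unspecified (0).
        raw = info.get("reason_code", "unspecified")
        try:
            revoked[kid] = normalize_reason_code(raw)
        except ValueError as err:
            problems.append(f"{kid}: {err}")
    return revoked, problems


# Constructed sample: key material replaced by placeholders, timestamps made up.
SAMPLE_HISTORICAL_KEYS = json.loads("""
{
  "keys": [
    {"kty": "EC", "kid": "k1", "crv": "P-256", "x": "x-placeholder",
     "y": "y-placeholder", "exp": 1700000000},
    {"kty": "EC", "kid": "k2", "crv": "P-256", "x": "x-placeholder",
     "y": "y-placeholder",
     "revoked": {"revoked_at": 1690000000, "reason_code": "key_compromise"}},
    {"kty": "EC", "kid": "k3", "crv": "P-256", "x": "x-placeholder",
     "y": "y-placeholder",
     "revoked": {"revoked_at": 1680000000, "reason_code": "removeFromCRL"}},
    {"kty": "EC", "kid": "k4", "crv": "P-256", "x": "x-placeholder",
     "y": "y-placeholder",
     "revoked": {"revoked_at": 1670000000, "reason_code": 7}}
  ]
}
""")

if __name__ == "__main__":
    accepted, issues = check_historical_keys(SAMPLE_HISTORICAL_KEYS)
    print("revoked:", accepted)
    print("problems:", issues)
```

Running the block reports k2 as key_compromise, k3 (sent with the old removeFromCRL label) as reactivated, and flags k4 because 7 is not assigned in RFC 5280 or in the proposed set; rejecting rather than guessing at unknown codes is the safer choice when the value drives a trust decision.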