1. OpenID Foundation
  2. connect
  3. Issues
Issue #414 resolved

Registration - 2.1 x509_encryption_url makes references to x509_signing_url, jwk_signing_url, and x509_signing_url which do no exist

Edmund Jay
created an issue

Currently, it's written as {{{ x509_encryption_url OPTIONAL. URL for the Client's PEM encoded X.509 Certificate or Certificate chain, used for JWE [JWE] encryption of JWT [JWT] to the Client. If both x509_signing_url and jwk_signing_url are specified x509_signing_url the keys MUST be the same. }}}

x509_signing_url and jwk_signing_url do not exist.

It should be changed to {{{ x509_encryption_url OPTIONAL. URL for the Client's PEM encoded X.509 Certificate or Certificate chain, used for JWE [JWE] encryption of JWT [JWT] to the Client. If both x509_url and jwk_url are specified, the keys MUST be the same. }}}

Comments (3)

  1. Michael Jones

    The text about the keys being the same sounds like unnecessary complexity, as it effectively forces implementations to retrieve both and check that they are the same. Why not just say that both can not be specified?

  2. John Bradley

    The idea is that if the client is making a key available in multiple formats it MUST be the same key.

    The Authorization server doesn't need to check.

    They may want to do that so that the retriever can select there preferred format.

    It should be jwk_encryption_url and x509_encryption_url

  3. Log in to comment