Messages: X509 as MTI?

Issue #784 resolved
Former user created an issue

At the last face-to-face, the group decided that for Dynamic servers, the X509 format (as opposed to JWK format) should be mandatory to implement for publishing keys. The argument given at the time was that there were existing toolchains for producing and consuming X509 formatted certificates, especially in enterprise environments.

However, having implemented both for an enterprise environment with a traditionally enterprise-focused language (Java), my experience dictates otherwise.

The biggest problem is that the OIDC world doesn't care about certificate chains, it cares about bare keys. If your server is configured with just a bare key (which is all it needs), the tooling for dynamically generating a self-signed X509 certificate out of an existing bare key is not there.

I propose that we move JWK (with bare keys) to MTI and have X509 (whether as separate certs or as members of a JWK, see other issues for that) no longer as MTI.

Comments (2)

  1. Michael Jones

    Justin and Brian reported that generating certificates from public keys is hard.

    Having real certificates can introduce brittleness. That was the SAML experience. Certs fail to be renewed and expire, and this is often not monitored.

    The SAML Metadata IOP spec actually mandates ignoring all the X.509 fields other than the key for exactly these reasons!

    There will be fewer problems if we make bare keys MTI.

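Added example (not part of this issue or its comments, and not OpenID Connect project code): a Go program, using only the standard library because it has both X.509 and JSON tooling built in, that walks through what the issue and the comment above describe. It starts from an existing bare RSA key, publishes it as a bare JWK, wraps the same key in a self-signed X.509 certificate so it can also be published as x5c, and on the consumer side takes the key from n/e, uses any x5c only to check that the leaf carries the same key, and ignores expiry, chain and subject in the way the comment describes for SAML Metadata IOP. Certificate expiry is surfaced separately, as a monitoring signal rather than a verification failure. The names op.example, bare-1 and cert-1, the helper functions, and the deliberately expired certificate are all constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// JWK: the RFC 7517 members used here. n/e are the bare RSA key, x5c the optional cert chain.
type JWK struct {
	Kty string   `json:"kty"`
	Kid string   `json:"kid,omitempty"`
	N   string   `json:"n"`
	E   string   `json:"e"`
	X5c []string `json:"x5c,omitempty"`
}

// BareJWK publishes only the key material, which is all a token verifier needs.
func BareJWK(pub *rsa.PublicKey, kid string) JWK {
	enc := base64.RawURLEncoding.EncodeToString
	return JWK{Kty: "RSA", Kid: kid, N: enc(pub.N.Bytes()), E: enc(big.NewInt(int64(pub.E)).Bytes())}
}

// SelfSignedCertDER wraps an existing key pair in a throwaway self-signed X.509 certificate.
func SelfSignedCertDER(priv *rsa.PrivateKey, cn string, notBefore, notAfter time.Time) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
}

// JWKWithCert publishes the bare key and its certificate side by side.
func JWKWithCert(priv *rsa.PrivateKey, kid string, certDER []byte) JWK {
	j := BareJWK(&priv.PublicKey, kid)
	j.X5c = []string{base64.StdEncoding.EncodeToString(certDER)}
	return j
}

func leafCert(j JWK) (*x509.Certificate, error) {
	if len(j.X5c) == 0 {
		return nil, errors.New("no x5c")
	}
	der, err := base64.StdEncoding.DecodeString(j.X5c[0])
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PublicKeyFromJWK is the consumer side: it trusts n/e and, if x5c is present, only checks that
// the leaf carries the same key. Expiry, chain and subject are ignored, as SAML Metadata IOP does.
func PublicKeyFromJWK(j JWK) (*rsa.PublicKey, error) {
	nb, errN := base64.RawURLEncoding.DecodeString(j.N)
	eb, errE := base64.RawURLEncoding.DecodeString(j.E)
	e := new(big.Int).SetBytes(eb)
	if j.Kty != "RSA" || errN != nil || errE != nil || e.BitLen() > 31 {
		return nil, errors.New("not an RSA JWK with base64url n and a small e")
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(e.Int64())}
	if len(j.X5c) > 0 {
		cert, err := leafCert(j)
		if err != nil {
			return nil, err
		}
		if cp, ok := cert.PublicKey.(*rsa.PublicKey); !ok || cp.N.Cmp(pub.N) != 0 || cp.E != pub.E {
			return nil, errors.New("x5c leaf certificate does not match n/e")
		}
	}
	return pub, nil
}

// CertExpired reports whether the x5c leaf has lapsed: something to alert on, not to fail on.
func CertExpired(j JWK, now time.Time) (bool, error) {
	cert, err := leafCert(j)
	if err != nil {
		return false, err
	}
	return now.After(cert.NotAfter), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now() // constructed input: the certificate below is already expired on purpose
	der, _ := SelfSignedCertDER(priv, "op.example", now.Add(-2*time.Hour), now.Add(-time.Hour))
	keys := []JWK{BareJWK(&priv.PublicKey, "bare-1"), JWKWithCert(priv, "cert-1", der)}
	doc, _ := json.MarshalIndent(map[string][]JWK{"keys": keys}, "", "  ") // the jwks_uri document
	_, err := PublicKeyFromJWK(keys[1])
	expired, _ := CertExpired(keys[1], now)
	fmt.Printf("%s\ncert-1 usable: %v, expired: %v\n", doc, err == nil, expired)
}
```

Running it prints a two-key JWK Set in which cert-1 is the same key as bare-1 plus an x5c member, then reports that cert-1 is still usable even though its certificate has expired. The one X.509 check the consumer does keep is that the leaf's key equals n/e, so a JWK cannot advertise one key in the bare fields and a different one in the certificate.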