JSON Spec Work continued

From IIW

Issue/Topic: Public Key Certificates as JWT

Session: Thursday 1E

Convener: Mike Jones, Microsoft

Notes-taker(s): Breno de Medeiros


If and how to represent public key certificates as JSON Web Tokens

Discussion notes:

  • Certificate installation a difficult and core technical obstacle in configuring security
  • Not all cases require PKI validation; motivation examples given by J. Panzer et. al., drove the proposal for the Magic Signatures specs
  • In the absence of PKI certificates, it's not possible to 'preserve' the security context around fetching the certificate
  • Is there a need to invent another type of JSON-based certificate? De we have a need for certificates in addition to bare keys
  • Why re-invent X.509? Create a JSON binding for the subset of KeyInfo from X.509 that is needed to advertise keys
  • After reviewing the KeyInfo, decided that the part of it of interest is trivially small and already described in competing proposals
  • Even a JWT is too complex, only need to create a simple descriptor for the key in JSON
  • Key_id needed

Decision: Go with simple approach

  • Keep this mini-spec separate from JWT and cross-reference? Or include this in the expanded spec of JWT to include encryption?

Decision: Keep specs separate

  • Need to allow this to have a URL-safe representation such as compact JWT?