<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>Correction: the link to the standard should be <a href="https://tools.ietf.org/html/rfc7517#section-4.2">https://tools.ietf.org/html/rfc7517#section-4.2</a>.</div>
<div><br>
</div>
<div>…by the way:</div>
<ol>
<li>The keystore parser doesn’t accept anything other than “sig” and “enc” for “use”; an exception is thrown? That’s fine if MitreID is not using those, but it shouldn’t reject at the parser level since, as per the standard, other strings may be present. Well, it could be that they are being rejected at higher levels.</li>
<li>Multiple “sig” and “enc” keys can be defined in the keystore, and those, stripped of the private elements, are returned by the jwk endpoint.</li>
</ol>
<div>Regards,</div>
<div>Luiz</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Luiz Omori <<a href="mailto:luiz.omori@dm.duke.edu">luiz.omori@dm.duke.edu</a>><br>
<span style="font-weight:bold">Date: </span>Friday, August 28, 2015 at 2:09 PM<br>
<span style="font-weight:bold">To: </span>"<a href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a>" <<a href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a>><br>
<span style="font-weight:bold">Subject: </span>Keystore<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0);">
<div style="font-size: 14px; font-family: Calibri, sans-serif;">Hi,</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;"><br>
</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;">One minor thing, but that surprisingly is generating quite a few emails internally, is indirectly related to the configuration below (crypto-config.xml):</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;"><br>
</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;">
<div><span class="Apple-tab-span" style="white-space:pre"></span><bean id="defaultsignerService" class="org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService"></div>
<div><span class="Apple-tab-span" style="white-space:pre"></span><constructor-arg name="keyStore" ref="defaultKeyStore" /></div>
<div><span class="Apple-tab-span" style="white-space:pre"></span><property name="defaultSignerKeyId" value="rsa1" /></div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>&lt;property name="defaultSigningAlgorithmName" value="RS256" /&gt;</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span></bean></div>
</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;"><br>
</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;">Question: can “use”: “sig” (as defined in <a href="https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41">https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41</a>) be used as discriminator
for the signing key? In other words, why use the key ID and algorithm?</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;"><br>
</div>
<div>If multiple keys with “use”: “sig” may be present, how does the client know which one returned from <b>"jwks_uri"</b>: "<a href="http://localhost:8080/ldap-openid-connect-server/jwk">http://localhost:8080/ldap-openid-connect-server/jwk</a>” (from
well-known endpoint) should be used? We’ve noticed that that endpoint seems to be returning all keys (we haven’t tested other private keys but at least for the one used for signing the private modulus is removed, as expected). </div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;"><br>
</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;">Regards,</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;">Luiz</div>
</div>
</div>
</span>
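<div>An added example, not code from MITREid Connect or from either message above, that works through the two points raised in this thread: a JWK Set parser that follows RFC 7517 §4.2 (“sig” and “enc” are the registered “use” values, other values may appear and are not a parse error), a publisher that strips the RFC 7518 private members (“d”, “p”, “q”, “dp”, “dq”, “qi”, “oth” for RSA, “d” for EC, the whole key for “oct”) before the set is served from jwks_uri, and a selector showing why “use”: “sig” alone cannot pick the signing key once several “sig” keys exist, so a key ID (and algorithm) is still needed. The keystore JSON is constructed for this example and the base64url values are placeholders, not real key material.</div>

```python
import json
from typing import Dict, List, Optional

# Constructed JWK Set for this example only; every base64url value below is a
# placeholder, not real key material.
KEYSTORE_JSON = """{
  "keys": [
    {"kty": "RSA", "kid": "rsa1", "use": "sig", "alg": "RS256",
     "n": "MODULUS-1", "e": "AQAB", "d": "PRIVATE-d1", "p": "PRIVATE-p1",
     "q": "PRIVATE-q1", "dp": "PRIVATE-dp1", "dq": "PRIVATE-dq1", "qi": "PRIVATE-qi1"},
    {"kty": "RSA", "kid": "rsa2", "use": "sig", "alg": "RS256",
     "n": "MODULUS-2", "e": "AQAB", "d": "PRIVATE-d2"},
    {"kty": "RSA", "kid": "enc1", "use": "enc", "alg": "RSA-OAEP",
     "n": "MODULUS-3", "e": "AQAB", "d": "PRIVATE-d3"},
    {"kty": "EC", "kid": "x1", "use": "custom-other", "crv": "P-256",
     "x": "X-COORD-1", "y": "Y-COORD-1", "d": "PRIVATE-d4"}
  ]
}"""

# Registered "use" values (RFC 7517 section 4.2). Other values MAY be used, so
# an unknown value is reported, never rejected, by the parser.
KNOWN_USE = {"sig", "enc"}

# Private members per key type (RFC 7518 sections 6.2.2, 6.3.2, 6.4). An "oct"
# key is entirely secret, so it must never be published at all.
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "oct": {"k"},
}

JWK = Dict[str, object]


def parse_jwks(text: str) -> List[JWK]:
    """Parse a JWK Set, enforcing only what RFC 7517 actually requires."""
    doc = json.loads(text)
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list):
        raise ValueError('JWK Set must be an object with a "keys" array')
    parsed: List[JWK] = []
    for jwk in keys:
        if not isinstance(jwk, dict) or not isinstance(jwk.get("kty"), str):
            raise ValueError('each JWK needs a string "kty"')
        use = jwk.get("use")
        if use is not None and not isinstance(use, str):
            raise ValueError('"use" must be a string when present')
        # Any string value for "use" is accepted here; policy is applied later.
        parsed.append(jwk)
    return parsed


def unknown_use_values(keys: List[JWK]) -> List[str]:
    """Values of "use" outside the registered set, for logging at a higher level."""
    return sorted({k["use"] for k in keys if isinstance(k.get("use"), str)
                   and k["use"] not in KNOWN_USE})


def public_jwks(keys: List[JWK]) -> Dict[str, List[JWK]]:
    """Build the set to serve from jwks_uri: private members removed, oct keys dropped."""
    out: List[JWK] = []
    for jwk in keys:
        kty = jwk["kty"]
        if kty == "oct":
            continue
        private = PRIVATE_MEMBERS.get(kty, set())
        out.append({name: value for name, value in jwk.items() if name not in private})
    return {"keys": out}


def select_signing_key(keys: List[JWK], kid: Optional[str] = None,
                       alg: Optional[str] = None) -> Optional[JWK]:
    """Pick the signing key. "use" only filters out non-signing keys; with more
    than one signing key present, "kid" (and "alg") is what disambiguates."""
    candidates = [k for k in keys if k.get("use") in (None, "sig")]
    if kid is not None:
        candidates = [k for k in candidates if k.get("kid") == kid]
    if alg is not None:
        candidates = [k for k in candidates if k.get("alg") in (None, alg)]
    if not candidates:
        return None
    if len(candidates) > 1:
        raise LookupError("several signing keys match; a kid is required")
    return candidates[0]


if __name__ == "__main__":
    keystore = parse_jwks(KEYSTORE_JSON)
    print("unregistered use values:", unknown_use_values(keystore))
    print(json.dumps(public_jwks(keystore), indent=2))
    print("defaultSignerKeyId rsa1 ->", select_signing_key(keystore, "rsa1", "RS256")["kid"])
```

Run as a script it prints the published set (no “d”, “p”, “q”, “dp”, “dq” or “qi” in any key, matching what the jwk endpoint in the thread is observed to do) and selects “rsa1” the way the crypto-config.xml above does through defaultSignerKeyId and defaultSigningAlgorithmName; calling select_signing_key without a kid raises, which is the ambiguity the question about multiple “use”: “sig” keys points at.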
</body>
</html>