<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
Hi Justin,<br>
<div>
<p class="MsoNormal">Thank you for your help!</p>
<p class="MsoNormal">I have a couple of additional questions:</p>
<p class="MsoNormal">1) How is it possible to establish static registration?<br>
I want to establish the trust without the UI (during the installation of our products).</p>
<p class="MsoNormal">2) I read in the specifications that ID Tokens MUST be signed using JWS (<a id="LPlnk374944" href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken">http://openid.net/specs/openid-connect-core-1_0.html#IDToken</a>)
 and the Client MUST validate the signature of all other ID Tokens according to JWS using the algorithm specified in the JWT alg Header Parameter (<a href="http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation">http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation</a>)</p>
<p class="MsoNormal">Should the RP get the public key of the IDP?</p>
<p class="MsoNormal">How do they exchange the public key?</p>
</div>
<br>
<div class="" style="margin-top:0px; margin-bottom:0px">Thank you in advance for your help.</div>
<p class="MsoNormal" style="margin-top:0px; margin-bottom:0px">&nbsp;</p>
<div class="" style="margin-top:0px; margin-bottom:0px">Best regards,</div>
<div class="" style="margin-top:0px; margin-bottom:0px"><span class="">&nbsp;&nbsp;<span class="Apple-converted-space">&nbsp;</span></span>Michael</div>
<br>
<div style="color: rgb(0, 0, 0);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" color="#000000" face="Calibri, sans-serif"><b>From:</b> Justin Richer &lt;jricher@mit.edu&gt;<br>
<b>Sent:</b> Wednesday, August 24, 2016 8:56 PM<br>
<b>To:</b> Michael Furman<br>
<b>Cc:</b> mitreid-connect@mit.edu<br>
<b>Subject:</b> Re: [mitreid-connect] How is enabled the trust between an openID client and the mitreid-connect server?</font>
<div>&nbsp;</div>
</div>
<div>By default, simple-web-app is set up to use dynamic client registration:
<div class=""><br class="">
</div>
<div class=""><a id="LPlnk19286" href="https://tools.ietf.org/html/rfc7591" class="">https://tools.ietf.org/html/rfc7591</a></div>
<div class=""><br class="">
</div>
<div class="">The server generates an ID and secret and hands them to the client as part of this protocol. This is not using symmetric encryption or symmetric signatures.</div>
<div class=""><br class="">
</div>
<div class="">It is possible to use asymmetric signatures to authenticate the client, but the client needs to register its JWK value or JWK Set URI with the server to do so.</div>
<div class=""><br class="">
</div>
<div class="">&nbsp;&#8212; Justin</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Aug 24, 2016, at 9:15 AM, Michael Furman &lt;<a href="mailto:michael_furman@hotmail.com" class="">michael_furman@hotmail.com</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div id="divtagdefaultwrapper" class="" style="font-style:normal; font-weight:normal; letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px; font-size:12pt; background-color:rgb(255,255,255); font-family:Calibri,Arial,Helvetica,sans-serif">
<p class="" style="margin-top:0px; margin-bottom:0px"></p>
<div class="">
<div class="" style="margin-top:0px; margin-bottom:0px">Hi all,<br class="">
</div>
<div class="" style="margin-top:0px; margin-bottom:0px">I have launched the openid-connect-server-webapp server and the demo client (simple-web-app).</div>
<div class="" style="margin-top:0px; margin-bottom:0px"><br class="">
I see that during dynamic registration the client is registered with a random client secret (for example<span class="Apple-converted-space">&nbsp;</span><br class="">
JqnXxNQzuAIg1qR0EZXS3WKfdKmvcKowlrIMQ0E8bDXrjRJjZA5nSJTxAeGlAaKVNQ9Qv3zoEUzhYSJyLJeFHg)</div>
<p class="MsoNormal" style="margin-top:0px; margin-bottom:0px">&nbsp;</p>
<div class="" style="margin-top:0px; margin-bottom:0px">1) How is the secret passed from the server to the client?</div>
<div class="" style="margin-top:0px; margin-bottom:0px">2) According to my understanding it is a shared secret (i.e. symmetric encryption).</div>
<p class="MsoNormal" style="margin-top:0px; margin-bottom:0px">&nbsp;</p>
<div class="" style="margin-top:0px; margin-bottom:0px">Is it possible to use asymmetric encryption to enable the trust between the openID client and the<span class="rphighlightallclass"><span class="Apple-converted-space">&nbsp;</span>mitreid-connect</span><span class="Apple-converted-space">&nbsp;</span>server?</div>
<p class="MsoNormal" style="margin-top:0px; margin-bottom:0px">&nbsp;</p>
<div class="" style="margin-top:0px; margin-bottom:0px">Thank you in advance for your help.</div>
<p class="MsoNormal" style="margin-top:0px; margin-bottom:0px">&nbsp;</p>
<div class="" style="margin-top:0px; margin-bottom:0px">Best regards,</div>
<div class="" style="margin-top:0px; margin-bottom:0px"><span class="">&nbsp;&nbsp;<span class="Apple-converted-space">&nbsp;</span></span>Michael</div>
<p class="MsoNormal" style="margin-top:0px; margin-bottom:0px">&nbsp;</p>
</div>
<br class="">
<p class="" style="margin-top:0px; margin-bottom:0px"></p>
</div>
<span class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px; float:none; display:inline!important">_______________________________________________</span><br class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px">
<span class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px; float:none; display:inline!important">mitreid-connect
 mailing list</span><br class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px">
<a href="mailto:mitreid-connect@mit.edu" class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px">mitreid-connect@mit.edu</a><br class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px">
<a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a></div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
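<div>
<p class="MsoNormal">Added worked example for question 2 in the message above (how the RP validates the ID Token signature and how it obtains the OP's public key). This is not code from the thread, from MITREid Connect or from simple-web-app; it is a stand-alone Go program written here to show the exchange described in OpenID Connect Core 3.1.3.7 together with RFC 7517 (JSON Web Key): the OP publishes its public signing key as a JWK Set at the jwks_uri advertised in its discovery document, puts the matching kid in every ID Token header, and the RP selects the key by kid and verifies the RS256 signature before trusting any claim. The function names newIdP, signIDToken and verifyIDToken, the issuer https://op.example/, the client_id client-123 and the kid values are assumptions for illustration, and the JWK Set is handed over in memory instead of being fetched over HTTPS.</p>

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url throughout

// newIdP plays the OP: it generates a signing key pair and returns the JWK Set
// (RFC 7517) the RP later fetches over TLS from the OP's jwks_uri. Only this
// JSON ever leaves the OP; the private key stays there. (Illustrative names.)
func newIdP(kid string) (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	doc, err := json.Marshal(map[string]interface{}{"keys": []map[string]string{{
		"kty": "RSA", "use": "sig", "kid": kid,
		"n": b64.EncodeToString(priv.N.Bytes()),
		"e": b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes()),
	}}})
	return priv, doc, err
}

// signIDToken plays the OP: an RS256 JWS in compact serialization, carrying
// the kid in the protected header so the RP can select the matching key.
func signIDToken(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// verifyIDToken plays the RP (OIDC Core 3.1.3.7): pin the algorithm, select
// the OP key by kid from the JWK Set, verify the JWS, then check the claims.
func verifyIDToken(token string, jwksDoc []byte, issuer, clientID, nonce string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("malformed JWS header")
	}
	// The RP decides which algs it accepts; the allowlist rejects "none" and HMAC key-confusion tricks.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var set struct{ Keys []struct{ Kty, Kid, N, E string } }
	if err := json.Unmarshal(jwksDoc, &set); err != nil {
		return nil, err
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty == "RSA" && k.Kid == hdr.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no usable RSA key with kid %q in JWK Set", hdr.Kid)
	}
	sig, _ := b64.DecodeString(parts[2]) // a malformed signature simply fails below
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("ID Token signature invalid")
	}
	var claims map[string]interface{}
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, fmt.Errorf("malformed JWT payload")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	switch {
	case claims["iss"] != issuer:
		return nil, fmt.Errorf("iss mismatch")
	case claims["aud"] != clientID: // aud may also be an array; single-string form only here
		return nil, fmt.Errorf("aud is not our client_id")
	case !ok || now.Unix() >= int64(exp):
		return nil, fmt.Errorf("exp missing or token expired")
	case nonce != "" && claims["nonce"] != nonce:
		return nil, fmt.Errorf("nonce mismatch")
	}
	return claims, nil
}
```

<p class="MsoNormal">To run it, add a main (or a test) that calls newIdP, then signIDToken with the same kid, then verifyIDToken with the JWK Set bytes; verifyIDToken returns the claims only when every check passes and returns an error for a tampered payload, an alg of "none", an unknown kid, a foreign audience or an expired token. In a real RP the JWK Set comes from the jwks_uri named in the OP's discovery document and is cached and re-fetched when an unknown kid shows up, which is how the OP rotates keys without reconfiguring clients. The mirror image is what the reply below calls registering a JWK value or JWK Set URI for the client: the client publishes its own public key the same way so the server can verify client-authentication assertions without a shared secret.</p>
</div>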
</div>
</body>
</html>