<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Answers inline.<br>
    <br>
    On 8/25/2016 9:52 AM, Michael Furman wrote:<br>
    <blockquote
cite="mid:AM5PR0701MB2530054A5953E0A27824AD36F4ED0@AM5PR0701MB2530.eurprd07.prod.outlook.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      <style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
      <div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">Hi
        Justin,<br>
        <div>
          <p class="MsoNormal">Thank you for your help!</p>
          <p class="MsoNormal">I have a couple of additional questions:</p>
          <p class="MsoNormal">1) How is it possible to establish
            static registration?<br>
            I want to establish the trust without the UI (during the
            installation of our products).<br>
            <br>
          </p>
        </div>
      </div>
    </blockquote>
    <br>
    You can use dynamic (not static) client registration. <br>
    <br>
    <blockquote
cite="mid:AM5PR0701MB2530054A5953E0A27824AD36F4ED0@AM5PR0701MB2530.eurprd07.prod.outlook.com"
      type="cite">
      <div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
        <div>
          <p class="MsoNormal">
            2) I read in the specifications that ID Tokens MUST be
            signed using JWS<span
              style="font-size:12.0pt;line-height:115%;font-family:&quot;Times
              New Roman&quot;,serif;
              mso-fareast-font-family:&quot;Times New
              Roman&quot;;mso-bidi-language:HE"> (</span><a
              moz-do-not-send="true" id="LPlnk374944"
              href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken">http://openid.net/specs/openid-connect-core-1_0.html#IDToken</a>)
            and the Client MUST validate the signature of all other ID
            Tokens according to JWS using the algorithm specified in the
            JWT alg Header Parameter (<a moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation">http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation</a>)</p>
          <p class="MsoNormal">Should the RP get the public key of the
            IDP?</p>
          <p class="MsoNormal">How do they exchange the public key?</p>
        </div>
      </div>
    </blockquote>
    <br>
    Yes, the server publishes its key and the client needs to download
    it and use that to validate the ID token. If you're using our client
    library, all of that is handled in the filter automatically. <br>
    <br>
     -- Justin<br>
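    <p>The key exchange described above, as an added example (not code from this thread or from MITREid Connect): the server publishes the public half of its RSA signing key as a JWK Set entry and signs the ID token with RS256; the RP looks the key up by kid, verifies the signature under the algorithm it expects, then checks iss, aud and exp. The function and type names, the kid and the claim values are this example's own; a real RP would fetch the JWK Set JSON from the jwks_uri in the server's discovery document instead of receiving it in-process.</p>

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)
type JWK struct{ Kty, Kid, N, E string } // RSA public-key members of one JWK Set entry (RFC 7517/7518)
var b64 = base64.RawURLEncoding          // JOSE base64url without padding

// IssueIDToken is the server side: publish the public half of its signing key (what jwks_uri serves, indexed by kid) and sign the claims as an RS256 compact JWS.
func IssueIDToken(kid string, claims map[string]any) (string, map[string]JWK) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // the server's signing key; the private half never leaves it
	jwks := map[string]JWK{kid: {"RSA", kid, b64.EncodeToString(priv.N.Bytes()), b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	c, _ := json.Marshal(claims)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	d := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return input + "." + b64.EncodeToString(sig), jwks
}

// VerifyIDToken is the RP side: select the key by kid, verify under the algorithm the RP expects (not the one the header claims), then check iss, aud and exp; returns the authenticated subject.
func VerifyIDToken(token string, jwks map[string]JWK, issuer, clientID string, now int64) (string, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if hb, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return "", errors.New("malformed JWS or unexpected alg") // pinning RS256 also rejects alg=none and alg-substitution tokens
	}
	k, ok := jwks[hdr.Kid]
	n, _ := b64.DecodeString(k.N)
	e, _ := b64.DecodeString(k.E)
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signature covers header.payload exactly as received
	sig, _ := b64.DecodeString(parts[2])
	if !ok || k.Kty != "RSA" || rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return "", errors.New("no RSA key with that kid, or signature does not verify")
	}
	var c struct{ Iss, Aud, Sub string; Exp int64 } // aud may also be a JSON array; this RP expects a single string
	cb, _ := b64.DecodeString(parts[1])
	if json.Unmarshal(cb, &c) != nil || c.Iss != issuer || c.Aud != clientID || c.Exp <= now {
		return "", errors.New("iss, aud or exp check failed")
	}
	return c.Sub, nil
}
```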
    <blockquote
cite="mid:AM5PR0701MB2530054A5953E0A27824AD36F4ED0@AM5PR0701MB2530.eurprd07.prod.outlook.com"
      type="cite">
      <div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
        <div>
        </div>
        <br>
        <div class="" style="margin-top:0px; margin-bottom:0px">Thank
          you in advance for your help.</div>
        <p class="MsoNormal" style="margin-top:0px; margin-bottom:0px"> </p>
        <div class="" style="margin-top:0px; margin-bottom:0px">Best
          regards,</div>
        <div class="" style="margin-top:0px; margin-bottom:0px"><span
            class="">  <span class="Apple-converted-space"> </span></span>Michael</div>
        <br>
        <div style="color: rgb(0, 0, 0);">
          <hr tabindex="-1" style="display:inline-block; width:98%">
          <div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
              face="Calibri, sans-serif" color="#000000"><b>From:</b>
              Justin Richer <a class="moz-txt-link-rfc2396E" href="mailto:jricher@mit.edu">&lt;jricher@mit.edu&gt;</a><br>
              <b>Sent:</b> Wednesday, August 24, 2016 8:56 PM<br>
              <b>To:</b> Michael Furman<br>
              <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a><br>
              <b>Subject:</b> Re: [mitreid-connect] How is enabled the
              trust between an openID client and the mitreid-connect
              server?</font>
            <div> </div>
          </div>
          <div>By default, simple-web-app is set up to use dynamic
            client registration:
            <div class=""><br class="">
            </div>
            <div class=""><a moz-do-not-send="true" id="LPlnk19286"
                href="https://tools.ietf.org/html/rfc7591" class="">https://tools.ietf.org/html/rfc7591</a></div>
            <div class=""><br class="">
            </div>
            <div class="">The server generates an ID and secret and
              hands them to the client as part of this protocol. This is
              not using symmetric encryption or symmetric signatures.</div>
            <div class=""><br class="">
            </div>
            <div class="">It is possible to use asymmetric signatures to
              authenticate the client, but the client needs to register
              its JWK value or JWK Set URI with the server to do so.</div>
            <div class=""><br class="">
            </div>
            <div class=""> — Justin</div>
            <div class=""><br class="">
              <div>
                <blockquote type="cite" class="">
                  <div class="">On Aug 24, 2016, at 9:15 AM, Michael
                    Furman &lt;<a moz-do-not-send="true"
                      href="mailto:michael_furman@hotmail.com" class="">michael_furman@hotmail.com</a>&gt;
                    wrote:</div>
                  <br class="Apple-interchange-newline">
                  <div class="">
                    <div id="divtagdefaultwrapper" class=""
                      style="font-style:normal; font-weight:normal;
                      letter-spacing:normal; orphans:auto;
                      text-align:start; text-indent:0px;
                      text-transform:none; white-space:normal;
                      widows:auto; word-spacing:0px; font-size:12pt;
                      background-color:rgb(255,255,255);
                      font-family:Calibri,Arial,Helvetica,sans-serif">
                      <div class="">
                        <div class="" style="margin-top:0px;
                          margin-bottom:0px">Hi all,<br class="">
                        </div>
                        <div class="" style="margin-top:0px;
                          margin-bottom:0px">I have launched the
                          openid-connect-server-webapp server and the
                          demo client (simple-web-app).</div>
                        <div class="" style="margin-top:0px;
                          margin-bottom:0px"><br class="">
                          I see that during dynamic registration
                          the client registered with a random client
                          secret (for example<span
                            class="Apple-converted-space"> </span><br
                            class="">
JqnXxNQzuAIg1qR0EZXS3WKfdKmvcKowlrIMQ0E8bDXrjRJjZA5nSJTxAeGlAaKVNQ9Qv3zoEUzhYSJyLJeFHg)</div>
                        <p class="MsoNormal" style="margin-top:0px;
                          margin-bottom:0px"> </p>
                        <div class="" style="margin-top:0px;
                          margin-bottom:0px">1) How is the secret passed
                          from the server to the client?</div>
                        <div class="" style="margin-top:0px;
                          margin-bottom:0px">2) According to my
                          understanding it is a shared secret (i.e.
                          symmetric encryption).</div>
                        <p class="MsoNormal" style="margin-top:0px;
                          margin-bottom:0px"> </p>
                        <div class="" style="margin-top:0px;
                          margin-bottom:0px">Is it possible to use
                          asymmetric encryption to enable the trust
                          between the openID client and the<span
                            class="rphighlightallclass"><span
                              class="Apple-converted-space"> </span>mitreid-connect</span><span
                            class="Apple-converted-space"> </span>server?</div>
                        <p class="MsoNormal" style="margin-top:0px;
                          margin-bottom:0px"> </p>
                        <div class="" style="margin-top:0px;
                          margin-bottom:0px">Thank you in advance for
                          your help.</div>
                        <p class="MsoNormal" style="margin-top:0px;
                          margin-bottom:0px"> </p>
                        <div class="" style="margin-top:0px;
                          margin-bottom:0px">Best regards,</div>
                        <div class="" style="margin-top:0px;
                          margin-bottom:0px"><span class="">  <span
                              class="Apple-converted-space"> </span></span>Michael</div>
                        <p class="MsoNormal" style="margin-top:0px;
                          margin-bottom:0px"> </p>
                      </div>
                      <br class="">
                    </div>
                    <span class="" style="font-family:Helvetica;
                      font-size:12px; font-style:normal;
                      font-weight:normal; letter-spacing:normal;
                      orphans:auto; text-align:start; text-indent:0px;
                      text-transform:none; white-space:normal;
                      widows:auto; word-spacing:0px; float:none;
                      display:inline!important">_______________________________________________</span><br
                      class="" style="font-family:Helvetica;
                      font-size:12px; font-style:normal;
                      font-weight:normal; letter-spacing:normal;
                      orphans:auto; text-align:start; text-indent:0px;
                      text-transform:none; white-space:normal;
                      widows:auto; word-spacing:0px">
                    <span class="" style="font-family:Helvetica;
                      font-size:12px; font-style:normal;
                      font-weight:normal; letter-spacing:normal;
                      orphans:auto; text-align:start; text-indent:0px;
                      text-transform:none; white-space:normal;
                      widows:auto; word-spacing:0px; float:none;
                      display:inline!important">mitreid-connect mailing
                      list</span><br class=""
                      style="font-family:Helvetica; font-size:12px;
                      font-style:normal; font-weight:normal;
                      letter-spacing:normal; orphans:auto;
                      text-align:start; text-indent:0px;
                      text-transform:none; white-space:normal;
                      widows:auto; word-spacing:0px">
                    <a moz-do-not-send="true"
                      href="mailto:mitreid-connect@mit.edu" class=""
                      style="font-family:Helvetica; font-size:12px;
                      font-style:normal; font-weight:normal;
                      letter-spacing:normal; orphans:auto;
                      text-align:start; text-indent:0px;
                      text-transform:none; white-space:normal;
                      widows:auto; word-spacing:0px">mitreid-connect@mit.edu</a><br
                      class="" style="font-family:Helvetica;
                      font-size:12px; font-style:normal;
                      font-weight:normal; letter-spacing:normal;
                      orphans:auto; text-align:start; text-indent:0px;
                      text-transform:none; white-space:normal;
                      widows:auto; word-spacing:0px">
                    <a moz-do-not-send="true"
                      href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect"
                      class="" style="font-family:Helvetica;
                      font-size:12px; font-style:normal;
                      font-weight:normal; letter-spacing:normal;
                      orphans:auto; text-align:start; text-indent:0px;
                      text-transform:none; white-space:normal;
                      widows:auto; word-spacing:0px">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a></div>
                </blockquote>
              </div>
              <br class="">
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>