JSON Spec Work continued

Issue/Topic: Public Key Certificates as JWT

Session: Thursday 1E

Convener: Mike Jones, Microsoft

Notes-taker(s): Breno de Medeiros

Tags:

If and how to represent public key certificates as JSON Web Tokens

Discussion notes:

 * Certificate installation is a difficult and core technical obstacle in configuring security
 * Not all cases require PKI validation; the motivating examples given by J. Panzer et al. drove the proposal for the Magic Signatures specs
 * In the absence of PKI certificates, it's not possible to 'preserve' the security context around fetching the certificate
 * Is there a need to invent another type of JSON-based certificate? Do we have a need for certificates in addition to bare keys?
 * Why re-invent X.509? Create a JSON binding for the subset of KeyInfo from X.509 that is needed to advertise keys
 * After reviewing the KeyInfo, decided that the part of it of interest is trivially small and already described in competing proposals
 * Even a JWT is too complex, only need to create a simple descriptor for the key in JSON
 * Key_id needed

Decision: Go with simple approach

Decision: Keep specs separate
 * Keep this mini-spec separate from JWT and cross-reference? Or include this in the expanded spec of JWT to include encryption?
 * Need to allow this to have a URL-safe representation such as compact JWT?
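To make the "simple descriptor" discussion concrete, the following is an added example written for these notes; it is not code from the session, from Microsoft, or from any resulting spec, and the field names (`key_id`, `algorithm`, `modulus`, `exponent`) are assumptions chosen for illustration rather than a format the session agreed on. It shows the three points the bullets raise: a bare-key JSON descriptor with a mandatory key_id, structural validation of it (there is no chain to validate, so structure is all a consumer can check), and a URL-safe compact form using the same base64url encoding as compact JWT, with a key set indexed by key_id for lookup.

```python
import base64
import json

# Fields of the constructed minimal descriptor. These names are assumptions
# made for this example; the session did not settle on a wire format.
REQUIRED_FIELDS = ("key_id", "algorithm", "modulus", "exponent")


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, the URL-safe encoding compact JWT uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def int_to_b64url(n: int) -> str:
    """Big-endian, minimal-length encoding of a non-negative integer."""
    return b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big"))


def b64url_to_int(text: str) -> int:
    return int.from_bytes(b64url_decode(text), "big")


def validate_descriptor(desc: dict) -> dict:
    """Reject anything that is not exactly the minimal descriptor shape.

    A bare-key descriptor carries no certificate chain, so the only checks a
    consumer can apply are structural: every required field present, no
    extra fields, a non-empty key_id, and key material that decodes cleanly.
    """
    missing = [f for f in REQUIRED_FIELDS if f not in desc]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    extra = sorted(set(desc) - set(REQUIRED_FIELDS))
    if extra:
        raise ValueError(f"unexpected fields: {extra}")
    if not isinstance(desc["key_id"], str) or not desc["key_id"]:
        raise ValueError("key_id must be a non-empty string")
    if desc["algorithm"] != "RSA":
        raise ValueError("only RSA descriptors are handled in this example")
    if b64url_to_int(desc["modulus"]) <= 1 or b64url_to_int(desc["exponent"]) <= 1:
        raise ValueError("modulus and exponent must be integers greater than 1")
    return desc


def descriptor_public_numbers(desc: dict):
    """Return (modulus, exponent) as integers after validation."""
    validate_descriptor(desc)
    return b64url_to_int(desc["modulus"]), b64url_to_int(desc["exponent"])


def to_compact(desc: dict) -> str:
    """Single URL-safe token: base64url of the canonical JSON descriptor."""
    canonical = json.dumps(validate_descriptor(desc), separators=(",", ":"), sort_keys=True)
    return b64url_encode(canonical.encode("utf-8"))


def from_compact(token: str) -> dict:
    """Parse a compact token back into a validated descriptor."""
    return validate_descriptor(json.loads(b64url_decode(token).decode("utf-8")))


def build_key_set(descriptors) -> dict:
    """Index published descriptors by key_id; a duplicate key_id is a publishing error."""
    key_set = {}
    for desc in descriptors:
        validate_descriptor(desc)
        if desc["key_id"] in key_set:
            raise ValueError(f"duplicate key_id {desc['key_id']!r}")
        key_set[desc["key_id"]] = desc
    return key_set


# Constructed sample: a toy RSA modulus (61 * 53) and the usual exponent 65537,
# far too small for real use and chosen only so the encoded values are easy to check.
SAMPLE_KEY = {
    "key_id": "2011-example-key-1",
    "algorithm": "RSA",
    "modulus": int_to_b64url(3233),
    "exponent": int_to_b64url(65537),
}

if __name__ == "__main__":
    token = to_compact(SAMPLE_KEY)
    print("compact:", token)
    print("parsed:", from_compact(token))
    print("lookup:", build_key_set([SAMPLE_KEY])["2011-example-key-1"]["key_id"])
```

The strict "no extra fields" rule is a design choice for a deliberately tiny descriptor: if the format stays trivially small, unknown fields are more likely to be a mistake or a different spec's object than a legitimate extension, and failing early keeps consumers from silently ignoring something a signer relied on.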