oauth2.dev

x5u

IESG

Registry Context

The `x5u` JWK parameter is a URI pointing to an X.509 certificate or certificate chain. The resource must provide PEM-encoded, RFC 5280-conformant certificate data. Its first certificate must contain the same public key as the JWK, and retrieval must provide integrity protection.

Technical Summary

RFC 7517 Section 4.6 defines `x5u` as a URI referring to an X.509 public key certificate or certificate chain. The resource representation must conform to RFC 5280 and use PEM encoding with RFC 4945 certificate delimiters. HTTP GET retrieval must use TLS, with server identity validated according to RFC 6125 Section 6. Other JWK members, including `use` and `alg` when present, must be semantically consistent with the first certificate.

When Used

When a JWK identifies certificate material through a URI.

Normative Requirements

Requests

MUST
1
  1. RFC 7517 - Section 4.6

    use TLS.

    An HTTP GET request to retrieve the certificate MUST use TLS.

Other JWK members present alongside `x5u`

MUST
1
  1. RFC 7517 - Section 4.6

    be semantically consistent with related fields in the first certificate.

    Condition: When other members are present

    The contents of other present members MUST be semantically consistent with related fields in the first certificate.

The `alg` member

MUST
1
  1. RFC 7517 - Section 4.6

    correspond to the algorithm specified in the certificate.

    Condition: When `alg` is present

    If the "alg" member is present, it MUST correspond to the algorithm specified in the certificate.

The `use` member

MUST
1
  1. RFC 7517 - Section 4.6

    correspond to the usage specified in the certificate.

    Condition: When `use` is present and the certificate includes usage information

    If the "use" member is present, it MUST correspond to the usage specified in the certificate, when included.

The `x5u` member

OPTIONAL
1
  1. RFC 7517 - Section 4.6

    be used.

    Use of this member is OPTIONAL.

The identified resource

MUST
1
  1. RFC 7517 - Section 4.6

    provide an RFC 5280-conformant representation of the certificate or certificate chain in PEM-encoded form, with each certificate delimited as specified in RFC 4945 Section 6.1.

    Condition: When identified by the `x5u` parameter

    The identified resource MUST provide an RFC 5280-conformant certificate or certificate-chain representation in PEM-encoded form.

The key in the first certificate

MUST
1
  1. RFC 7517 - Section 4.6

    match the public key represented by other members of the JWK.

    The key in the first certificate MUST match the public key represented by other members of the JWK.

The protocol used to acquire the resource

MUST
1
  1. RFC 7517 - Section 4.6

    provide integrity protection.

    The protocol used to acquire the resource MUST provide integrity protection.

The resource-retrieving implementation

MUST
1
  1. RFC 7517 - Section 4.6

    validate the identity of the server according to RFC 6125 Section 6.

    Condition: When retrieving the certificate using TLS

    The identity of the server MUST be validated, as per Section 6 of RFC 6125.

Validation Guidance

error

Verify that `x5u` is a URI referring to an X.509 public key certificate or certificate chain.

error

Verify that the retrieved resource is an RFC 5280-conformant certificate or certificate chain in PEM-encoded form using the required certificate delimiters.

error

Verify that the public key in the first certificate matches the public key represented by the JWK.

error

Require an integrity-protected retrieval protocol. For HTTP GET retrieval, require TLS and validate the server identity according to RFC 6125 Section 6.

error

Verify that all other present JWK members are semantically consistent with related fields in the first certificate.

error

If `use` is present and the certificate contains usage information, verify that the values correspond.

error

If `alg` is present, verify that it corresponds to the algorithm specified in the certificate.

Security Notes

RFC 7517 - Section 4.6

The acquisition protocol must provide integrity protection. HTTP GET retrieval must use TLS, and the server identity must be validated according to RFC 6125 Section 6.

RFC 7517 - Section 4.6

The public key in the first certificate must match the public key represented by the other JWK members.

Reference

Details

Entry Id
x5u
Parameter Name
x5u
Parameter Description
X.509 URL
Used With Kty Value
*
Parameter Information Class
Public
Change Controller
IESG
Reference
RFC7517 - Section 4.6