[Openid-specs-ab] Issue #1161: Key rotation should require a delay between publishing a key and starting to use it? (openid/connect)

Torsten Lodderstedt torsten at lodderstedt.net
Mon Mar 23 11:29:09 UTC 2020

Thanks for the explanation. 

> On 23. Mar 2020, at 09:54, Filip Skokan <panva.ip at gmail.com> wrote:
> So the WG questions
> 	• should we do something about that language to suggest that signature recipients may omit fetching external jwks_uri resources if they already did so recently?

Sounds reasonable to me. Is it feasible? I’m asking since I assume this requires a particular caching strategy, which aligns with the test suite’s expectations.

> 	• should we extend the attestation statement to allow for other rotation tests to be attested to allow implementers to have mechanisms that protect their infrastructure.
