[Openid-specs-ab] Issue #1161: Key rotation should require a delay between publishing a key and starting to use it? (openid/connect)
torsten at lodderstedt.net
Mon Mar 23 11:29:09 UTC 2020
Thanks for the explanation.
> On 23. Mar 2020, at 09:54, Filip Skokan <panva.ip at gmail.com> wrote:
> So the WG questions
> • should we do something about that language to suggest that signature recipients may omit fetching external jwks_uri resources if they already did so recently?
Sounds reasonable to me. Is it feasible? I’m asking since I assume this requires a particular caching strategy, which aligns with the test suite’s expectations.
> • should we extend the attestation statement to allow for other rotation tests to be attested to allow implementers to have mechanisms that protect their infrastructure.