[Openid-specs-ab] Issue #1161: Key rotation should require a delay between publishing a key and starting to use it? (openid/connect)

Vladimir Dzhuvinov vladimir at connect2id.com
Mon Mar 23 22:17:59 UTC 2020


Hi Filip,

On 23/03/2020 10:54, Filip Skokan via Openid-specs-ab wrote:
>
>  1. should we do something about that language to suggest that
>     signature recipients may omit fetching external jwks_uri resources
>     if they already did so recently?
>  2. should we extend the attestation statement
>     <https://openid.net/wordpress-content/uploads/2015/04/OpenID-Certification-Attestation-Statement.pdf> to
>     allow for other rotation tests to be attested to allow
>     implementers to have mechanisms that protect their infrastructure.
>
What is your own take on this?

Vladimir

-- 
Vladimir Dzhuvinov
