[Openid-specs-ab] Issue #1174: Federation: 126.96.36.199.1. The OP Constructing the Response - Clarify which keys need to be preserved to facilitate roll-over (openid/connect)
issues-reply at bitbucket.org
Mon Jun 8 06:48:40 UTC 2020
New issue 1174: Federation: 188.8.131.52.1. The OP Constructing the Response - Clarify which keys need to be preserved to facilitate roll-over
> At this point, if there already exists a client registration under the same entity identifier then that registration MUST be regarded as invalid. **Note that key material from the previous registration MUST be kept to make key rollover possible.**
Is this the entity JWK set or the JWK set referenced by the client metadata (`jwks_uri` or `jwks`)?
1. If it’s the entity statement JWK set we don’t quite understand why these will need to be kept after an update.
2. As for the `jwks_uri` / `jwks`, the roll-over is managed by the RP / client, by simply keeping the old keys in the set, until no longer used.
If some roll-over needs to happen re 1 (entity statement JWK set) then this could also be managed by the client, thus making the requirement for the OP redundant.
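The client-managed roll-over described in point 2, as an added illustration that is not part of the thread or the specification: the RP publishes a new key, keeps the old one in its JWK Set until signatures made with it can no longer be in circulation, and the verifier resolves keys by `kid`. It uses symmetric `oct` keys purely so the demo runs offline (real federation keys are asymmetric); `KeySet`, `rotate`, `prune` and the lifetime values are hypothetical.

```python
import base64, hashlib, hmac, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class KeySet:
    """Hypothetical RP key store: the current key plus retired keys awaiting pruning."""
    def __init__(self):
        self.keys = {}      # kid -> {"k": key bytes, "retired_at": time or None}
        self.current = None

    def rotate(self, now: float) -> str:
        """Introduce a new signing key; the previous one stays in the set, marked retired."""
        if self.current:
            self.keys[self.current]["retired_at"] = now
        kid = b64url(secrets.token_bytes(6))
        self.keys[kid] = {"k": secrets.token_bytes(32), "retired_at": None}
        self.current = kid
        return kid

    def prune(self, now: float, max_lifetime: float) -> list:
        """Drop a retired key only once no signature made with it can still be within lifetime."""
        gone = [kid for kid, e in self.keys.items()
                if e["retired_at"] is not None and now - e["retired_at"] > max_lifetime]
        for kid in gone:
            del self.keys[kid]
        return gone

    def jwks(self) -> dict:
        """What the RP would publish at jwks_uri (or embed as jwks): old and new keys together."""
        return {"keys": [{"kty": "oct", "kid": kid, "k": b64url(e["k"])}
                         for kid, e in self.keys.items()]}

def sign(ks: KeySet, payload: dict) -> str:
    """Compact JWS (HS256) signed with the current key; 'kid' in the header selects the key."""
    head = b64url(json.dumps({"alg": "HS256", "kid": ks.current}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(ks.keys[ks.current]["k"], f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify(jwks: dict, token: str):
    """Verifier side: look the 'kid' up in the published set; a pruned/unknown kid fails."""
    head, body, sig = token.split(".")
    kid = json.loads(b64url_decode(head))["kid"]
    keys = {k["kid"]: b64url_decode(k["k"]) for k in jwks["keys"]}
    if kid not in keys:
        return None
    expected = hmac.new(keys[kid], f"{head}.{body}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(body)) if hmac.compare_digest(expected, b64url_decode(sig)) else None
```

The point of the example is the ordering: a token signed before `rotate` still verifies against the published set, and only after `prune` removes the retired key does it stop verifying, so the RP, not the OP, controls when old key material disappears.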