[Openid-specs-fapi] Duplicate kids in jwks
bcampbell at pingidentity.com
Fri Jan 17 20:59:46 UTC 2020
For better or worse JOSE allowed for duplicate kids and Connect didn't
constrain it. So requiring uniqueness is a breaking change that an erratum
shouldn't be doing. I guess that counts as a negative opinion towards the
decision in https://bitbucket.org/openid/connect/issues/1127
On Fri, Jan 17, 2020 at 12:50 AM Joseph Heenan via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:
> Hi all,
> I wanted to direct the FAPI working group to this discussion within the
> Connect working group:
> Namely that duplicate kids are not permitted in JWKS.
> A test for this was recently added to all the conformance tests, which
> caused one of the UK banks to opine:
> it is valid for the JWK endpoint to return multiple KID instances, one for
> each ‘alg’ supported?
> The spec calls for the alg PS256 or longer to be supported, so we also
> have (for instance) PS384, PS512. And although we may show a couple that we
> don’t need, my point is that it must be valid to show multiple key entries
> to support multiple valid alg values.
> To some extent this seems a reasonable point, reusing a key across across
> two algs that can use the same key seems ok, and arguably perhaps better
> than having the key once without an ‘alg’ specified.
> As this affects the FAPI certification tests, I wanted to check the FAPI
> WG agrees with the decision in
> https://bitbucket.org/openid/connect/issues/1127 - any opinions (positive
> & negative) would be great please.
> Joseph Heenan
> OpenID Certification Team
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged
material for the sole use of the intended recipient(s). Any review, use,
distribution or disclosure by others is strictly prohibited. If you have
received this communication in error, please notify the sender immediately
by e-mail and delete the message and any file attachments from your
computer. Thank you._
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-fapi