[Openid-specs-ab] Issue #1757: Historical Keys should show validity status (openid/connect)
Mischa Salle
issues-reply at bitbucket.org
Wed Dec 21 11:49:58 UTC 2022
New issue 1757: Historical Keys should show validity status
https://bitbucket.org/openid/connect/issues/1757/historical-keys-should-show-validaty
Mischa Salle:
Keys might have been rotated because the private key has leaked. That makes anything signed with that key untrustworthy. Hence I think it is probably good to distinguish between normal expiry and revocation and for the latter include the time of revocation.
In principle this could be done using expiry and the `exp` claim, but revoked keys can no longer reliably be used for anything, unlike normally rotated and expired keys. The latter can in principle be used to confirm that a chain was valid before its expiry date.
See also e.g. [https://pki-tutorial.readthedocs.io/en/latest/cadb.html](https://pki-tutorial.readthedocs.io/en/latest/cadb.html) for OpenSSL’s index.txt format, which has a flag for valid, revoked and expired and a timestamp for revocation or expiration.
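As an added illustration (example code, not part of the original message or of the OpenID Connect specs): it parses OpenSSL index.txt status lines like those referenced above and applies the distinction the issue draws, where an expired key still vouches for signatures made before its expiry while a revoked key vouches for nothing. The `status`/`revoked_at` record fields, the use of the index serial as `kid`, and the sample index lines are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed sample in OpenSSL index.txt layout (tab-separated):
# status, expiry, revocation[,reason], serial, filename, subject.
SAMPLE_INDEX = (
    "V\t251231235959Z\t\t01\tunknown\t/CN=signing-key-2024\n"
    "E\t231231235959Z\t\t02\tunknown\t/CN=signing-key-2022\n"
    "R\t241231235959Z\t230615120000Z,keyCompromise\t03\tunknown\t/CN=signing-key-2023\n"
)

@dataclass(frozen=True)
class HistoricalKey:
    kid: str            # assumption: the index serial doubles as the JWK kid
    status: str         # "V" valid, "E" expired, "R" revoked (index.txt flags)
    expires_at: datetime
    revoked_at: Optional[datetime] = None

def parse_ts(value: str) -> datetime:
    """index.txt timestamps are UTC in YYMMDDHHMMSSZ form."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text: str) -> Dict[str, HistoricalKey]:
    """Map each index.txt line to a HistoricalKey, keyed by serial."""
    keys = {}
    for line in text.splitlines():
        status, exp, rev, serial, _file, _subject = line.split("\t")
        revoked = parse_ts(rev.split(",")[0]) if rev else None  # drop optional reason
        keys[serial] = HistoricalKey(serial, status, parse_ts(exp), revoked)
    return keys

def signature_trusted(key: HistoricalKey, signed_at: datetime) -> bool:
    """A revoked key is trusted for nothing: with a leaked private key the
    claimed signing time is unverifiable. An expired key still vouches for
    signatures made before its expiry, which `exp` alone cannot express."""
    if key.status == "R" or key.revoked_at is not None:
        return False
    return signed_at < key.expires_at

def to_record(key: HistoricalKey) -> dict:
    """Hypothetical historical-key entry carrying an explicit validity status
    and revocation time next to the usual exp (field names are assumptions)."""
    record = {"kid": key.kid,
              "status": {"V": "valid", "E": "expired", "R": "revoked"}[key.status],
              "exp": int(key.expires_at.timestamp())}
    if key.revoked_at is not None:
        record["revoked_at"] = key.revoked_at.strftime("%Y-%m-%dT%H:%M:%SZ")
    return record
```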