[Openid-specs-ab] Issue #2140: [Federation] Historical Keys Response: Reason_code: Define own keywords, remove X.509 CRL (RFC 5280) dependency (openid/connect)
Vladimir Dzhuvinov
issues-reply at bitbucket.org
Thu Apr 4 19:07:54 UTC 2024
New issue 2140: [Federation] Historical Keys Response: Reason_code: Define own keywords, remove X.509 CRL (RFC 5280) dependency
https://bitbucket.org/openid/connect/issues/2140/federation-historical-keys-response
Vladimir Dzhuvinov:
The historical keys response JWT uses reason_code values from the X.509 CRL spec.
https://openid.bitbucket.io/connect/openid-federation-1_0.html#name-federation-historical-keys-res
CRL reason codes:
https://www.rfc-editor.org/rfc/rfc5280.html#section-5.3.1
```
CRLReason ::= ENUMERATED {
    unspecified (0),
    keyCompromise (1),
    cACompromise (2),
    affiliationChanged (3),
    superseded (4),
    cessationOfOperation (5),
    certificateHold (6),
    -- value 7 is not used
    removeFromCRL (8),
    privilegeWithdrawn (9),
    aACompromise (10) }
```
Reuse is generally a good thing; however, some of these codes may end up confusing implementers and developers because they don’t map to JWK and OpenID Federation concepts. For example, `caCompromise`, `certificateHold`, `removeFromCRL`.