[Openid-specs-fapi] Issue #208: Part 2 should limit allowed JWE algorithms (openid/fapi)

Joseph Heenan issues-reply at bitbucket.org
Wed Jan 9 10:42:37 UTC 2019


New issue 208: Part 2 should limit allowed JWE algorithms
https://bitbucket.org/openid/fapi/issues/208/part-2-should-limit-allowed-jwe-algorithms

Joseph Heenan:

The current spec says:

> JWS algorithm considerations
>
> Both clients and authorisation servers:
>
> shall use PS256 or ES256 algorithms;
> should not use algorithms that use RSASSA-PKCS1-v1_5 (e.g. RS256);
> shall not use none;

I think it's an oversight that this says "JWS" at the start. I think it was intended to cover JWE too. Simplest fix is to tweak the section title to say "JWS/JWE considerations".
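The gap described above, as an added example that is not part of the original message or of the FAPI specification: a header-only check that applies the quoted JWS rule and shows that a compact JWE falls outside it. The function names and sample tokens are constructed for illustration; the 3-segment versus 5-segment distinction is the compact serialization of JWS and JWE.

```python
import base64
import json

# Algorithms the quoted section permits ("shall use PS256 or ES256").
ALLOWED_JWS_ALGS = {"PS256", "ES256"}


def _b64url_json(segment):
    """Decode one base64url segment (padding restored) into a JSON object."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def classify_token(compact):
    """Return (kind, alg, verdict) from the protected header only.

    Nothing is verified or decrypted; this runs before key selection.
    """
    parts = compact.split(".")
    if len(parts) not in (3, 5):
        raise ValueError("not a compact JWS or JWE")
    alg = _b64url_json(parts[0]).get("alg")
    if len(parts) == 5:
        # JWE: the quoted "JWS algorithm considerations" list does not apply.
        return ("JWE", alg, "not covered by the JWS rule")
    if alg in ALLOWED_JWS_ALGS:
        return ("JWS", alg, "allowed")
    # Covers "none", RS256 and anything else outside the "shall use" list.
    return ("JWS", alg, "rejected")


def _make(header, segments):
    """Build a constructed sample token; non-header segments are filler."""
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return ".".join([h] + ["AA"] * (segments - 1))


# Constructed samples (hypothetical tokens, no real keys or signatures).
SAMPLES = [
    _make({"alg": "PS256"}, 3),
    _make({"alg": "RS256"}, 3),
    _make({"alg": "none"}, 3),
    _make({"alg": "RSA-OAEP", "enc": "A256GCM"}, 5),
]

if __name__ == "__main__":
    for token in SAMPLES:
        print(classify_token(token))
```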



