[Openid-specs-fapi] Issue #213: requirements on RSA/EC key sizes should apply to more situations (openid/fapi)
Joseph Heenan
issues-reply at bitbucket.org
Mon Jan 28 15:25:59 UTC 2019
New issue 213: requirements on RSA/EC key sizes should apply to more situations
https://bitbucket.org/openid/fapi/issues/213/requirements-on-rsa-ec-key-sizes-should
Joseph Heenan:
Part 1 says the authorization server:
- shall require a key of size 2048 bits or larger if RSA algorithms are used for the client authentication;
- shall require a key of size 160 bits or larger if elliptic curve algorithms are used for the client authentication;
I find it odd that I can't obviously find these requirements echoed for:
1) client keys in other cases (e.g. request object signing key used for oauth-mtls)
2) keys used by the AS (e.g. to sign the id_token)
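The check the issue is asking for, as an added example that is not part of the original post and not code from the FAPI specification or its author: the Part 1 minimums quoted above (RSA keys of 2048 bits or more, elliptic curve keys of 160 bits or more) applied uniformly to every JWK set a deployment exposes, i.e. the client's authentication keys, the client's request object signing keys and the authorization server's own signing keys. The JWK sets, key IDs and role labels are constructed for illustration; the RSA moduli are only numbers of the right bit length, not real public keys, and the curve table covers the curves registered for JOSE.

```python
"""Minimum key-size check for the JWKs used in a FAPI deployment.

Added example (not FAPI or issue-author code). The same minimums are
applied to all three situations named in the issue; sample data below
is constructed and the RSA moduli are not real keys.
"""
import base64

MIN_RSA_BITS = 2048   # FAPI Part 1 minimum for RSA keys
MIN_EC_BITS = 160     # FAPI Part 1 minimum for elliptic curve keys

# Bit sizes of the curves registered for JOSE (RFC 7518, RFC 8812).
CURVE_BITS = {"P-256": 256, "P-384": 384, "P-521": 521, "secp256k1": 256}


def _b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the encoding JWK parameters use."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def key_bits(jwk: dict) -> int:
    """Return the security-relevant size of a JWK in bits.

    RSA: bit length of the modulus n (leading zero bytes do not count).
    EC: bit size of the named curve.
    Raises ValueError for malformed or unsupported keys so a caller never
    silently accepts a key whose size it could not measure.
    """
    kty = jwk.get("kty")
    if kty == "RSA":
        if "n" not in jwk:
            raise ValueError("RSA JWK without modulus")
        return int.from_bytes(_b64url_decode(jwk["n"]), "big").bit_length()
    if kty == "EC":
        crv = jwk.get("crv")
        if crv not in CURVE_BITS:
            raise ValueError(f"unsupported or missing curve: {crv!r}")
        return CURVE_BITS[crv]
    raise ValueError(f"unsupported key type: {kty!r}")


def check_jwks(jwks: dict, role: str) -> list:
    """Check every key in a JWK set; return a list of findings (empty = pass).

    `role` is a free-form label used only in the findings: the minimums
    do not depend on it, which is the point the issue raises.
    """
    findings = []
    for jwk in jwks.get("keys", []):
        kid = jwk.get("kid", "<no kid>")
        try:
            bits = key_bits(jwk)
        except ValueError as exc:
            findings.append(f"{role}: key {kid} rejected: {exc}")
            continue
        minimum = MIN_RSA_BITS if jwk["kty"] == "RSA" else MIN_EC_BITS
        if bits < minimum:
            findings.append(f"{role}: key {kid} ({jwk['kty']}) is {bits} bits, "
                            f"minimum is {minimum}")
    return findings


def _fake_rsa_modulus(bits: int) -> str:
    """Constructed modulus of exactly `bits` bits (not a real RSA key)."""
    n = (1 << (bits - 1)) | 1   # top bit set so bit_length() == bits
    raw = n.to_bytes((bits + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample JWK sets for the three situations named in the issue.
CLIENT_AUTH_JWKS = {"keys": [
    {"kty": "RSA", "kid": "client-auth-2048", "use": "sig",
     "n": _fake_rsa_modulus(2048), "e": "AQAB"},
]}
REQUEST_OBJECT_JWKS = {"keys": [
    {"kty": "RSA", "kid": "req-obj-1024", "use": "sig",
     "n": _fake_rsa_modulus(1024), "e": "AQAB"},          # below 2048
    {"kty": "EC", "kid": "req-obj-p256", "crv": "P-256", "use": "sig"},
]}
AS_SIGNING_JWKS = {"keys": [
    {"kty": "EC", "kid": "as-p192", "crv": "P-192", "use": "sig"},  # not a JOSE curve
    {"kty": "oct", "kid": "as-hmac"},   # symmetric: no RSA/EC size to measure
]}


def audit_all() -> dict:
    """Run the same check over all three roles; findings keyed by role."""
    return {
        "client_auth": check_jwks(CLIENT_AUTH_JWKS, "client_auth"),
        "request_object": check_jwks(REQUEST_OBJECT_JWKS, "request_object"),
        "as_signing": check_jwks(AS_SIGNING_JWKS, "as_signing"),
    }


if __name__ == "__main__":
    for role, findings in audit_all().items():
        print(role, "OK" if not findings else "")
        for finding in findings:
            print("  ", finding)
```

Keys the checker cannot measure (a curve outside the JOSE registry, a symmetric key, an RSA key with no modulus) are reported as rejected rather than skipped, so an unexpected key type cannot slip past the size policy. Running the audit against a live deployment would mean fetching the client's JWKS and the AS's `jwks_uri` and feeding each into `check_jwks` with the matching role.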