[Openid-specs-fapi] Issue #213: requirements on RSA/EC key sizes should apply to more situations (openid/fapi)

Joseph Heenan issues-reply at bitbucket.org
Mon Jan 28 15:25:59 UTC 2019


New issue 213: requirements on RSA/EC key sizes should apply to more situations
https://bitbucket.org/openid/fapi/issues/213/requirements-on-rsa-ec-key-sizes-should

Joseph Heenan:

Part 1 says the authorization server:

- shall require a key of size 2048 bits or larger if RSA algorithms are used for the client authentication;

- shall require a key of size 160 bits or larger if elliptic curve algorithms are used for the client authentication;

I find it odd that I can't obviously find these requirements echoed for:

1) client keys in other cases (e.g. request object signing key used for oauth-mtls)

2) keys used by the AS (e.g. to sign the id_token)
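As an added example that is not part of the original post or the FAPI spec, the check below applies the two minimums quoted above (RSA 2048 bits, EC 160 bits) to every key in a JWK Set, which is the place an AS or client would enforce them regardless of what the key is used for. The sample JWK Set and its moduli are constructed for the example; only their bit lengths matter.

```python
import base64

# Minimum sizes quoted from FAPI Part 1 for client authentication keys
MIN_RSA_BITS = 2048
MIN_EC_BITS = 160

# Curve sizes for the named EC curves registered for JWK (RFC 7518, RFC 8812)
EC_CURVE_BITS = {"P-256": 256, "P-384": 384, "P-521": 521, "secp256k1": 256}


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwk_key_bits(jwk):
    """Return the key size in bits for an RSA or EC JWK."""
    kty = jwk.get("kty")
    if kty == "RSA":
        # RSA key size is the bit length of the modulus n (base64url, big-endian)
        return int.from_bytes(_b64url_decode(jwk["n"]), "big").bit_length()
    if kty == "EC":
        crv = jwk.get("crv")
        if crv not in EC_CURVE_BITS:
            raise ValueError(f"unknown curve {crv!r}")
        return EC_CURVE_BITS[crv]
    raise ValueError(f"unsupported kty {kty!r}")


def check_jwks(jwks):
    """Return (kid, kty, bits, meets_minimum) for each key in a JWK Set."""
    results = []
    for jwk in jwks.get("keys", []):
        bits = jwk_key_bits(jwk)
        minimum = MIN_RSA_BITS if jwk["kty"] == "RSA" else MIN_EC_BITS
        results.append((jwk.get("kid"), jwk["kty"], bits, bits >= minimum))
    return results


# Constructed sample JWK Set: synthetic moduli of 1024 and 2048 bits, one P-256 key
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "rsa-weak", "e": "AQAB",
     "n": _b64url_encode(((1 << 1023) | 1).to_bytes(128, "big"))},
    {"kty": "RSA", "kid": "rsa-ok", "e": "AQAB",
     "n": _b64url_encode(((1 << 2047) | 1).to_bytes(256, "big"))},
    {"kty": "EC", "kid": "ec-ok", "crv": "P-256", "x": "AA", "y": "AA"},
]}
```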
