[Openid-specs-fapi] Issue #213: requirements on RSA/EC key sizes should apply to more situations (openid/fapi)

Freddi Gyara Freddi.Gyara at openbanking.org.uk
Wed Jan 30 11:58:25 UTC 2019


Maybe, we should move this into the section that talks about algorithms and enhance it to include key lengths.

There is a general reference to the GPG for TLS - is there something similar we can reference for signing keys as well?

-------- Original Message --------
From: Joseph Heenan via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Date: Mon, 28 Jan 2019, 15:26
To: openid-specs-fapi at lists.openid.net
CC: Joseph Heenan <issues-reply at bitbucket.org>
Subject: [Openid-specs-fapi] Issue #213: requirements on RSA/EC key sizes should apply to more situations (openid/fapi)

New issue 213: requirements on RSA/EC key sizes should apply to more situations
https://bitbucket.org/openid/fapi/issues/213/requirements-on-rsa-ec-key-sizes-should

Joseph Heenan:

Part 1 says the authorization server:

- shall require a key of size 2048 bits or larger if RSA algorithms are used for the client authentication;

- shall require a key of size 160 bits or larger if elliptic curve algorithms are used for the client authentication;

I find it odd that I can't obviously find these requirements echoed for:

1) client keys in other cases (e.g. request object signing key used for oauth-mtls)

2) keys used by the AS (e.g. to sign the id_token)


_______________________________________________
Openid-specs-fapi mailing list
Openid-specs-fapi at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-fapi

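As an added example (not from this thread or from the FAPI specification itself), the following check applies the Part 1 thresholds quoted above (RSA 2048 bits, EC 160 bits) to every key in a JWK Set, so it can be run over a client's request-object signing keys or an AS's id_token signing keys alike. The sample JWKS and its RSA moduli are constructed for the demonstration and are not real keys; the curve-to-bit-size mapping is an assumption covering the JOSE NIST curves only.

```python
import base64

# Thresholds from FAPI Part 1 for client authentication keys; the issue
# asks that the same limits apply to request-object and AS signing keys.
MIN_RSA_BITS = 2048
MIN_EC_BITS = 160

# Curve name -> field size in bits (assumed mapping for the JOSE NIST curves).
EC_CURVE_BITS = {"P-256": 256, "P-384": 384, "P-521": 521}

def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, as used for JWK parameters."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def key_bits(jwk: dict) -> int:
    """Return the effective key size in bits of an RSA or EC JWK."""
    kty = jwk.get("kty")
    if kty == "RSA":
        # RSA key size is the bit length of the modulus n.
        return int.from_bytes(b64url_decode(jwk["n"]), "big").bit_length()
    if kty == "EC":
        crv = jwk.get("crv")
        if crv not in EC_CURVE_BITS:
            raise ValueError(f"unsupported curve: {crv}")
        return EC_CURVE_BITS[crv]
    raise ValueError(f"unsupported kty: {kty}")

def check_jwks(jwks: dict) -> list:
    """Check every key in a JWK Set; returns (kid, bits, ok) tuples."""
    results = []
    for jwk in jwks.get("keys", []):
        bits = key_bits(jwk)
        minimum = MIN_RSA_BITS if jwk["kty"] == "RSA" else MIN_EC_BITS
        results.append((jwk.get("kid"), bits, bits >= minimum))
    return results

def _fake_modulus(bits: int) -> str:
    """Constructed modulus of exactly `bits` bits (NOT a real RSA key)."""
    n = (1 << (bits - 1)) | 1
    return base64.urlsafe_b64encode(n.to_bytes((bits + 7) // 8, "big")).rstrip(b"=").decode()

# Constructed sample JWKS: a too-small RSA key, a compliant RSA key, a P-256 key
# (EC coordinates omitted since only the curve matters for the size check).
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "rsa-1024", "n": _fake_modulus(1024), "e": "AQAB"},
    {"kty": "RSA", "kid": "rsa-2048", "n": _fake_modulus(2048), "e": "AQAB"},
    {"kty": "EC", "kid": "ec-p256", "crv": "P-256"},
]}

if __name__ == "__main__":
    for kid, bits, ok in check_jwks(SAMPLE_JWKS):
        print(f"{kid}: {bits} bits -> {'OK' if ok else 'TOO SMALL'}")
```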

