[Openid-specs-fapi] Issue #702: Normative text within security considerations (openid/fapi)
josephheenan
issues-reply at bitbucket.org
Wed Jun 26 08:09:41 UTC 2024
New issue 702: Normative text within security considerations
https://bitbucket.org/openid/fapi/issues/702/normative-text-within-security
Joseph Heenan:
The JWKS URIs section under security considerations has 3 normative requirements in it:
https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-6.3
> any server providing a `jwks_uri` endpoint
>
> 1. shall only serve the `jwks_uri` endpoint over TLS;
> 2. should not use the JOSE headers for `x5u` and `jku`; and
> 3. should not serve a JWK set with multiple keys with the same `kid`.
>
I think we had a policy against having normative requirements in the security considerations section?
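The three quoted requirements are easy to check mechanically on the relying-party or conformance-testing side. The following is an added example, not code from the openid/fapi project or the FAPI specification; the function names, message strings and the sample JWK sets are assumptions constructed for illustration.

```python
"""Checks for the three jwks_uri requirements quoted in the issue.

Added example, not part of the FAPI specification or the openid/fapi project.
Function names, message strings and sample data are assumptions.
"""
import json
from collections import Counter
from urllib.parse import urlparse


def check_jwks_uri(uri: str) -> list[str]:
    """Requirement 1: the jwks_uri endpoint is only served over TLS."""
    parsed = urlparse(uri)
    if parsed.scheme != "https":
        return [f"jwks_uri {uri!r} is not an https URL"]
    return []


def check_jose_header(header: dict) -> list[str]:
    """Requirement 2: the JOSE headers x5u and jku are not used.

    A verifier that honoured these headers would fetch key material from a
    URL chosen by whoever produced the token, so a token carrying them is
    reported rather than trusted.
    """
    return [f"JOSE header {name!r} must not be used"
            for name in ("x5u", "jku") if name in header]


def check_jwk_set(jwks_json: str) -> list[str]:
    """Requirement 3: no two keys in the JWK set share a kid."""
    keys = json.loads(jwks_json).get("keys", [])
    counts = Counter(k["kid"] for k in keys if "kid" in k)
    return [f"kid {kid!r} appears {n} times in the JWK set"
            for kid, n in sorted(counts.items()) if n > 1]


def audit(uri: str, jwks_json: str, jose_header: dict) -> list[str]:
    """Run all three checks; an empty list means every requirement is met."""
    return check_jwks_uri(uri) + check_jwk_set(jwks_json) + check_jose_header(jose_header)


# Constructed sample JWK sets (not from the issue or the spec); key values are dummies.
GOOD_JWKS = json.dumps({"keys": [
    {"kty": "EC", "crv": "P-256", "kid": "2024-06-a", "use": "sig", "x": "AA", "y": "AA"},
    {"kty": "EC", "crv": "P-256", "kid": "2024-06-b", "use": "sig", "x": "AA", "y": "AA"},
]})
DUPLICATE_KID_JWKS = json.dumps({"keys": [
    {"kty": "EC", "crv": "P-256", "kid": "2024-06-a", "use": "sig", "x": "AA", "y": "AA"},
    {"kty": "RSA", "kid": "2024-06-a", "use": "sig", "n": "AA", "e": "AQAB"},
]})

if __name__ == "__main__":
    # Compliant server and header: prints []
    print(audit("https://as.example.com/jwks.json", GOOD_JWKS,
                {"alg": "ES256", "kid": "2024-06-a"}))
    # Plain-http URI, duplicate kid and a jku header: prints three findings
    print(audit("http://as.example.com/jwks.json", DUPLICATE_KID_JWKS,
                {"alg": "ES256", "kid": "2024-06-a", "jku": "https://elsewhere.example/jwks"}))
```

A conformance harness would feed `audit` the discovered `jwks_uri`, the fetched document and the protected header of each JWS it receives; duplicate `kid` values are reported per kid so a large key set with several collisions yields one finding each.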