Hi,

I am trying to reconcile the security guidance provided by RFC 7517 and RFC 8725. My question is how to validate a key received from a JWKS endpoint if it contains an "x5c" parameter.

In RFC 8725, section 3.8, it states (https://www.rfc-editor.org/rfc/rfc8725.html#name-validate-issuer-and-subject):

"When a JWT contains an "iss" (issuer) claim, the application MUST validate that the cryptographic keys used for the cryptographic operations in the JWT belong to the issuer. If they do not, the application MUST reject the JWT. The means of determining the keys owned by an issuer is application-specific. As one example, OpenID Connect [OpenID.Core] issuer values are "https" URLs that reference a JSON metadata document that contains a "jwks_uri" value that is an "https" URL from which the issuer's keys are retrieved as a JWK Set [RFC7517]. This same mechanism is used by [RFC8414]. Other applications may use different means of binding keys to issuers."

However, RFC 7517, section 9.1 states (https://tools.ietf.org/html/rfc7517#section-9):

"For instance, the creator of a JWK can include a PKIX certificate in the JWK's "x5c" member. If the application validates the certificate and verifies that the JWK corresponds to the subject public key in the certificate, then the JWK can be associated with the attributes in the certificate, such as the subject name, subject alternative names, extended key usages, and its signature chain."

My confusion is due to the fact that there are two certificates that are in play here:

- Certificate A: used to secure the TLS connection for the JWKS endpoint
- Certificate B: used within the "x5c" attribute of the key within JWKS

The two examples in RFC 8725 seem to imply that it is sufficient to validate the subject name of "certificate A" against the "jwks_uri" and then trust the key material. However, in RFC 7517, it seems that "certificate B" needs to be validated as well, but it doesn't say how to verify that "the JWK corresponds to the subject public key in the certificate".

Thank you

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
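As an added example that is not part of the post above or of either RFC, here is one way to perform the RFC 7517 section 9.1 step the question asks about, in Go using only the standard library: decode the "x5c" chain, verify the leaf (x5c[0]) to a locally trusted root, rebuild the public key from the JWK's "n" and "e" members, and check that it equals the leaf certificate's subject public key. The issuer CA, the two certificates, the subject name "https://issuer.example", the JWKs and the `must`/`NewDemo`/`ValidateX5c` helpers are all constructed here for illustration; the trust root is supplied by the caller, which is the part RFC 7517 leaves application-specific.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// JWK holds the RFC 7517 members used here (RSA only). Note the two encodings: "n" and "e"
// are base64url without padding; each "x5c" entry is standard base64 of the DER certificate.
type JWK struct {
	Kty string   `json:"kty"`
	N   string   `json:"n"`
	E   string   `json:"e"`
	X5c []string `json:"x5c,omitempty"`
}

func jwkFromKey(pub *rsa.PublicKey, leaf *x509.Certificate) JWK {
	return JWK{Kty: "RSA", N: base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
		E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
		X5c: []string{base64.StdEncoding.EncodeToString(leaf.Raw)}}
}

// ValidateX5c is the RFC 7517 section 9.1 step for one JWK: parse "x5c", verify the leaf
// (x5c[0]) to a trusted root, then confirm "n"/"e" equal the leaf's subject public key.
// Only after both checks may the JWK inherit the leaf's subject, SANs and EKUs.
func ValidateX5c(k JWK, roots *x509.CertPool) (*x509.Certificate, error) {
	if len(k.X5c) == 0 {
		return nil, errors.New("JWK has no x5c member")
	}
	var chain []*x509.Certificate
	for i, s := range k.X5c {
		der, err := base64.StdEncoding.DecodeString(s)
		c, perr := x509.ParseCertificate(der)
		if err != nil || perr != nil {
			return nil, fmt.Errorf("x5c[%d] is not a base64 DER certificate", i)
		}
		chain = append(chain, c)
	}
	leaf, inter := chain[0], x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c) // x5c[1..] are intermediates; the root must come from local trust
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, fmt.Errorf("x5c chain does not verify: %w", err)
	}
	nb, errN := base64.RawURLEncoding.DecodeString(k.N)
	eb, errE := base64.RawURLEncoding.DecodeString(k.E)
	e := new(big.Int).SetBytes(eb)
	if k.Kty != "RSA" || errN != nil || errE != nil || !e.IsInt64() || e.Int64() < 3 {
		return nil, errors.New("not a well-formed RSA JWK")
	}
	jwkKey := &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(e.Int64())}
	// The binding check: a valid certificate paired with an unrelated key must be rejected.
	if certKey, ok := leaf.PublicKey.(*rsa.PublicKey); !ok || !certKey.Equal(jwkKey) {
		return nil, errors.New("JWK n/e do not match the x5c leaf's subject public key")
	}
	return leaf, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewDemo builds a constructed scenario (not a real JWKS): a private CA as trust root, a signing
// certificate it issued, the honest JWK, and one that keeps the certificate but swaps in the CA's key.
func NewDemo() (roots *x509.CertPool, good, substituted JWK) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	sigKey := must(rsa.GenerateKey(rand.Reader, 2048))
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Example Issuer CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "https://issuer.example"},
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &sigKey.PublicKey, caKey))))
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, jwkFromKey(&sigKey.PublicKey, leaf), jwkFromKey(&caKey.PublicKey, leaf)
}

func main() {
	roots, good, substituted := NewDemo()
	_, errGood := ValidateX5c(good, roots)
	_, errBad := ValidateX5c(substituted, roots)
	fmt.Println("honest JWK:", errGood, "| substituted key:", errBad)
}
```

Two points the code makes explicit. First, the TLS certificate of the JWKS endpoint (certificate A in the post) plays no part in this check: it authenticates the host the document was fetched from, while this check binds the key inside the document to certificate B's subject, and a JWK whose "n"/"e" belong to a different key than the one certified is rejected even though its "x5c" chain is perfectly valid. Second, the chain in "x5c" is only evidence, never a trust anchor: the intermediates are taken from the JWK, but the root must come from the application's own trust store.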