The draft doesn’t specify which hash function is being used. I assume it is SHA-256, but it should either say that is the only algorithm allowed or perhaps encode the hash algorithm into the URI. Otherwise the value is ambiguous.
Using a (hash of a) public key as an identifier is an idea that has historically been subject to various attacks such as unknown key share attacks, as well as issues due to malleable signature schemes or key exchange schemes - where the same proof of identity is valid under many public keys. The security considerations should mention these issues, and potential suggest countermeasures (eg including the full public key JWK in the input to be signed etc). — Neil > On 2 Feb 2022, at 12:19, Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote: > > > All, > > The JWK Thumbprint URI document is a simple and straightforward specification. > > This is a WG Last Call for this document: > https://www.ietf.org/archive/id/draft-ietf-oauth-jwk-thumbprint-uri-00.html > > Please, provide your feedback on the mailing list by Feb 16th. > > Regards, > Rifaat & Hannes > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
