> On 12 Jul 2022, at 20:26, Michael Richardson <mcr+i...@sandelman.ca> wrote:
>
> EXEC-SUM: /.well-known/jwks.json seems in use, but not registered
> with IANA. I don't know if it's appropriate for my use.
> Seems to contain RFC7517 content.
A limitation of the JWKSet format is that it provides no way to designate which keys in the set are intended for what function. For example, if I have some keys I use for signing OIDC id tokens and another set of keys I use for signing software updates, there is no way to distinguish them if they are all in a single JWKSet (unless those functions use different algorithms). It is therefore wise to have distinct JWKSets published on distinct URIs for distinct functionality. A single well-known jwks.json is putting all your keys in one basket and will inevitably (IMO) lead to problems, maybe even security issues.

(I have seen some software use the “kid” to indicate purpose, but if you support key rotation then you’ll end up with duplicate “kid” values, which causes issues in some client software).

— Neil

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
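An added illustration of the point made above, not code from Neil's message or from any IETF document: two constructed JWK Sets (placeholder key coordinates, not real keys; the purpose names "oidc" and "updates" are assumed) show how a date-based "kid" collides once the sets are merged into one jwks.json, and a resolver that looks keys up by (purpose, kid) refuses the ambiguous match instead of picking the first key.

```python
import json
from collections import Counter

# Constructed sample JWK Sets in RFC 7517 shape. The key material is a
# placeholder, not real public keys; in practice each set would be fetched
# from its own purpose-specific URI.
OIDC_JWKS = json.loads("""{"keys": [
  {"kty": "EC", "crv": "P-256", "alg": "ES256", "use": "sig", "kid": "2022-07",
   "x": "oidc-x-placeholder", "y": "oidc-y-placeholder"},
  {"kty": "EC", "crv": "P-256", "alg": "ES256", "use": "sig", "kid": "2022-01",
   "x": "oidc-old-x-placeholder", "y": "oidc-old-y-placeholder"}
]}""")

# The software-update signing key was rotated in the same month, so its
# date-based "kid" collides with the OIDC key once the sets are merged.
UPDATES_JWKS = json.loads("""{"keys": [
  {"kty": "EC", "crv": "P-256", "alg": "ES256", "use": "sig", "kid": "2022-07",
   "x": "update-x-placeholder", "y": "update-y-placeholder"}
]}""")


def duplicate_kids(jwks):
    """Return the sorted list of "kid" values that occur more than once."""
    counts = Counter(k.get("kid") for k in jwks["keys"])
    return sorted(kid for kid, n in counts.items() if n > 1 and kid is not None)


def merge_jwks(*sets):
    """Combine several JWK Sets into one, as a single well-known jwks.json would."""
    return {"keys": [k for s in sets for k in s["keys"]]}


def select_key(jwks_by_purpose, purpose, kid):
    """Resolve a verification key by (purpose, kid).

    Only the set published for that purpose is searched, so an OIDC token can
    never verify against the update key. Zero or several matches are rejected
    rather than silently taking the first one.
    """
    candidates = [k for k in jwks_by_purpose[purpose]["keys"] if k.get("kid") == kid]
    if len(candidates) != 1:
        raise LookupError(f"{len(candidates)} keys with kid {kid!r} for {purpose!r}")
    return candidates[0]


if __name__ == "__main__":
    print("duplicate kids in merged set:", duplicate_kids(merge_jwks(OIDC_JWKS, UPDATES_JWKS)))
    sets = {"oidc": OIDC_JWKS, "updates": UPDATES_JWKS}
    print("update key x:", select_key(sets, "updates", "2022-07")["x"])
```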