Hi, Could you take me off the cc please? Thanks.
Sent from my iPhone

> On 13 Jul 2022, at 4:18 pm, Neil Madden <neil.mad...@forgerock.com> wrote:
>
>> On 12 Jul 2022, at 20:26, Michael Richardson <mcr+i...@sandelman.ca> wrote:
>>
>> EXEC-SUM: /.well-known/jwks.json seems in use, but not registered with IANA. I don't know if it's appropriate for my use. Seems to contain RFC7517 content.
>
> A limitation of the JWKSet format is that it provides no way to designate which keys in the set are intended for what function. For example if I have some keys I use for signing OIDC id tokens and another set of keys I use for signing software updates, there is no way to distinguish them if they are all in a single JWKSet (unless those functions use different algorithms). It is therefore wise to have distinct JWKSets published on distinct URIs for distinct functionality. A single well-known jwks.json is putting all your keys in one basket and will inevitably (IMO) lead to problems, maybe even security issues.
>
> (I have seen some software use the “kid” to indicate purpose, but if you support key rotation then you’ll end up with duplicate “kid” values, which causes issues in some client software).
>
> — Neil

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
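The two points in Neil's quoted message, a shared JWK Set that cannot say which function a key serves and the duplicate-"kid" problem under rotation, as an added example that is not part of the thread: a verifier's key selection against one shared set versus one set per function. All key material, kids and JWKS URIs below are constructed placeholders.

```python
"""Constructed example: key selection against a shared jwks.json versus
one JWK Set per function.  Placeholder keys; only the metadata matters."""
from collections import Counter


def ec_key(kid):
    """Placeholder P-256 signing JWK; x/y are not real coordinates."""
    return {"kty": "EC", "crv": "P-256", "alg": "ES256", "use": "sig",
            "kid": kid, "x": "PLACEHOLDER", "y": "PLACEHOLDER"}


# One shared set: OIDC id_token keys and software-update keys side by side.
# "kid" is being used to name the purpose, so after a rotation two OIDC keys
# carry the same kid, and nothing in the set says which function a key serves.
SHARED_JWKS = {"keys": [
    ec_key("oidc"),     # current OIDC signing key
    ec_key("oidc"),     # previous OIDC key, still published for rotation overlap
    ec_key("updates"),  # software-update signing key, same alg
]}

# Mitigation from the message: a distinct JWK Set per function, each at its
# own URI (assumed URIs, not defined by any specification).
PER_PURPOSE_JWKS = {
    "https://issuer.example/oidc/jwks.json":
        {"keys": [ec_key("oidc-2022-07"), ec_key("oidc-2022-01")]},
    "https://issuer.example/updates/jwks.json":
        {"keys": [ec_key("updates-2022-07")]},
}


def candidate_keys(jwks, kid, alg):
    """Every key a verifier could pick for a JOSE header with this kid and alg."""
    return [k for k in jwks["keys"] if k.get("kid") == kid and k.get("alg") == alg]


def duplicate_kids(jwks):
    """kid values published more than once (uniqueness is only a SHOULD in RFC 7517)."""
    counts = Counter(k.get("kid") for k in jwks["keys"])
    return sorted(kid for kid, n in counts.items() if n > 1)


def resolve_key(jwks_uri, kid, alg, published=PER_PURPOSE_JWKS):
    """Resolve a verification key only from the set bound to this function.
    Zero or several matches is an error, never a silent first-match pick."""
    matches = candidate_keys(published[jwks_uri], kid, alg)
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} keys match kid={kid!r} in {jwks_uri}")
    return matches[0]
```

With the shared set, `candidate_keys(SHARED_JWKS, "oidc", "ES256")` returns two keys and `duplicate_kids` reports the collision; with the per-function sets, `resolve_key` only ever returns a key published for the function the caller is verifying.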