IdentityModel / AuthorizationServer

Sample implementation of an OAuth2 Authorization Server

Throw exception if a certificate is not found #248

Closed rzontar closed 9 years ago

rzontar commented 9 years ago

PR for #247

leastprivilege commented 9 years ago

Thanks. Did you test that with scenarios that use symmetric keys?

I can't remember why we did it that way and wonder if that has any side effects.

rzontar commented 9 years ago

This PR only addresses the X509CertificateReference signing key. Currently, the symmetric keys are not affected. For consistency it could be checked there also.

I believe the risk is higher with certificates, since they are stored only as a reference. Although unlikely, they could be removed from the store, thereby compromising the token infrastructure. To achieve the same effect with symmetric keys, someone would have to gain access to the database and set the value to null.
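A fail-closed certificate lookup of the kind this PR argues for, written as an added example for this thread and not taken from the AuthorizationServer code base. The shape of the stored reference (store name, store location, thumbprint) and the `CertificateNotFoundException` type are assumptions; only the X.509 store APIs are standard .NET. The "before" method returns null when the referenced certificate has been removed from the store, so the failure surfaces later and far from its cause; the "after" method reports it at the point of lookup.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example, not the project's own code. The reference shape below is an
// assumption about how a certificate reference might be persisted.
public sealed class CertificateNotFoundException : Exception
{
    public CertificateNotFoundException(string message) : base(message) { }
}

public sealed class StoredCertificateReference
{
    public StoreName StoreName { get; set; }
    public StoreLocation StoreLocation { get; set; }
    public string Thumbprint { get; set; }
}

public static class CertificateLoader
{
    // Before: a missing certificate yields null, and the caller only fails
    // later (if at all) with an error that no longer points at the real cause.
    public static X509Certificate2 FindOrNull(StoredCertificateReference reference)
    {
        var store = new X509Store(reference.StoreName, reference.StoreLocation);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false so an expired-but-present certificate is still
            // distinguishable from one that has been removed from the store.
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, reference.Thumbprint, validOnly: false);
            return matches.Count == 0 ? null : matches[0];
        }
        finally
        {
            store.Close();
        }
    }

    // After: the missing certificate is reported where the lookup happens,
    // with enough context (thumbprint, location, store) to act on.
    public static X509Certificate2 FindOrThrow(StoredCertificateReference reference)
    {
        var certificate = FindOrNull(reference);
        if (certificate == null)
        {
            throw new CertificateNotFoundException(string.Format(
                "Certificate with thumbprint '{0}' was not found in {1}/{2}.",
                reference.Thumbprint, reference.StoreLocation, reference.StoreName));
        }
        return certificate;
    }
}
```

Calling `FindOrThrow` when the signing key is resolved (for instance at startup, before any token is issued) turns a silently missing certificate into an immediate, logged failure; an operator sees a clear exception instead of tokens that cannot be signed or validated.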

leastprivilege commented 9 years ago

thanks!