Open kayakr opened 5 years ago
I've forked the ansible-role-keymaster to generate HMAC keys here:
It would be good to get some advice from the core contributors on whether this is the right place to be doing this kind of stuff and whether there are plans already in place on how to transition to JWT HMAC keys.
http://future.islandora.ca/admin/config/system/jwt defaults to RSASSA-PKCS1-v1_5 using SHA-256 (RS256). Security review of an Islandora 8 instance pointed out that https://tools.ietf.org/html/rfc3447#page-28 says "RSASSA-PKCS1-v1_5 is included for compatibility with existing applications, and while still appropriate for new applications, a gradual transition to RSASSA-PSS is encouraged." Perhaps HMAC using SHA-512 (HS512) should be the default instead?
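As an added illustration of what switching the default from RS256 to an HMAC algorithm such as HS512 means for the verifying side, the following stand-alone Python script (not code from Islandora, the jwt module or ansible-role-keymaster) implements compact JWS signing and verification with the standard library only. It shows the three things a defender wants pinned down when HMAC is the default: the secret must be at least as long as the hash output (64 bytes for HS512, per RFC 7518 section 3.2), the verifier must pin the expected `alg` rather than trust the token header, and the signature comparison must be constant-time. All claim values and the `sub`/`iat` names are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import os

# RFC 7518 s.3.2: the HMAC key MUST be at least as long as the hash output.
HMAC_MIN_KEY_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    """JWS base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def generate_hmac_key(alg: str = "HS512") -> bytes:
    """Fresh random secret of the minimum length the algorithm requires."""
    return os.urandom(HMAC_MIN_KEY_BYTES[alg])


def check_hmac_key(key: bytes, alg: str) -> None:
    if alg not in HMAC_MIN_KEY_BYTES:
        raise ValueError(f"unsupported HMAC algorithm {alg!r}")
    if len(key) < HMAC_MIN_KEY_BYTES[alg]:
        raise ValueError(f"{alg} key must be >= {HMAC_MIN_KEY_BYTES[alg]} bytes")


def sign_jwt(claims: dict, key: bytes, alg: str = "HS512") -> str:
    """Build header.payload.signature with the given HMAC algorithm."""
    check_hmac_key(key, alg)
    header = {"typ": "JWT", "alg": alg}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), HASHES[alg]).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, expected_alg: str = "HS512") -> dict:
    """Verify and return the claims. The caller, not the token, chooses the algorithm."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: a header saying "none" or a different HS* variant is rejected.
    if header.get("alg") != expected_alg:
        raise ValueError(f"alg {header.get('alg')!r} != expected {expected_alg!r}")
    check_hmac_key(key, expected_alg)
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), HASHES[expected_alg]).digest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def rejects(fn) -> bool:
    """True if fn() raises ValueError; used to show which tokens are refused."""
    try:
        fn()
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: one key, one token, then a tampered copy.
    key = generate_hmac_key("HS512")
    token = sign_jwt({"sub": "user1", "iat": 1}, key)
    print("verified claims:", verify_jwt(token, key))
    h, _, s = token.split(".")
    forged = h + "." + b64url_encode(b'{"sub":"admin","iat":1}') + "." + s
    print("forged payload rejected:", rejects(lambda: verify_jwt(forged, key)))
```

Two points worth keeping in mind when weighing HS512 against RS256 as a default: HMAC is symmetric, so every component that verifies tokens must hold the same secret that issues them, whereas RS256 lets verifiers hold only the public key; and the algorithm a verifier accepts is a server-side setting, so whichever default is chosen, the verifier should pin it rather than honour whatever `alg` arrives in the header.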