Open yaronf opened 4 months ago
+1 (Commenting as an identity enthusiast as opposed to WIMSE co-chair)
While I think it would be great to have this, I'm not sure this is practically do-able unless we limit 'cnf' to 'jwk' only. If kid is used the actual jwk is hosted somewhere else and implementers will have a hard time making sure 'alg' attribute is always present.
I believe this issue is valid for the DPoP-ish approach too, there the alg header in the JWT could technically differ from the 'cnf' claim.
limit 'cnf' to 'jwk' only
it is currently https://www.ietf.org/archive/id/draft-sheffer-wimse-s2s-protocol-00.html#section-4.1-2.2.2.5.1
The alg Message Signature parameter is arguably a vulnerability waiting to happen, because verifiers would trust this field even though they lack context, similarly to the "none" issue with JWTs. IMO an algorithm should be strongly bound to a key. Can we make the alg field mandatory within the JWK instead?
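The binding discussed in this thread, sketched as a verifier-side check. This is an added example, not part of the issue or of the WIMSE draft. The names `bound_algorithm`, `AlgBindingError` and `SAMPLE_CNF` and the algorithm allow-list are assumptions; the algorithm names themselves are the registered JOSE and RFC 9421 identifiers.

```python
# Added example: the verification algorithm comes from the key, not the message.
# JOSE alg -> (kty, crv, RFC 9421 signature algorithm name). The allow-list is
# an assumption of this sketch, not taken from the WIMSE draft.
JOSE_ALGS = {
    "ES256": ("EC", "P-256", "ecdsa-p256-sha256"),
    "ES384": ("EC", "P-384", "ecdsa-p384-sha384"),
    "EdDSA": ("OKP", "Ed25519", "ed25519"),
    "PS512": ("RSA", None, "rsa-pss-sha512"),
}


class AlgBindingError(ValueError):
    """The key does not pin exactly one acceptable algorithm."""


def bound_algorithm(cnf, declared_alg=None, http_sig=False):
    """Return the JOSE alg to verify with, read only from cnf.jwk.

    declared_alg is whatever the message claims: a JWT header alg, or
    (http_sig=True) the alg Message Signature parameter. It is only ever
    compared against the key's algorithm, never used to choose one.
    """
    jwk = cnf.get("jwk")
    if not isinstance(jwk, dict):
        raise AlgBindingError("cnf has no inline jwk (e.g. kid only)")
    alg = jwk.get("alg")
    if alg not in JOSE_ALGS:  # missing, "none", or not allow-listed
        raise AlgBindingError(f"jwk alg missing or not allowed: {alg!r}")
    kty, crv, http_name = JOSE_ALGS[alg]
    if jwk.get("kty") != kty or (crv is not None and jwk.get("crv") != crv):
        raise AlgBindingError(f"key type does not match alg {alg}")
    expected = http_name if http_sig else alg
    if declared_alg is not None and declared_alg != expected:
        raise AlgBindingError(f"message declares {declared_alg!r}, key is bound to {expected!r}")
    return alg


# Constructed sample; the coordinates are placeholders, not a real key.
SAMPLE_CNF = {"jwk": {"kty": "EC", "crv": "P-256", "alg": "ES256",
                      "x": "PLACEHOLDER_X", "y": "PLACEHOLDER_Y"}}

if __name__ == "__main__":
    print(bound_algorithm(SAMPLE_CNF, "ecdsa-p256-sha256", http_sig=True))
    for bad in ("ES384", "none"):
        try:
            bound_algorithm(SAMPLE_CNF, bad)
        except AlgBindingError as err:
            print("rejected:", err)
```

The returned value is what gets handed to the signature library; a `cnf` that carries only a `kid` is rejected here because the sketch has no resolved key to read `alg` from.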