Is it worthwhile for us to specify non-goals and features we will not consider for inclusion?
For example: At the top of the list is something analogous to JWT's `jku` claim. This can have a devastating impact on security, as Ryan Sleevi points out with OIDC-Discovery. We're generally better off leaving a `jku` equivalent out of PASETO entirely.
(What we may do instead is write a future PASETO extension that piggybacks on Gossamer to distribute public keys in an auditable and transparent way.)
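As an added illustration of the point above (example code, not from the PASETO project or this thread): a verifier that resolves the footer's `kid` only against a key registry it controls and treats any other footer field, such as a URL saying where to fetch keys, as grounds for rejection. Ed25519 is replaced by an HMAC stand-in because Python's standard library has no Ed25519, and the registry, key and tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed registry: only the verifier decides which keys are trusted, so no
# field inside a token can enlarge this set (HMAC key stands in for Ed25519).
TRUSTED_KEYS = {"k-2024-01": hashlib.sha256(b"constructed demo key").digest()}
HEADER = "v4.public."
ALLOWED_FOOTER_FIELDS = {"kid"}  # a jku-style key location is never honoured

def b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def pae(*pieces: bytes) -> bytes:
    # Pre-Authentication Encoding (PASETO spec): count + length-prefix each piece.
    out = len(pieces).to_bytes(8, "little")
    for p in pieces:
        out += len(p).to_bytes(8, "little") + p
    return out

def tag(key: bytes, m: bytes, f: bytes) -> bytes:
    return hmac.new(key, pae(HEADER.encode(), m, f, b""), hashlib.sha256).digest()
def mint(claims: dict, footer: dict, key: bytes) -> str:
    m = json.dumps(claims, separators=(",", ":")).encode()
    f = json.dumps(footer, separators=(",", ":")).encode()
    return HEADER + b64u(m + tag(key, m, f)) + "." + b64u(f)

def verify(token: str):
    if not token.startswith(HEADER):
        return None
    body, _, footer_b64 = token[len(HEADER):].partition(".")
    try:
        raw, f = unb64u(body), unb64u(footer_b64)
        footer = json.loads(f)
    except ValueError:  # bad base64 (binascii.Error) or bad JSON
        return None
    # The footer may only *name* a key we already hold; anything else is invalid.
    if not isinstance(footer, dict) or set(footer) != ALLOWED_FOOTER_FIELDS:
        return None
    kid = footer["kid"]
    if not isinstance(kid, str) or kid not in TRUSTED_KEYS:
        return None
    m, t = raw[:-32], raw[-32:]
    if not hmac.compare_digest(t, tag(TRUSTED_KEYS[kid], m, f)):
        return None
    return json.loads(m)
```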