square / go-jose

An implementation of JOSE standards (JWE, JWS, JWT) in Go

How to verify signature using set of JWKS via https url? #349

Closed smartaquarius10 closed 3 years ago

smartaquarius10 commented 3 years ago

Team,

I have my key set (like kid, kty, use, crv, RSA, EC, etc.) exposed at an HTTP URL: something.organization.com/az/JWKS. How do I validate a signature using these key sets with the help of the go-jose package?

Does the VerifySignature function handle this internally, or do we have to follow some other procedure? I would be grateful if anyone could share an example.

Thank you.

csstaub commented 3 years ago

You need to be able to trust the keys you use for verification, that won’t work if you fetch them over HTTP. How do you know the keys haven’t changed during transmission?

smartaquarius10 commented 3 years ago

@csstaub, hmm. But then how is go-jose verifying the signature? From where is it fetching the key sets?

csstaub commented 3 years ago

Go JOSE assumes that you have a trusted key already available to verify with. Fetching keys from third parties is out of scope of the library. Generally, Public-Key Infrastructure (PKI) is used to distribute & authenticate public keys, such as in the form of certificates. If you're having trouble understanding the trust calculus of key distribution schemes I would recommend seeking professional advice from a qualified security engineer.