the-commons-project / vci-directory

Holds membership information for SHC issuers that are part of the VCI (https://vci.org/) Directory.

Why do multiple issuers listed have the exact same identifier? #214

Open deschandhok24 opened 2 years ago

deschandhok24 commented 2 years ago

I'm working with a team to build some software that can read SMART health cards and extract vaccination status. Our current solution uses the KID value to look up the issuer (from the list here), and then from there we can decrypt the data. One weird thing we've noticed is that multiple Issuers are using the same KID value.

For example, University of Alabama Hospital and University of Missouri Health Care:
https://fhir-myrecord.cerner.com/r4/11e960ca-465e-403d-a8ac-dfa9be65dd83/.well-known/jwks.json
https://fhir-myrecord.cerner.com/r4/Vo3nb7XNL_9G2kQXBPPW3-r0QcpkrCy7/.well-known/jwks.json

These two Cerner hospital centers are using the same KID/X/Y. Why are we listing them separately? How would we be able to tell them apart if we are looking them up by KID?

laurencebgood commented 2 years ago

I don't know why they are doing that, and personally I would suggest they not, just to limit the damage if a private key leaks. But the short "why" is likely because they both use Cerner EHR, and so I would guess this is what Cerner decided to do.

That said, I know of no requirement to use a unique key (and therefore a unique kid). I'd suggest using the iss URL, which has been discussed as the preferred unique identifier for this directory, and in practice is what various apps are using to identify issuers. (A single iss URL can also include multiple keys in one jwks file. A single issuer may use multiple iss URLs; I think this is discouraged, but see also the addition of canonical_iss to this directory as an effort to rationalize that practice.)
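The lookup order the reply recommends (resolve the issuer by the `iss` URL in the card payload, then find the signing key by `kid` inside that issuer's published JWKS, rather than searching the whole directory by `kid`), shown as an added example that is not code from the vci-directory project or from either commenter. The directory entries, the key material and the health card below are constructed stand-ins: the two Cerner `iss` URLs are the ones quoted in the issue, but `SHARED_KID_PLACEHOLDER`, the `x`/`y` values, the third issuer and the card's signature are made up, and the simplified entry shape (`iss`, `name`, optional `canonical_iss`, inline `keys`) is an assumption, not the repository's actual file format. Signature verification is omitted here; a real verifier must check the ES256 signature with the resolved key before trusting anything in the payload, including `iss` itself.

```python
import base64
import json
import zlib

# Constructed, simplified directory (not the real vci-issuers.json schema).
# The first two entries publish the same key, as reported in the issue.
_SHARED_KEY = {
    "kty": "EC", "kid": "SHARED_KID_PLACEHOLDER", "use": "sig", "alg": "ES256",
    "crv": "P-256", "x": "X_PLACEHOLDER", "y": "Y_PLACEHOLDER",  # made-up values
}
DIRECTORY = [
    {"iss": "https://fhir-myrecord.cerner.com/r4/11e960ca-465e-403d-a8ac-dfa9be65dd83",
     "name": "University of Alabama Hospital", "keys": [_SHARED_KEY]},
    {"iss": "https://fhir-myrecord.cerner.com/r4/Vo3nb7XNL_9G2kQXBPPW3-r0QcpkrCy7",
     "name": "University of Missouri Health Care", "keys": [_SHARED_KEY]},
    {"iss": "https://example-issuer.invalid/shc",  # constructed issuer with its own key
     "canonical_iss": "https://example-issuer.invalid/shc",
     "name": "Example Issuer (constructed)",
     "keys": [dict(_SHARED_KEY, kid="UNIQUE_KID_PLACEHOLDER", x="X2_PLACEHOLDER")]},
]


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_shc_jws(kid: str, iss: str) -> str:
    """Build a constructed SMART Health Card JWS: DEFLATE-compressed payload,
    'zip': 'DEF' header, and a dummy 64-byte signature (NOT a valid ES256 signature)."""
    header = {"alg": "ES256", "zip": "DEF", "kid": kid}
    payload = {"iss": iss, "nbf": 1650000000,
               "vc": {"type": ["https://smarthealth.cards#health-card"]}}
    comp = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    raw = comp.compress(json.dumps(payload, separators=(",", ":")).encode()) + comp.flush()
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(raw), b64url_encode(b"\x00" * 64)])


def parse_shc(jws: str):
    """Split the compact JWS and inflate the payload when the header says zip=DEF."""
    h, p, _sig = jws.split(".")
    header = json.loads(b64url_decode(h))
    body = b64url_decode(p)
    if header.get("zip") == "DEF":
        body = zlib.decompress(body, wbits=-15)
    return header, json.loads(body)


def issuers_for_kid(kid: str) -> list:
    """The lookup the issue describes: search the whole directory by kid.
    With a shared key this is ambiguous and returns more than one issuer."""
    return [e["name"] for e in DIRECTORY if any(k["kid"] == kid for k in e["keys"])]


def resolve_issuer(jws: str) -> dict:
    """The lookup the reply recommends: match the payload's iss to exactly one
    directory entry, then pick the key by kid from that entry's own key set.
    The key returned is the one a verifier must then check the signature with."""
    header, payload = parse_shc(jws)
    iss = payload.get("iss")
    if not isinstance(iss, str) or iss.endswith("/"):
        raise ValueError("payload iss missing or malformed")
    entry = next((e for e in DIRECTORY if e["iss"] == iss), None)
    if entry is None:
        raise LookupError(f"iss not in directory: {iss}")
    key = next((k for k in entry["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise LookupError("kid is not published by the issuer named in iss")
    # canonical_iss, when present, collapses several iss URLs of one issuer
    # to a single identity; fall back to iss itself otherwise.
    return {"name": entry["name"],
            "identity": entry.get("canonical_iss", entry["iss"]),
            "key": key}


if __name__ == "__main__":
    print("by kid only:", issuers_for_kid("SHARED_KID_PLACEHOLDER"))
    card = make_shc_jws("SHARED_KID_PLACEHOLDER", DIRECTORY[0]["iss"])
    print("by iss, then kid:", resolve_issuer(card)["name"])
```

Run as a script, the first line shows both Cerner hospitals for the shared kid, and the second resolves the same card to University of Alabama Hospital alone, because the card's `iss` disambiguates what the `kid` cannot. A card whose `kid` is not in the named issuer's key set is rejected rather than matched against some other issuer that happens to publish that kid.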