In March, Google's JWK file https://www.googleapis.com/oauth2/v2/certs (used for OpenID Connect) had 3 bugs: base64 instead of base64url; 1024-bit instead of >=2048-bit; leading zero byte on moduli. Today Google's JWK file has 1 different bug: the base64url encoding has a trailing "=". Salesforce's JWK file https://login.salesforce.com/id/keys has 1 bug: a leading zero byte on the RSA moduli.
Are these just teething problems, or do we need a stronger warning in the spec? These bugs also change the JWK's thumbprint (another reminder not to base security on thumbprints being unique for a given key). -- James Manger
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
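The four encoding mistakes listed in the message (standard base64 alphabet instead of base64url, trailing "=" padding, a leading zero byte on the modulus, and a modulus below 2048 bits) can all be caught mechanically before a JWK is published. The following Python linter is an added example and is not James Manger's code, nor anything from Google's or Salesforce's endpoints; it assumes a 2048-bit minimum as policy and uses constructed octets (not a real RSA key) chosen so that standard base64 produces "+" and "/" characters. It also computes the RFC 7638 thumbprint to show the point in the message's last sentence: the leading-zero variant decodes to the same integer modulus yet yields a different thumbprint.

```python
"""Lint an RSA JWK for base64-alphabet, padding, leading-zero and key-size
mistakes, and show that a leading zero byte changes the RFC 7638 thumbprint
even though the modulus integer is unchanged. Added example; constructed data."""
import base64
import hashlib
import json
import re

MIN_RSA_BITS = 2048  # assumed policy threshold, matching the message
_B64URL_CHARS = re.compile(r"^[A-Za-z0-9_-]*$")


def b64url_encode(raw: bytes) -> str:
    """Unpadded base64url, the only encoding RFC 7517/7518 allow for 'n' and 'e'."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def lenient_decode(text: str) -> bytes:
    """Decode even malformed values (either alphabet, padded or not) so the
    linter can still inspect the octets behind a bad parameter."""
    fixed = text.replace("+", "-").replace("/", "_").rstrip("=")
    return base64.urlsafe_b64decode(fixed + "=" * (-len(fixed) % 4))


def lint_rsa_jwk(jwk: dict) -> list[str]:
    """Return a list of problems found in 'n' and 'e'; empty means clean."""
    issues = []
    for name in ("n", "e"):
        value = jwk.get(name)
        if not isinstance(value, str) or not value:
            issues.append(f"{name}: missing")
            continue
        if "+" in value or "/" in value:
            issues.append(f"{name}: standard base64 alphabet instead of base64url")
        elif not _B64URL_CHARS.match(value.rstrip("=")):
            issues.append(f"{name}: characters outside the base64url alphabet")
        if value.endswith("="):
            issues.append(f"{name}: trailing '=' padding (JWK base64url is unpadded)")
        octets = lenient_decode(value)
        if octets[:1] == b"\x00":
            issues.append(f"{name}: leading zero byte (not a minimal big-endian integer)")
        if name == "n":
            bits = int.from_bytes(octets, "big").bit_length()
            if bits < MIN_RSA_BITS:
                issues.append(f"n: {bits}-bit modulus, want >= {MIN_RSA_BITS}")
    return issues


def rsa_modulus(jwk: dict) -> int:
    """The modulus as an integer, tolerant of the encoding bugs above."""
    return int.from_bytes(lenient_decode(jwk["n"]), "big")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members in lexicographic
    order with no whitespace. It hashes the strings exactly as published, so
    any encoding quirk in 'n' or 'e' changes the result."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())


# Constructed test material (not a real RSA key): 256 octets with the top bit
# set, so the value is 2048 bits, in a pattern that standard base64 renders
# with '+' and '/' characters.
MODULUS = b"\xfb\xef\xbe" * 85 + b"\xff"
EXPONENT = b"\x01\x00\x01"  # 65537

GOOD = {"kty": "RSA", "n": b64url_encode(MODULUS), "e": b64url_encode(EXPONENT)}
STD_B64 = {"kty": "RSA", "n": base64.b64encode(MODULUS).decode(), "e": "AQAB"}
PADDED = {"kty": "RSA", "n": base64.urlsafe_b64encode(MODULUS).decode(), "e": "AQAB"}
LEADING_ZERO = {"kty": "RSA", "n": b64url_encode(b"\x00" + MODULUS), "e": "AQAB"}
SHORT = {"kty": "RSA", "n": b64url_encode(b"\xfb\xef\xbe" * 42 + b"\xff\xff"), "e": "AQAB"}

if __name__ == "__main__":
    for label, key in [("good", GOOD), ("std-b64", STD_B64), ("padded", PADDED),
                       ("leading-zero", LEADING_ZERO), ("1024-bit", SHORT)]:
        print(f"{label:13s} {lint_rsa_jwk(key) or 'ok'}")
    # Same integer modulus, different thumbprint:
    print(rsa_modulus(GOOD) == rsa_modulus(LEADING_ZERO),
          jwk_thumbprint(GOOD) != jwk_thumbprint(LEADING_ZERO))
```

Run this against a fetched JWK Set by looping `lint_rsa_jwk` over its `keys` array; a verifier that already tolerates these quirks when decoding (as `lenient_decode` does) should still refuse to pin or index keys by thumbprint, since two publications of the same modulus can hash differently.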
