We probably could have benefited from language in the spec calling out the leading zero byte as an area of concern. That said our ecosystem detected it pretty quickly and after some collaborate with Microsoft, we have a fix due out this week, so the growing pains are sorting themselves out rather quickly.
-cmort On Mon, Aug 25, 2014 at 11:49 PM, Manger, James < [email protected]> wrote: > In March, Google’s JWK file https://www.googleapis.com/oauth2/v2/certs > (used for OpenID Connect) had 3 bugs: base64 instead of base64url; 1024-bit > instead of >=2048-bit; leading zero byte on moduli. > > Today Google’s JWK file has 1 different bug: the base64url encoding has a > trailing “=”. > > Salesforce’s JWK file https://login.salesforce.com/id/keys has 1 bug: a > leading zero byte on the RSA moduli. > > > > Are these just teething problems, or do we need a stronger warning in the > spec. These bugs also change the JWK’s thumbprint (another reminder not to > base security on thumbprints being unique for a given key). > > > > -- > > James Manger > > >
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
