This was discussed on the list a while ago, and the thought was that you could easily use the JWK thumbprint *as* the “kid” value instead of defining a new field for this use case. The header values are protected by the signature in the normal (compact) JWS/JWE formats, and ought to be protected in the JSON representations too for exactly the reasons you’re talking about.
— Justin

> On Jul 19, 2016, at 10:48 AM, Nathaniel McCallum <[email protected]> wrote:
>
> The JWS and JWE specs defined the "kid" header value that can be used
> to identify the key used for signing or encryption. Subsequently, the
> JWK thumbprint method was defined.
>
> Has anyone put any thought into registering a header value for JWS and
> JWE headers that indicates the thumbprint of the key used for signing
> or encryption? This would be very helpful for key indexes especially
> when using unprotected headers since the value of "kid" might be
> modified.
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
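As an added illustration of the approach in the reply above (the RFC 7638 thumbprint used as "kid", carried in the protected header) and of the concern in the quoted question about "kid" in unprotected headers, here is a Python example that is not code from either poster: it computes the thumbprint, signs a compact HS256 JWS with it as "kid", and verifies by re-deriving the thumbprint from the selected key rather than trusting any label stored on the key-set entry. The key set and secrets are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# RFC 7638 section 3.2: the members that feed the thumbprint, per key type.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"), "oct": ("k", "kty")}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members only, lexicographic order, no whitespace, SHA-256, base64url."""
    subset = {m: jwk[m] for m in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url_encode(hashlib.sha256(canonical).digest())

def sign_hs256(key: dict, payload: bytes) -> str:
    """Compact JWS whose protected header carries the thumbprint as "kid", so "kid" is signed too."""
    header = json.dumps({"alg": "HS256", "kid": jwk_thumbprint(key)}, separators=(",", ":"))
    signing_input = b64url_encode(header.encode("utf-8")) + "." + b64url_encode(payload)
    mac = hmac.new(b64url_decode(key["k"]), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs256(keyset: list, jws: str):
    """Return the payload, or None. The key is chosen by recomputing each candidate's thumbprint
    and comparing it with the protected "kid"; a "kid" label stored on an entry is never consulted."""
    try:
        h_b64, p_b64, s_b64 = jws.split(".")
        header = json.loads(b64url_decode(h_b64))
    except ValueError:  # wrong segment count, bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    # HS256 needs a symmetric key, so only "oct" entries are candidates.
    matches = [k for k in keyset if k.get("kty") == "oct" and jwk_thumbprint(k) == header.get("kid")]
    if len(matches) != 1:
        return None
    expected = hmac.new(b64url_decode(matches[0]["k"]), f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        return None
    return b64url_decode(p_b64)

# Constructed key set (not real secrets); the first entry carries a stale, unrelated "kid" label.
KEYSET = [
    {"kty": "oct", "kid": "stale-label", "k": b64url_encode(b"constructed-secret-one-32-bytes!")},
    {"kty": "oct", "use": "sig", "k": b64url_encode(b"constructed-secret-two-32-bytes!")},
]
```

Because the thumbprint sits in the protected header, swapping it for another key's thumbprint changes the signing input and the MAC no longer verifies; the same value placed only in a JSON-serialization unprotected header would not have that property.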
