Has there been any talk about using a prefix to specify the hash algo? On Tue, 2016-07-19 at 11:24 -0400, Justin Richer wrote: > This was discussed on the list a while ago, and the thought was that > you could easily use the JWK thumbprint *as* the “kid” value instead > of defining a new field for this use case. The header values are > protected by the signature in the normal (compact) JWS/JWE formats, > and ought to be protected in the JSON representations too for exactly > the reasons you’re talking about. > > — Justin > > > > > On Jul 19, 2016, at 10:48 AM, Nathaniel McCallum <npmccallum@redhat > > .com> wrote: > > > > The JWS and JWE specs defined the "kid" header value that can be > > used > > to identify the key used for signing or encryption. Subsequently, > > the > > JWK thumbprint method was defined. > > > > Has anyone put any thought into registering a header value for JWS > > and > > JWE headers that indicates the thumbprint of the key used for > > signing > > or encryption? This would be very helpful for key indexes > > especially > > when using unprotected headers since the value of "kid" might be > > modified. > > > > _______________________________________________ > > jose mailing list > > [email protected] > > https://www.ietf.org/mailman/listinfo/jose >
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
