The specification defines the "federation entity keys" as the keys used for the trust mechanisms in oid-fed and that those are published in the entity configuration in the jwks claim (as well as in entity statements issued by superiors).
There is also the metadata.federation_entity.jwks claim.
This claim is not defined specifically for the federation_entity entity type, but is a common claim that can be used with all entity types, where section 5.2.1 states "Note that these keys are distinct from the Federation Entity Keys used to sign Entity Statements." which is obviously true for all entity types except federation_entity. It's unclear to me if for federation_entity the jwks there MAY/SHOULD/MUST/MUST NOT be equivalent to the federation entity keys from the entity configuration.
My assumption would be that if metadata.federation_entity.jwks is not omitted in an entity statement / configuration, it MUST be equal to the jwks claim. However, the note in 5.2.1 suggests the opposite. I think a note clearing this up would make sense.
Implementations might include jwks in federation_metadata for specific purposes even if this would not make any sense, just as in a JWT header parameter I can configure the iat claim and it will simply be ignored.
The current draft specifies that federation entity keys must be at the top level of the JWT payload, while metadata-specific keys belong within each specific metadata section.
The draft implicitly allows jwks in federation_entity to provide flexibility for future or unknown claims without predefining their usage. Despite the presence of jwks in federation metadata, the draft does not define a concrete approach for their use within the specification's scope. All cryptographic operations related to trust evaluation rely solely on the federation entity keys; jwks in federation entity metadata are therefore ignored.
We should indicate in the draft that Federation Entity Keys occur at the top level of the Entity Statement and not in the Federation Entity metadata, to prevent any confusion.
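As an added example (not code from the issue, the spec draft or any implementation), this Python snippet applies the rule the comments above converge on: when selecting the key to verify an Entity Configuration, only the top-level `jwks` (the Federation Entity Keys) is consulted, and `metadata.federation_entity.jwks` is reported for information but never used. The sample statement is constructed with a dummy signature, the `typ` check assumes the spec's `entity-statement+jwt` media type, and the actual signature check is left to a JOSE library once the key is chosen.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWS segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def federation_entity_keys(payload: dict) -> list:
    """Federation Entity Keys are the top-level 'jwks' of an Entity Statement;
    a 'jwks' nested under metadata.federation_entity is not a trust key."""
    return payload.get("jwks", {}).get("keys", [])

def select_verification_key(entity_configuration_jwt: str) -> dict:
    """Pick the key a JOSE library should verify a self-signed Entity
    Configuration with. Only the top-level jwks is consulted, so a kid that
    appears solely in metadata.federation_entity.jwks is rejected."""
    header_b64, payload_b64, _signature = entity_configuration_jwt.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    if header.get("typ") != "entity-statement+jwt":  # media type the spec requires
        raise ValueError("not an entity statement JWT")
    if payload.get("iss") != payload.get("sub"):
        raise ValueError("an Entity Configuration must be self-issued (iss == sub)")
    matches = [k for k in federation_entity_keys(payload) if k.get("kid") == header.get("kid")]
    if len(matches) != 1:
        raise KeyError(f"kid {header.get('kid')!r} is not a Federation Entity Key")
    return matches[0]

def metadata_jwks_consistent(payload: dict) -> "bool | None":
    """Informational only: does metadata.federation_entity.jwks equal the top-level
    jwks? Returns None when the metadata claim is omitted."""
    md_jwks = payload.get("metadata", {}).get("federation_entity", {}).get("jwks")
    return None if md_jwks is None else md_jwks == payload.get("jwks")

def encode_entity_statement(header: dict, payload: dict) -> str:
    """Constructed helper: header + payload with a dummy (unverifiable) signature, for offline parsing."""
    parts = [json.dumps(header).encode(), json.dumps(payload).encode(), b"dummy-signature"]
    return ".".join(base64.urlsafe_b64encode(p).rstrip(b"=").decode() for p in parts)

# Constructed sample: Federation Entity Key 'fed-1' at top level and an unrelated
# 'md-1' under metadata.federation_entity.
SAMPLE_PAYLOAD = {
    "iss": "https://op.example.org", "sub": "https://op.example.org",
    "iat": 1700000000, "exp": 1700086400,
    "jwks": {"keys": [{"kty": "EC", "crv": "P-256", "kid": "fed-1", "x": "AA", "y": "AA"}]},
    "metadata": {"federation_entity": {
        "jwks": {"keys": [{"kty": "EC", "crv": "P-256", "kid": "md-1", "x": "BB", "y": "BB"}]}}},
}
SAMPLE_JWT = encode_entity_statement(
    {"alg": "ES256", "typ": "entity-statement+jwt", "kid": "fed-1"}, SAMPLE_PAYLOAD)
```

A statement whose header `kid` is found only under `metadata.federation_entity.jwks` fails key selection, which is the behaviour the comments describe (those keys are ignored for trust evaluation).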