- changed milestone to Errata
Registration: Client jwks / jwks_uri must not contain private key material
The client registration spec should state explicitly that the client JWK set must not contain any private or secret keys. The OP must also reject such registration requests, to make the client developers aware of the leakage.
This can be stated in section 2 Client Metadata and in section 9 Security Considerations.
Proposed text:
2. Client Metadata
...
jwks_uri ... The JWK Set MUST contain public keys only.
...
9.2 Private and Secret Key Leakage
The Client's JSON Web Key Set [JWK] document, as specified by the jwks_uri and jwks Client Metadata values, MUST be validated by the Server to ensure no private or secret key material is present in it. If such validation of the JWK set fails the Server MUST reject the registration request with an appropriate error message to make the Relying Party aware of the key leakage.
I became aware of this problem in the OP cert tests, where the test RP tried to register itself with private key material in the "jwks" / "jwks_uri" parameter.
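The validation the proposed 9.2 text asks of the Server, as an added example that is not part of the issue or of any OP implementation: it scans each JWK in a client JWK Set for the members that hold private or symmetric secret material and rejects the registration with the spec's invalid_client_metadata error. The sample key sets are constructed with placeholder values; the function names are this example's own.

```python
# JWK members that carry private or symmetric secret material
# (RFC 7518 section 6 for RSA/EC/oct, RFC 8037 for OKP). None of them
# may appear in a client's jwks / jwks_uri document.
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
    "oct": {"k"},  # a symmetric key has no public half at all
}

def find_leaked_keys(keys):
    """Return [(kid, [leaked members]), ...] for every key that carries
    private or secret material; an empty list means the set is clean."""
    leaks = []
    for index, key in enumerate(keys):
        private = PRIVATE_MEMBERS.get(key.get("kty"), set())
        present = sorted(private & set(key))
        if present:
            leaks.append((key.get("kid", f"key#{index}"), present))
    return leaks

def validate_client_jwks(jwks):
    """Check a parsed client JWK Set the way a registration endpoint would.
    Returns (True, None) when only public keys are present, otherwise
    (False, error_body) with the JSON body for rejecting the request."""
    keys = jwks.get("keys") if isinstance(jwks, dict) else None
    if not isinstance(keys, list) or not all(isinstance(k, dict) for k in keys):
        return False, {"error": "invalid_client_metadata",
                       "error_description": "jwks is not a JWK Set"}
    leaks = find_leaked_keys(keys)
    if leaks:
        detail = "; ".join(f"{kid}: {', '.join(m)}" for kid, m in leaks)
        return False, {"error": "invalid_client_metadata",
                       "error_description": "jwks must contain public keys "
                                            "only; private material in " + detail}
    return True, None

# Constructed sample sets with placeholder values (not real key material).
CLEAN_JWKS = {"keys": [
    {"kty": "EC", "kid": "ec-1", "crv": "P-256", "x": "AAAA", "y": "BBBB"},
    {"kty": "RSA", "kid": "rsa-1", "n": "CCCC", "e": "AQAB"},
]}
LEAKED_JWKS = {"keys": [
    {"kty": "RSA", "kid": "rsa-1", "n": "CCCC", "e": "AQAB",
     "d": "DDDD", "p": "EEEE", "q": "FFFF"},
    {"kty": "oct", "kid": "hmac-1", "k": "GGGG"},
]}
```

Calling validate_client_jwks(LEAKED_JWKS) returns the rejection body naming rsa-1 (d, p, q) and hmac-1 (k), which is the error message the proposed text wants surfaced to the Relying Party; the same check applies to a document fetched from jwks_uri once it has been parsed.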
Comments (2)
- changed status to resolved
Fixed #1007 - jwks / jwks_uri must not contain private key material → <<cset d39893a31217>>
This seems reasonable to do as part of an errata action. Mike will review and propose text.