- changed status to open
requirements on RSA/EC key sizes should apply to more situations
Part 1 says the authorization server:
- shall require a key of size 2048 bits or larger if RSA algorithms are used for the client authentication;
- shall require a key of size 160 bits or larger if elliptic curve algorithms are used for the client authentication;
I find it odd that I can't obviously find these requirements echoed for:
1) client keys in other cases (e.g. request object signing key used for oauth-mtls)
2) keys used by the AS (e.g. to sign the id_token)
Comments (10)
- assigned issue to
- assigned issue to
- reporter As someone (sorry, I forget who - it might have been Nat?) pointed out on the call yesterday, https://tools.ietf.org/html/rfc7518#section-3.5 already requires this for PS256:
A key of size 2048 bits or larger MUST be used with this algorithm.
I can't find a similar statement about ES256 key sizes.
- For ES256 the key size is fixed and comes from the use of the P-256 curve.
- changed status to closed
Merged in josephheenan/fapi/key-sizes (pull request #96)
FAPI-R: Widen restrictions on RSA/EC key sizes to all situations
Currently the key size requirements only apply to client authentication, but they should also apply to any use of keys, for example signing request objects and id_tokens. Reword the relevant clauses to cover everything.
(For RSA, we are only re-stating what's already in RFC7518.)
closes #213
Approved-by: Brian Campbell bcampbell@pingidentity.com
Approved-by: Dave Tonge dave.tonge@bluespeckfinancial.co.uk
→ <<cset 5817376f036a>>
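As an added illustration (not code from the issue, the FAPI specification or the merged pull request), a check an authorization server could run over a client's registered JWKS, or over its own id_token signing keys, applying the widened rule: every RSA or EC key must meet the minimum size regardless of what it is used for. The JWKS, key ids and modulus values below are constructed, not real keys.

```python
import base64

# Minimum key sizes from FAPI Part 1, as discussed in the issue (bits).
RSA_MIN_BITS = 2048
EC_MIN_BITS = 160
# Key sizes of the curves JWA registers for ES256/ES384/ES512 (RFC 7518 section 6.2.1.1).
EC_CURVE_BITS = {"P-256": 256, "P-384": 384, "P-521": 521}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def key_bits(jwk: dict) -> int:
    """Effective key size of an RSA or EC JWK in bits; 0 if it cannot be determined."""
    if jwk.get("kty") == "RSA":
        # The RSA key size is the bit length of the big-endian unsigned modulus n.
        return int.from_bytes(_b64url_decode(jwk["n"]), "big").bit_length()
    if jwk.get("kty") == "EC":
        return EC_CURVE_BITS.get(jwk.get("crv", ""), 0)
    return 0

def check_jwks(jwks: dict) -> list:
    """One message per key below the FAPI minimum, whatever the key is used for
    (client authentication, request object signing or id_token signing alike)."""
    problems = []
    for jwk in jwks.get("keys", []):
        kid, kty, bits = jwk.get("kid", "<no kid>"), jwk.get("kty"), key_bits(jwk)
        if kty == "RSA" and bits < RSA_MIN_BITS:
            problems.append(f"{kid}: RSA modulus is {bits} bits, need >= {RSA_MIN_BITS}")
        elif kty == "EC" and bits == 0:
            problems.append(f"{kid}: curve {jwk.get('crv')!r} is not a JWA curve, size unknown")
        elif kty == "EC" and bits < EC_MIN_BITS:
            problems.append(f"{kid}: EC key is {bits} bits, need >= {EC_MIN_BITS}")
        elif kty not in ("RSA", "EC"):
            problems.append(f"{kid}: unsupported kty {kty!r}")
    return problems

# Constructed sample JWKS: the moduli are synthetic numbers of the right length, not
# real keys, and the EC coordinates are filler; only kty, crv and modulus length matter.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "rsa-2048", "e": "AQAB",
     "n": _b64url_encode(((1 << 2047) | 1).to_bytes(256, "big"))},
    {"kty": "RSA", "kid": "rsa-1024", "e": "AQAB",
     "n": _b64url_encode(((1 << 1023) | 1).to_bytes(128, "big"))},
    {"kty": "EC", "kid": "ec-p256", "crv": "P-256",
     "x": _b64url_encode(b"\x01" * 32), "y": _b64url_encode(b"\x02" * 32)},
    {"kty": "EC", "kid": "ec-odd", "crv": "secp160r1"},
]}
```

Running `check_jwks(SAMPLE_JWKS)` flags the 1024-bit RSA key and the key on an unregistered curve; the 2048-bit RSA key and the P-256 key pass.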
- changed component to Part 1: Baseline
- changed component to FAPI 1 - Part 1: Baseline
- changed component to FAPI 1 – Part 1: Baseline
- changed component to FAPI 1 – Baseline
- changed component to FAPI 1: Baseline