JARM for signed authZ responses seems to allow MACs

Issue #605 invalid
Tim Würtele created an issue

FAPI 2.0 MS points to JARM to sign authorization responses. Maybe I’ve overlooked something, but it seems that neither FAPI 2.0 MS, nor JARM explicitly prohibit the use of symmetric signatures, i.e., MACs. That would of course defeat the whole idea of non-repudiation.

Comments (3)

  1. Joseph Heenan

    FAPI 2.0 MS requires the use of FAPI 2.0 SP, which at https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-5.4 says:

    1. Authorization Servers, Clients, and Resource Servers when creating or processing JWTs shall

      1. adhere to [RFC8725];
      2. use PS256, ES256, or EdDSA (using the Ed25519 subtype) algorithms; and
      3. not use or accept the none algorithm.

    I believe this means that symmetric signatures are prohibited, but if you can see a flaw in the logic here please let us know.
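The quoted clause is the whole answer; as an added example (not code from the FAPI working group, the JARM spec, or any OpenID implementation), here is how a client could enforce it before handing a JARM response JWT to a JWS library. The algorithm allow-list comes from the section quoted above, the key-type pairings from RFC 7518 and RFC 8037, and the key-matching rule from RFC 8725's advice not to let the token's `alg` header choose the key. The helper names, the sample tokens, and the minimal JWKs are constructed for this illustration and carry no real key material or signatures.

```python
import base64
import json

# Allow-list from FAPI 2.0 Security Profile section 5.4 (quoted above).
# Anything else, including "none" and every HS* MAC, is rejected.
FAPI2_ALLOWED_ALGS = frozenset({"PS256", "ES256", "EdDSA"})

# Key type (and curve) each allowed alg must be paired with, per RFC 7518 and
# RFC 8037. Checking this binds the alg to the AS's published key instead of
# trusting whatever "alg" the incoming token claims (RFC 8725 section 3).
ALG_KEY_REQUIREMENTS = {
    "PS256": {"kty": "RSA"},
    "ES256": {"kty": "EC", "crv": "P-256"},
    "EdDSA": {"kty": "OKP", "crv": "Ed25519"},  # FAPI 2.0 SP: Ed25519 subtype only
}


def _b64url_decode(segment: str) -> bytes:
    # JWS uses base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_jws_header(compact_jws: str) -> dict:
    """Return the JOSE header of a compact JWS, or raise ValueError."""
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    header = json.loads(_b64url_decode(parts[0]))  # base64/JSON errors are ValueErrors
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def check_jarm_alg(compact_jws: str, as_jwk: dict) -> tuple:
    """Decide which algorithm a JWS library may verify this JARM response with.

    Returns (True, alg) when the header's alg is on the FAPI 2.0 allow-list and
    matches the authorization server's published key, else (False, reason).
    Signature verification itself is left to the JWS library, which should be
    called with exactly this alg and key, never with the header's alg alone.
    """
    try:
        header = parse_jws_header(compact_jws)
    except ValueError as exc:
        return (False, f"malformed JWS: {exc}")
    alg = header.get("alg")
    if not isinstance(alg, str):
        return (False, "missing or non-string alg header")
    if alg not in FAPI2_ALLOWED_ALGS:
        return (False, f"alg {alg!r} is not permitted for JARM under FAPI 2.0")
    for field, expected in ALG_KEY_REQUIREMENTS[alg].items():
        if as_jwk.get(field) != expected:
            return (False, f"alg {alg} requires {field}={expected!r}, key has {as_jwk.get(field)!r}")
    return (True, alg)


def build_sample(header: dict) -> str:
    """Constructed JARM-shaped token for demonstration: real header, placeholder
    payload, and a fake signature segment (this code never verifies signatures)."""
    payload = {"iss": "https://as.example", "aud": "client-1", "code": "constructed-code"}
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([
        enc(json.dumps(header).encode()),
        enc(json.dumps(payload).encode()),
        enc(b"not-a-real-signature"),
    ])


# Constructed JWKs carrying only the fields this check reads (no key material).
EXAMPLE_RSA_JWK = {"kty": "RSA", "kid": "k1"}
EXAMPLE_ED25519_JWK = {"kty": "OKP", "crv": "Ed25519", "kid": "k2"}


if __name__ == "__main__":
    for name, token, key in [
        ("PS256 with RSA key", build_sample({"alg": "PS256", "kid": "k1"}), EXAMPLE_RSA_JWK),
        ("HS256 MAC", build_sample({"alg": "HS256"}), EXAMPLE_RSA_JWK),
        ("alg none", build_sample({"alg": "none"}), EXAMPLE_RSA_JWK),
        ("ES256 against RSA key", build_sample({"alg": "ES256"}), EXAMPLE_RSA_JWK),
        ("EdDSA with Ed25519 key", build_sample({"alg": "EdDSA"}), EXAMPLE_ED25519_JWK),
    ]:
        print(f"{name:24s} -> {check_jarm_alg(token, key)}")
```

The key-matching step is what turns the spec's allow-list into a defensive property: an attacker who controls the token cannot pick an algorithm the server's key was never meant for, and the JWS library is invoked with an algorithm the verifier chose rather than one the token supplied.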

  2. Tim Würtele (reporter)

    Thanks for pointing that out, I agree that this excludes symmetric signatures. I was focused on FAPI 2.0 MS and JARM and missed that section when skimming FAPI 2.0 SP. Sorry for the trouble!
