JARM for signed authZ responses seems to allow MACs
Issue #605
Status: invalid
FAPI 2.0 MS points to JARM to sign authorization responses. Maybe I’ve overlooked something, but it seems that neither FAPI 2.0 MS, nor JARM explicitly prohibit the use of symmetric signatures, i.e., MACs. That would of course defeat the whole idea of non-repudiation.
Comments (3)

FAPI 2.0 MS requires the use of FAPI 2.0 SP, which at https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-5.4 says:

    Authorization Servers, Clients, and Resource Servers when creating or processing JWTs shall
    - use PS256, ES256, or EdDSA (using the Ed25519 subtype) algorithms; and
    - not use or accept the none algorithm.

I believe this means that symmetric signatures are prohibited, but if you can see a flaw in the logic here please let us know.

reporter: Thanks for pointing that out, I agree that this excludes symmetric signatures. I was focused on FAPI 2.0 MS and JARM and missed that section when skimming FAPI 2.0 SP. Sorry for the trouble!

reporter changed status to invalid
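The exchange above settles the spec question; what a client implementer actually needs is a verifier that refuses the forbidden algorithms before a JOSE library ever sees the JARM `response` JWT. The following is an added example, not code from the issue, the FAPI working group, or any library. It assumes the client already holds the authorization server's public JWK and uses a constructed shared secret and constructed claims as test vectors. It enforces the FAPI 2.0 SP 5.4 allow-list at the header stage (rejecting `none` and every `HS*` MAC), checks that the key type and curve match the alg so that "EdDSA" really means Ed25519, and also shows why the issue's concern matters: with HS256 the client itself can mint a response that passes HMAC verification, so such a token proves nothing about who produced it.

```python
import base64
import hashlib
import hmac
import json

# FAPI 2.0 SP section 5.4: only these JWS algorithms are permitted.
ALLOWED_ALGS = {"PS256", "ES256", "EdDSA"}

# Key type / curve each permitted alg must be paired with. The spec pins the
# Ed25519 subtype of EdDSA, and that subtype lives in the key's "crv", not in
# the alg header, so a correct check has to look at the key as well.
EXPECTED_KEY = {
    "PS256": ("RSA", None),
    "ES256": ("EC", "P-256"),
    "EdDSA": ("OKP", "Ed25519"),
}


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jws_header(token: str) -> dict:
    """Return the protected header of a compact JWS; trust nothing else yet."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JWS header is not a JSON object")
    return header


def check_jarm_alg(token: str, as_jwk: dict) -> str:
    """Gate a JARM `response` JWT on FAPI 2.0 SP 5.4 before signature verification.

    Returns the accepted alg or raises ValueError. Verifying the PS256/ES256/
    EdDSA signature itself is left to a JOSE library; the point here is that
    `none` and every HMAC alg are refused before that library is handed the token.
    """
    alg = jws_header(token).get("alg")
    if not isinstance(alg, str):
        raise ValueError("missing alg")
    if alg == "none":
        raise ValueError("unsecured JWS (alg=none) is forbidden")
    if alg.startswith("HS"):
        raise ValueError(f"{alg} is a MAC: both parties hold the key, so no non-repudiation")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"{alg} is not in the FAPI 2.0 SP allow-list {sorted(ALLOWED_ALGS)}")
    kty, crv = EXPECTED_KEY[alg]
    if as_jwk.get("kty") != kty or (crv is not None and as_jwk.get("crv") != crv):
        raise ValueError(f"AS key {as_jwk.get('kty')}/{as_jwk.get('crv')} does not match {alg}")
    return alg


def classify(token: str, as_jwk: dict) -> tuple:
    """Convenience wrapper: ('accepted', alg) or ('rejected', reason)."""
    try:
        return ("accepted", check_jarm_alg(token, as_jwk))
    except ValueError as exc:
        return ("rejected", str(exc))


def hs256_jarm_response(claims: dict, shared_secret: bytes) -> str:
    """Mint an HS256-'signed' JARM response. Anyone holding shared_secret can do this."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(shared_secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def hs256_verifies(token: str, shared_secret: bytes) -> bool:
    header, payload, sig = token.split(".")
    expected = hmac.new(shared_secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def unsigned_token(alg: str, claims: dict) -> str:
    """Constructed test vector: real header and payload, placeholder signature segment."""
    header = b64url_encode(json.dumps({"alg": alg}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'sig')}"


if __name__ == "__main__":
    # Constructed values, not from any real deployment.
    claims = {"iss": "https://as.example", "aud": "client-1", "code": "abc", "state": "xyz"}
    rsa_jwk = {"kty": "RSA", "kid": "as-2024"}
    shared = b"client-secret-shared-with-as"

    # The client, not the AS, mints a response with the shared secret: it still verifies.
    forged = hs256_jarm_response(claims, shared)
    print("client-forged HS256 response verifies:", hs256_verifies(forged, shared))
    print("FAPI gate:", classify(forged, rsa_jwk))
    print("FAPI gate:", classify(unsigned_token("none", claims), rsa_jwk))
    print("FAPI gate:", classify(unsigned_token("EdDSA", claims), {"kty": "OKP", "crv": "Ed448"}))
    print("FAPI gate:", classify(unsigned_token("PS256", claims), rsa_jwk))
```

The key-matching step is what turns the spec's parenthetical "using the Ed25519 subtype" into an enforceable check: an `EdDSA` header paired with an Ed448 key is refused even though the alg string itself is on the allow-list. Real signature verification of the accepted token should then be done with the library's alg pinned to the value returned here, never taken from the token header again.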