Normative text within security considerations
Issue #702
resolved
The JWKS URIs section under security considerations has 3 normative requirements in it:
https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-6.3
any server providing a jwks_uri endpoint
- shall only serve the jwks_uri endpoint over TLS;
- should not use the JOSE headers for x5u and jku; and
- should not serve a JWK set with multiple keys with the same kid.
I think we had a policy against having normative requirements in the security considerations section?
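As an added example (not part of this issue or of the FAPI specification text), a small Python checker for the three requirements quoted above: it flags a jwks_uri not served over https, a JOSE header carrying x5u or jku, and a JWK set in which two keys share a kid. The sample inputs are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Constructed sample inputs (not taken from the issue): a jwks_uri served over
# plain HTTP, a JWK set with a duplicated kid, and a JOSE header that uses jku.
SAMPLE_JWKS_URI = "http://as.example/.well-known/jwks.json"
SAMPLE_JWKS = json.loads("""{"keys": [
  {"kty": "EC", "kid": "k1", "crv": "P-256", "x": "sample-x-1", "y": "sample-y-1"},
  {"kty": "EC", "kid": "k1", "crv": "P-256", "x": "sample-x-2", "y": "sample-y-2"},
  {"kty": "EC", "kid": "k2", "crv": "P-256", "x": "sample-x-3", "y": "sample-y-3"}
]}""")
SAMPLE_JOSE_HEADER = {"alg": "ES256", "kid": "k1", "jku": "http://as.example/jwks.json"}

# Headers the profile says a server should not use: both let a JWS point the
# verifier at key material outside the published jwks_uri.
FORBIDDEN_JOSE_HEADERS = ("x5u", "jku")


def check_jwks_uri(jwks_uri):
    """Requirement 1: the jwks_uri endpoint shall only be served over TLS."""
    if urlparse(jwks_uri).scheme != "https":
        return [f"jwks_uri not served over TLS: {jwks_uri}"]
    return []


def check_jose_header(header):
    """Requirement 2: the x5u and jku JOSE headers should not be used."""
    return [f"forbidden JOSE header present: {h}" for h in FORBIDDEN_JOSE_HEADERS if h in header]


def check_jwks_kids(jwks):
    """Requirement 3: no two keys in the served JWK set may share a kid."""
    counts = {}
    for key in jwks.get("keys", []):
        kid = key.get("kid")
        if kid is not None:
            counts[kid] = counts.get(kid, 0) + 1
    return [f"duplicate kid in JWK set: {kid} ({n} keys)" for kid, n in counts.items() if n > 1]


def check_fapi_jwks_requirements(jwks_uri, jwks, header):
    """Run all three checks; an empty list means the inputs satisfy them."""
    return check_jwks_uri(jwks_uri) + check_jose_header(header) + check_jwks_kids(jwks)


if __name__ == "__main__":
    for violation in check_fapi_jwks_requirements(SAMPLE_JWKS_URI, SAMPLE_JWKS, SAMPLE_JOSE_HEADER):
        print("VIOLATION:", violation)
```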
Comments (8)
-
reporter -
- For 6.4, it was proposed to move to subclause 5.4.
- For 6.3, probably the same place.
-
- changed status to open
-
Nat to ask the list for a volunteer to create a PR.
-
-
assigned issue to
-
assigned issue to
-
Dave will do it this week.
-
-
- changed status to resolved
PR Merged
Section 6.4 also contains one normative-looking requirement.