Normative text within security considerations
Issue #702
resolved
The JWKS URIs section under security considerations has 3 normative requirements in it:
https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-6.3
any server providing a
jwks_uriendpoint
- shall only serve the
jwks_uriendpoint over TLS;- should not use the JOSE headers for
x5uandjku; and- should not serve a JWK set with multiple keys with the same
kid.
I think we had a policy against having normative requirements in the security considerations section?
Comments (8)
-
reporter
-
- For 6.4, it was proposed to move to subclause 5.4.
- For 6.3, probably the same place.
-
- changed status to open
-
Nat to ask the list for a volunteer to create a PR.
-
-
assigned issue to
Dave Tonge
-
assigned issue to
-
Dave will do it this week.
-
-
- changed status to resolved
PR Merged
- Log in to comment
- Assignee
- Type
- Priority
- Status
- resolved
- Component
- FAPI2: Security Profile
- Milestone
- –
- Votes
- 0
- Watchers
- 1
Section 6.4 also contains one normative looking requirement.