Use the certificate fingerprint for the key id #1
Conversation
|
Would this be the correct thing to place in the If you want the I'd take a patch that includes the fingerprint in the |
|
Good points, I don't need the fingerprint itself so Re: caching, I was actually also going to work on a patch to set HTTP caching headers based on the file modify dates, cert dates, or maybe even just a hash of the certificate serial numbers. This would allow an application to cache all the certs until any of them were changed. Not sure if it is a common use-case to have a large number of keys published, this would be less optimal than caching on a date-based Thoughts? |
|
I'm all in favor of setting HTTP headers that help in caching. I'd lean in favor of modify dates on the files, rather than cert serial numbers. JWKS supports raw public keys, not just certs, which don't have a lot of the extraneous metadata, so it's best target the common properties (fs times in this case). |
|
Good point about naked keys. How would you feel about having an extensible provider system for providing the key and any metadata from some source. For example, a provider that enumerated files and provided the keys and file time metadata, and another for storing keys in a database. It would be much easier for us to manage the keys in Mongo or something vs. the filesystem. This would allow anyone to set up a provider however they'd like to provide the required key material and metadata. |
Bumped the version of forge to the latest which will calculate a pretty standard SHA1 fingerprint. Use this fingerprint as the
kidvalue. Just think it is a better identifier than exposing the disk filename.