Add a note about crypto-agility with JWT

This is explicitly calling out how Fernet should be used to
exercise crypto-agility in the event a security flaw is uncovered
in the JWT/JWS/JWE specifications or implementations. At least until
more algorithms are supported.

Change-Id: I5338c64f3a592768f70e3a4254b7bfeeb101102b
Lance Bragstad 2018-12-04 18:36:24 +00:00
parent c87a0230b3
commit fd0b5e6a5a
1 changed files with 3 additions and 0 deletions


@ -212,6 +212,9 @@ validating multiple blessed algorithms, allowing multiple tokens signed with
different algorithms to be validated without require configuration changes
except on the signing node.
For the time being, if a deployment is using JWTs and needs to exercise
crypto-agility, it is recommended they convert to Fernet tokens.
Alternatives
------------
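Review bot: the added paragraph ("For the time being, if a deployment is using JWTs and needs to exercise crypto-agility, it is recommended they convert to Fernet tokens.") gives the recommendation without its rationale, which the commit message does state: Fernet is the fallback because it is a separate token format that would not be affected by a flaw in the JWT/JWS/JWE specifications or implementations, and the recommendation holds only until more algorithms are supported. Consider carrying both points into the spec text, e.g. "Until additional algorithms are supported, a deployment using JWTs that needs to exercise crypto-agility in response to a JWT/JWS/JWE flaw should convert to Fernet tokens, which are unaffected by such a flaw." The preceding context line "without require configuration changes" also reads as a typo for "without requiring configuration changes" and could be fixed in the same change.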