Add a note about crypto-agility with JWT

This is explicitly calling out how Fernet should be used to exercise crypto-agility in the event a security flaw is uncovered in the JWT/JWS/JWE specifications or implementations. At least until more algorithms are supported.

Change-Id: I5338c64f3a592768f70e3a4254b7bfeeb101102b
This commit is contained in:
parent c87a0230b3
commit fd0b5e6a5a
@ -212,6 +212,9 @@ validating multiple blessed algorithms, allowing multiple tokens signed with
different algorithms to be validated without require configuration changes
except on the signing node.
For the time being, if a deployment is using JWTs and needs to exercise
crypto-agility, it is recommended they convert to Fernet tokens.
Alternatives
------------
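Review bot: The added sentence beginning "For the time being, if a deployment is using JWTs" drops the caveat that the commit message attaches to this recommendation ("At least until more algorithms are supported"), so a reader of the spec alone cannot tell when the advice stops applying or what condition lifts it. Suggest carrying the condition into the document text, e.g. "For the time being, until additional signing algorithms are supported, if a deployment is using JWTs and needs to exercise crypto-agility, it is recommended that they convert to Fernet tokens." Nit, in the unchanged context line directly above the addition: "without require configuration changes" should read "without requiring configuration changes" if this paragraph is touched again.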