Originally, when we were designing the implementation for a JWT
provider, we thought we would be able to use multiple signature
support in the JWS specification to allow tokens to have multiple
signatures. This would allow operators to specify multiple private
keys when rotating old/compromised keys off of a keystone server.
While that information is clearly documented in the JWS specification:
https://tools.ietf.org/html/rfc7515#section-7
Support for signing tokens with multiple private keys doesn't exist
yet in the library we're consuming for JWT (PyJWT).
This commit updates the specification with those details and attempts
to preserve the context of why we're not taking a multi-signature
approach right now. I've opened an issue in the upstream library we
consume to track the discussion:
https://github.com/jpadilla/pyjwt/issues/390
bp json-web-tokens
Change-Id: I3c1d431241fab79d7c3feefeb978a977487e7bc0