Originally submitted by SECtim (Tim Würtele) on 2023-06-13
FAPI 2.0 MS points to JARM to sign authorization responses. Maybe I’ve overlooked something, but it seems that neither FAPI 2.0 MS nor JARM explicitly prohibits the use of symmetric signatures, i.e., MACs. That would of course defeat the whole idea of non-repudiation.
Bitbucket status: invalid
Bitbucket origin: issue 605
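Added illustration, not part of the issue and not code from the FAPI or JARM specifications: a client-side pre-check that inspects the JOSE header of a JARM authorization response before any signature verification and rejects MAC algorithms (HS256/HS384/HS512) and `alg: none`, so that only responses carrying an asymmetric signature, which the authorization server alone can produce, are accepted. The allowlist of PS256 and ES256 is a deployment-policy assumption of this example, the `make_unsigned_jarm_sample` helper builds constructed test tokens with a dummy signature segment, and no cryptographic verification is performed here; that step is done separately with the AS's public key after the algorithm check passes.

```python
import base64
import json

# Deployment policy (assumption of this example): only these asymmetric JWS
# algorithms are accepted for JARM authorization responses.
ALLOWED_ASYMMETRIC_ALGS = {"PS256", "ES256"}

# JWS "alg" values that are MACs. Every holder of the shared key can produce
# them, so they give integrity but not non-repudiation of the AS's response.
MAC_ALGS = {"HS256", "HS384", "HS512"}


def _b64url_decode(segment: str) -> bytes:
    # JWS segments drop base64url padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jws_header(compact_jws: str) -> dict:
    """Parse the protected JOSE header of a compact-serialized JWS."""
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def check_response_alg(compact_jws: str, allowed=frozenset(ALLOWED_ASYMMETRIC_ALGS)) -> str:
    """Return the response's alg if it is an allowed asymmetric algorithm.

    Raises ValueError for MACs, 'none', a missing alg, or anything outside the
    allowlist. Must run before signature verification so that a verifier is
    never even asked to check a MAC-'signed' response.
    """
    alg = jws_header(compact_jws).get("alg")
    if not isinstance(alg, str):
        raise ValueError("JOSE header has no string 'alg'")
    if alg == "none":
        raise ValueError("unsigned responses (alg=none) are rejected")
    if alg in MAC_ALGS:
        raise ValueError(f"alg {alg} is a MAC; the response is not non-repudiable")
    if alg not in allowed:
        raise ValueError(f"alg {alg} is not in the asymmetric allowlist {sorted(allowed)}")
    return alg


def make_unsigned_jarm_sample(alg: str) -> str:
    """Build a constructed JARM-style response token for testing the pre-check.

    The claim values are made up and the third segment is a placeholder, not a
    real signature; check_response_alg() never looks at it.
    """
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({
        "iss": "https://as.example",      # constructed issuer
        "aud": "client-1",                # constructed client id
        "code": "constructed-auth-code",
        "state": "constructed-state",
    }).encode())
    return f"{header}.{payload}.c2lnbmF0dXJl"


if __name__ == "__main__":
    for alg in ("PS256", "ES256", "RS256", "HS256", "none"):
        try:
            print(alg, "-> accepted:", check_response_alg(make_unsigned_jarm_sample(alg)))
        except ValueError as exc:
            print(alg, "-> rejected:", exc)
```

The check deliberately separates "is a MAC" from "not on the allowlist" so that logs distinguish a response that merely uses an unexpected asymmetric algorithm from one that could have been produced by any holder of the shared key.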