From fd0b5e6a5aa91438c9604afc0f91d71d81ed0ef8 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Tue, 4 Dec 2018 18:36:24 +0000 Subject: [PATCH] Add a note about crypto-agility with JWT This is explicitly calling out how Fernet should be used to exercise crypto-agility in the event a security flaw is uncovered in the JWT/JWS/JWE specifications or implementations. At least until more algorithms are supported. Change-Id: I5338c64f3a592768f70e3a4254b7bfeeb101102b --- specs/keystone/stein/json-web-tokens.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/specs/keystone/stein/json-web-tokens.rst b/specs/keystone/stein/json-web-tokens.rst index 16cb56bc..77513892 100644 --- a/specs/keystone/stein/json-web-tokens.rst +++ b/specs/keystone/stein/json-web-tokens.rst @@ -212,6 +212,9 @@ validating multiple blessed algorithms, allowing multiple tokens signed with different algorithms to be validated without require configuration changes except on the signing node. +For the time being, if a deployment is using JWTs and needs to exercise +crypto-agility, it is recommended they convert to Fernet tokens. + Alternatives ------------
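Review bot: The added paragraph in the `@@ -212,6 +212,9 @@` hunk tells operators to convert to Fernet but not why, while the commit message carries the actual rationale (a flaw in the JWT/JWS/JWE specifications or an implementation, with only one signing algorithm supported for now). Readers of the spec will not see the commit message, so the reasoning belongs in the text itself, for example: "Until keystone supports more than one JWT signing algorithm, a deployment that needs to move off a compromised algorithm should switch its token provider to Fernet, which offers an independent key rotation path." Two smaller points on the same lines: "For the time being" is vague next to the preceding sentence about validating multiple blessed algorithms, and "until multiple signing algorithms are supported" would tie the interim recommendation to the planned follow-up explicitly; and "it is recommended they convert" has no clear antecedent for "they", so "the deployment should be converted" or "operators should convert" reads better. The note also does not say whether JWTs already issued remain valid across the conversion, which is the first question an operator will ask. Separately, the context line "without require configuration changes" has a pre-existing typo ("requiring") that could be fixed in the same change.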