Move away from RSASSA-PKCS1-v1_5 using SHA-256 (RS256) as JWT default #1232
Labels
Subject: Ansible Playbook
Related to the maintenance and upkeep associated with an Ansible Playbook for Islandora. Always also
Comments
|
I've forked the ansible-role-keymaster to generate hmac keys here: It would be good to get some advice from the core contributors on whether this is the right place to be doing this kind of stuff and whether there are plans already in place on how to transition to JWT HMAC keys. |
kstapelfeldt
added
Subject: Ansible Playbook
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
http://future.islandora.ca/admin/config/system/jwt defaults to RSASSA-PKCS1-v1_5 using SHA-256 (RS256). Security review of an Islandora 8 instance pointed out that https://tools.ietf.org/html/rfc3447#page-28 says "RSASSA-PKCS1-v1_5 is included for compatibility with existing applications, and while still appropriate for new applications, a gradual transition to RSASSA-PSS is encouraged." Perhaps HMAC using SHA-512 (HS512) should be the default instead?
The text was updated successfully, but these errors were encountered: