On Fri, 2025-10-17 at 21:05 +0100, Neil Madden wrote:
> I largely agree with this, but just wanted to mention that what matters is
> the lifetime of the keys not the lifetime of the tokens. Of course,
> short-lived tokens mean you can typically rotate your keys frequently too,
> but that’s not always possible e.g. for keys embedded in hardware.

Yes, the lifetime of the keys matters of course (that is why I brought up CA keys in LAMPS), but what matters most is if the signature needs to be trusted for a long time, or is more of a one time (or limited time) authentication use.

JWTs or JWSs are generally used in online protocols, and authenticate messages whose relevance is generally limited in time, and generally allow the user to obtain a new token to revalidate access at any time. That allows operators to relatively quickly perform key migrations because you do not need to retain access to old keys and messages.

I am not aware of use cases where you use JWTs or JWSs in HW. For things like HW firmware you would use something like LMS or the new SLH-DSA modes NIST is considering that are somewhat computationally cheaper. That said, I know of some large vendors that are going pure ML-DSA, and none that are considering composite or even dual signatures.

If there is some convincing use case where JWTs or JWSs are used in a way where long term protection is necessary I would really like to know and would be open to completely reconsider this position.

--
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc
