Abusing JWT public keys without the public key

Abusing JWT public keys without the public key(blog.silentsignal.eu)

2 points by dnet 5 years ago | 2 comments

outsomnia 5 years ago |

> The main lesson is: one should not rely on the secrecy of public keys

... that might be why they are called "public" keys

dnet 5 years ago | |

Yet we've had people argue that they wouldn't give us the public part of their JWT RSA signing keypair, because "they wouldn't publish that anyway", hence this post.

outsomnia 5 years ago |

> The main lesson is: one should not rely on the secrecy of public keys

... that might be why they are called "public" keys

dnet 5 years ago | |

Yet we've had people argue that they wouldn't give us the public part of their JWT RSA signing keypair, because "they wouldn't publish that anyway", hence this post.