Abusing JWT public keys without the public key
(blog.silentsignal.eu)
2 points
dnet
5y ago
2 comments
outsomnia
5y ago
> The main lesson is: one should not rely on the secrecy of public keys
... that might be why they are called "public" keys
dnet
OP
5y ago
Yet we've had people argue that they wouldn't give us the public part of their JWT RSA signing keypair, because "they wouldn't publish that anyway", hence this post.