Details
- Change Request
- Resolution: Unresolved
- Priority: Medium
- US UDAP Security (FHIR)
- current
- Security
- Home
- Section: 1.2.3
Description
Section 1.2.3 requires two JOSE header fields, but is silent on whether other fields can be included. The underlying UDAP.org specs do show some examples where other fields are included, e.g. x5u (https://www.udap.org/udap-dynamic-client-registration-stu1.html). I think, given that most of the potential fields are just alternate ways to identify the signing key and that UDAP requires the consumer to use the key in x5c, most can be ignored. However, there may still be some alternate/error cases that would need to be tested, for example:
- The keys in multiple fields are inconsistent
- "typ" or "cty" are included
- "crit" is included, identifying an extension field that must be understood and processed. The RFC defines a negative test case that all consumers must pass.
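Added example (not part of this ticket or of the UDAP IG): a consumer-side JOSE header check in Python that covers the three cases above. It assumes the two fields section 1.2.3 requires are alg and x5c, checks x5t/x5t#S256 against the x5c leaf as the "inconsistent keys" case, and uses a constructed byte string in place of a DER certificate since only its thumbprint is compared.

```python
import base64
import hashlib

# JWS registered header names (RFC 7515 s.4.1) plus typ/cty as used by JWT (RFC 7519); anything else is an extension
REGISTERED = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit"}
UNDERSTOOD_EXTENSIONS = set()  # this consumer implements no JOSE extensions
REQUIRED = ("alg", "x5c")  # assumed reading of the two fields UDAP Security IG s.1.2.3 requires

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def validate_jose_header(hdr: dict) -> list:
    # Returns rejection reasons; an empty list means the header is acceptable
    problems = [f"missing required header {n!r}" for n in REQUIRED if n not in hdr]
    # typ/cty may appear, but a UDAP assertion is a plain (not nested) JWT
    if str(hdr.get("typ", "JWT")).upper() != "JWT" or "cty" in hdr:
        problems.append("typ must be 'JWT' if present, and cty (nested JWT) is not expected")
    # Key identification must be consistent: thumbprint headers must match the x5c leaf
    leaf = None
    if isinstance(hdr.get("x5c"), list) and hdr["x5c"]:
        try:
            leaf = base64.b64decode(hdr["x5c"][0], validate=True)  # x5c carries plain base64 DER
        except ValueError:
            problems.append("x5c[0] is not valid base64")
    elif "x5c" in hdr:
        problems.append("x5c must be a non-empty array of certificates")
    for name, algo in (("x5t", "sha1"), ("x5t#S256", "sha256")):
        if leaf is not None and name in hdr and hdr[name] != _b64url(hashlib.new(algo, leaf).digest()):
            problems.append(f"{name} does not match the x5c leaf certificate")
    # crit (RFC 7515 s.4.1.11): every listed extension must be present and understood, else reject
    crit = hdr.get("crit")
    if "crit" in hdr and (not isinstance(crit, list) or not crit or not all(isinstance(c, str) for c in crit)):
        problems.append("crit must be a non-empty array of strings")
    elif crit:
        for name in crit:
            if name in REGISTERED:
                problems.append(f"crit must not list the registered header {name!r}")
            elif name not in hdr:
                problems.append(f"crit names {name!r} but the header does not carry it")
            elif name not in UNDERSTOOD_EXTENSIONS:
                problems.append(f"critical extension {name!r} is not understood: reject")
    return problems

# Constructed sample: these bytes stand in for a DER certificate (only its hash matters here)
FAKE_LEAF_DER = b"\x30\x82\x01\x00constructed-sample-certificate"
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT",
                 "x5c": [base64.b64encode(FAKE_LEAF_DER).decode()],
                 "x5t#S256": _b64url(hashlib.sha256(FAKE_LEAF_DER).digest())}
# The RFC 7515 Appendix E negative case: a consumer must reject an undefined critical extension
RFC7515_NEGATIVE = dict(SAMPLE_HEADER, crit=["http://example.invalid/UNDEFINED"],
                        **{"http://example.invalid/UNDEFINED": True})
```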