We have multiple JWKS keys, but just one key with the PS256 algorithm. The kid associated with this key is shared with other keys with different algorithms. Is this compliant?
No, sharing a kid among multiple keys is not compliant.
CDS, Security Endpoints, JWKS URIS, states the following:
- Data Holders and Data Recipients JWK sets MUST NOT contain multiple keys with the same "kid"

The kid value MUST be unique for each key in a set. The intent here is to avoid complexity for Accredited Data Recipients (ADRs) searching for keys, which might otherwise depend on a Data Holder's bespoke implementation. ADRs can simply filter on kid to find the key they require.
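The following is an added example, not text or code from the CDS standard: it checks a JWK Set for the duplicate-kid condition described above and shows why an ADR-style lookup by kid alone cannot work when a kid is shared. The JWKS below is constructed for illustration; its key material is a placeholder.

```python
import json
from collections import Counter

# Constructed sample JWKS (not a real Data Holder's set). Two keys share the
# kid "sig-1" with different algorithms (PS256 and RS256), which is exactly
# the non-compliant case in the question; "enc-1" is unique.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "RSA", "kid": "sig-1", "use": "sig", "alg": "PS256",
         "n": "PLACEHOLDER_MODULUS", "e": "AQAB"},
        {"kty": "RSA", "kid": "sig-1", "use": "sig", "alg": "RS256",
         "n": "PLACEHOLDER_MODULUS", "e": "AQAB"},
        {"kty": "RSA", "kid": "enc-1", "use": "enc", "alg": "RSA-OAEP",
         "n": "PLACEHOLDER_MODULUS", "e": "AQAB"},
    ]
})


def duplicate_kids(jwks_json: str) -> list:
    """Return kid values that appear on more than one key.

    An empty list means the set satisfies the 'kid MUST be unique' rule.
    Keys without a kid are ignored here; they are a separate problem.
    """
    keys = json.loads(jwks_json).get("keys", [])
    counts = Counter(k.get("kid") for k in keys if k.get("kid") is not None)
    return sorted(kid for kid, n in counts.items() if n > 1)


def select_key(jwks_json: str, kid: str) -> dict:
    """Resolve a key by kid alone, the way an ADR is meant to.

    Raises KeyError when no key matches and ValueError when the kid is
    ambiguous, rather than silently picking the first match: a silent pick
    could select the RS256 key when a PS256 signature is being verified.
    """
    matches = [k for k in json.loads(jwks_json)["keys"] if k.get("kid") == kid]
    if not matches:
        raise KeyError(f"no key with kid {kid!r}")
    if len(matches) > 1:
        raise ValueError(f"kid {kid!r} matches {len(matches)} keys; JWK set is non-compliant")
    return matches[0]


if __name__ == "__main__":
    print("duplicate kids:", duplicate_kids(SAMPLE_JWKS))  # ['sig-1']
```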