Archived 2023.09.09. Refer to the Consumer Data Standards, Software Statement Assertion
Under CDR Register: Dynamic Client Registration the signing algorithm used by the CDR Register is specified as PS256.
- Will the register support ES256 and sign the SSA using ES256 instead of PS256 if the preferred algorithm is ES256, nominated via OIDC endpoints?
- Is it required for a Data Holder to support both ES256 AND PS256? As per FAPI-RW - For JWS, both client and Auth servers can use PS256 OR ES256
- No. The CDR Register will only be using PS256 to sign the SSA. There is no planned work to provide options on the SSA signing algorithm used.
- The CDR Register has chosen to use PS256 as the signing algorithm, conforming to FAPI-RW Section 8.6. The result of this is that your registration server will need to be able to check the signature of the PS256 signed SSA. How you choose to sign your own JWTs is up to you as long as you conform to the CDS.
- Data recipients have the choice to choose the signing algorithm they use when interacting with data holders. Data holders must therefore support all signing algorithms as specified in FAPI-RW Section 8.6.