I have a webapp that sends payloads to clients. I want to sign these payloads so the clients can verify they are from my application. I created a public/private key pair and now need to somehow distribute the public key in a way that the clients are sure it's mine.
From what I read there are two main ways to guarantee the authenticity of the public key - use a public certificate signed by a CA or implement a web of trust.
I am wondering if there is a problem with the following approach. The webapp has a domain name and website served under SSL/TLS with a certificate issued by a CA. Does it provide the same/similar level of authenticity guarantee as the PKI/WOT approaches if I publish the public key under a well-known URL on this website?
I've seen something similar in the context of jwt/oauth used by the cloud providers (for example https://www.googleapis.com/oauth2/v1/certs) but not sure if it's a viable approach for public keys used for digital signatures.