I have a service that utilizes Key Id in JWE with a third party.
The "kid" (key ID) Header Parameter is a hint indicating which key
was used to secure the JWS. This parameter allows originators to
explicitly signal a change of key to recipients. The structure of
the "kid" value is unspecified. Its value MUST be a case-sensitive string. Use of this Header Parameter is OPTIONAL.
When used with a JWK, the "kid" value is used to match a JWK "kid" parameter value.
The third party service uses our sent kid as a key identifier to distinguish between multiple potential keys
(e.g. if the kid value is 2, use the secondary key).
I'm not sure whether this claim can be used in a different way.
ASK:
- Can the kid be set to a completely random value in some other services in JWE?
If yes, how would the server understand what certificate to choose to decrypt with if it's completely random (e.g. a UUID)?
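As an added example (not part of the question or of the third party's service), this shows how a recipient resolves an opaque kid such as a UUID: the value carries no meaning on its own; the recipient simply looks it up in the JWK Set it already holds and refuses to decrypt when there is no unique match. The JWK Set, the header and the UUID are all constructed here, and the non-header segments of the compact JWE are left as placeholders.

```python
import base64
import json

# Constructed JWK Set held by the recipient. Real JWKs would carry the key
# material; only the fields that matter for key selection are shown.
RECIPIENT_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "enc", "alg": "RSA-OAEP-256", "kid": "2"},
        {"kty": "RSA", "use": "enc", "alg": "RSA-OAEP-256",
         "kid": "3f2504e0-4f89-11d3-9a0c-0305e82c3301"},  # opaque UUID kid
    ]
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_compact_jwe(kid: str) -> str:
    """Constructed compact JWE: a real protected header followed by four
    placeholder segments (encrypted key, IV, ciphertext, tag)."""
    header = {"alg": "RSA-OAEP-256", "enc": "A256GCM", "kid": kid}
    return ".".join([b64url_encode(json.dumps(header).encode()), "x", "x", "x", "x"])


def select_key(compact_jwe: str, jwks: dict):
    """Return the single JWK whose "kid" equals the header's "kid", or None
    when the recipient must refuse to decrypt (unknown or ambiguous kid)."""
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE serialization")
    header = json.loads(b64url_decode(parts[0]))
    kid = header.get("kid")
    if not isinstance(kid, str):
        raise ValueError("kid header must be a string when present")
    # Exact, case-sensitive comparison; the kid's structure is otherwise opaque.
    matches = [k for k in jwks["keys"] if k.get("kid") == kid]
    if len(matches) != 1:
        return None  # no key, or several keys, for this kid: do not decrypt
    key = matches[0]
    # The selected key must also agree with the algorithm the header claims.
    if key.get("alg") not in (None, header.get("alg")):
        return None
    return key
```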