Anyia, stressed girl 🏳️⚧️ on Nostr: nprofile1q…ufle4 hang on, verification is done with the public key. But a server ...
nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpq7yf7cxzxz4kwf24zmflvyqqtrylsjwm5q9a074u5ger57rmzz0aq0ufle4 hang on, verification is done with the public key. But a server that wishes to trust an issuer of JWTs should have that public key pinned, not accept any random public key embedded within the JWT itself. In my (limited) experience, the expected public keys are kept in a server side store indexed by the key id. I can see a use case for the "jwu" field where a server might wish to trust a domain rather than individual keys, and being able to securely fetch the public key makes sense. Having the key delivered insecurely as part of the JWT itself makes no sense to me.