From 68c6fc148805e3c52ba48be4aa656720479e0fad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= <jmelancon@genetec.com>
Date: Wed, 28 Jan 2026 14:40:40 -0500
Subject: [PATCH 1/2] Add kid header requirement for private_key_jwt

---
 doc/Security.xml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/doc/Security.xml b/doc/Security.xml
index cfd8c6535..1cf90c609 100644
--- a/doc/Security.xml
+++ b/doc/Security.xml
@@ -1357,7 +1357,8 @@
         <para>A device signaling support for self_signed_tls_client_auth shall signal support for
           SelfSignedCertificateCreation.</para>
         <para>A device signaling support for private_key_jwt shall signal support for
-          KeyPairGeneration for ECC keys.</para>
+          KeyPairGeneration for ECC keys. The <literal>KeyId</literal> specified in the configuration shall 
+          also be included as the `kid` header field of the JWT assertion.</para>
       </section>
     </section>
   </chapter>

From 59f69106806cea7d78ca06e5603eee158b7eec90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20M=C3=A9lan=C3=A7on?= <jmelancon@genetec.com>
Date: Mon, 16 Feb 2026 09:44:18 -0500
Subject: [PATCH 2/2] Move statement & more clearly refer to the OpenId terms &
 specs

---
 doc/Security.xml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/doc/Security.xml b/doc/Security.xml
index 1cf90c609..3d3231845 100644
--- a/doc/Security.xml
+++ b/doc/Security.xml
@@ -297,6 +297,10 @@
       >http://www.ietf.org/rfc/rfc6750.txt</link>&gt;</para>
     <para>RFC 7292 - PKCS #12: Personal Information Exchange Syntax v1.1</para>
     <para>&lt;<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://datatracker.ietf.org/doc/html/rfc7292"/>&gt;</para>
+    <para>IETF RFC 7515 JSON Web Signature (JWS)</para>
+    <para>&lt;<link xmlns:xlink="http://www.w3.org/1999/xlink"
+        xlink:href="http://www.ietf.org/rfc/rfc7515.txt"
+      >http://www.ietf.org/rfc/rfc7515.txt</link>&gt;</para>
     <para>IETF RFC 7517 JSON Web Key (JWK)</para>
     <para>&lt;<link xmlns:xlink="http://www.w3.org/1999/xlink"
         xlink:href="http://www.ietf.org/rfc/rfc7517.txt"
@@ -1357,8 +1361,7 @@
         <para>A device signaling support for self_signed_tls_client_auth shall signal support for
           SelfSignedCertificateCreation.</para>
         <para>A device signaling support for private_key_jwt shall signal support for
-          KeyPairGeneration for ECC keys. The <literal>KeyId</literal> specified in the configuration shall 
-          also be included as the `kid` header field of the JWT assertion.</para>
+          KeyPairGeneration for ECC keys.</para>
       </section>
     </section>
   </chapter>
@@ -4597,6 +4600,9 @@
         <title>SetAuthorizationServerConfiguration</title>
         <para>This operation modifies an existing authorization server configuration. The device
           shall support this command if MaxConfigurations capability is greater than zero.</para>
+        <para>When the <literal>KeyID</literal> value of the configuration is set, the device shall
+          include that value in the <literal>kid</literal> header field of the client assertion defined
+          in RFC 7515 Section 4.1.4.</para>
         <variablelist role="op">
           <varlistentry>
             <term>request</term>