5.1 Security Considerations for Implementers
The Key Provisioning Protocol uses HTTPS as a transport. Using Secure Sockets Layer (SSL) server certificate verification ensures that the client is communicating with the real key provisioning server and closes any possible man-in-the-middle attacks.
The input message uses an JSON Web Token for both authentication and authorization. The key provisioning server must validate that the security token is signed by a trusted identity provider, is within the token validity period, and that the target audience of the token is the server.