[Openid-specs-ab] Signed/encrypted aggregated and/or distributed claims and asymmetric keys

Roland Hedberg roland.hedberg at adm.umu.se
Tue Feb 14 09:05:49 UTC 2012


I'm looking at implementing support for aggregated and/or distributed claims and I have a problem with the key distribution.

When an RP is communicating with an OP, the RP can get all information it needs about the keys the OP uses using discovery.

Doing aggregated claims, there is not necessarily any communication between the client and the claims provider.
The claims provider might not even be accessible on the Internet.
Hence no means by which the client can find out which keys the claims provider uses.

The same goes for distributed claims, even though, since the client actually talks to the claims provider to get at the claims, it is conceivable that the client could do dynamic discovery like with any other OP it will talk to.

I can't find anything about this in the documents.
Am I missing something, or is it just undefined?

-- Roland
