[Openid-specs-ab] JWA support

Roland Hedberg roland.hedberg at adm.umu.se
Wed Sep 26 18:19:42 UTC 2012

On 26 Sep 2012, at 20:06, Mike Jones <Michael.Jones at microsoft.com> wrote:

> Looking at http://openid.net/specs/openid-connect-messages-1_0.html#sigenc, I agree that the treatment of advertising supported algorithms is currently inconsistent.  The client has fine-grained control with the parameters
> 	{userinfo,id_token}_signed_response_alg and {userinfo,id_token}_encrypted_response_{alg,enc,int}
> whereas the server jumbles the types of algorithms together with the parameters
> 	{userinfo,id_token,request_object,token_endpoint}_algs_supported.
> I believe that we should give the server the same degree of control as the client.  I would propose these new server parameter names:
> 	{userinfo,id_token,request_object,token_endpoint}_signing_alg_values_supported
> 	{userinfo,id_token,request_object,token_endpoint}_encryption_{alg,enc}_values_supported
> Do people agree with that proposal?

I do.

> Notice that I didn't include an "int_values_supported" option.  That's because in the JOSE drafts to be published shortly, the "int" and "kdf" parameters are going away, with the "enc" value representing AEAD algorithms such as "A128CBC+HS256", "A256CBC+HS512", "A128GCM", and "A256GCM" (with combinations such as "A128CBC+HS256" used when the base block encryption algorithm is not already AEAD).
> I don't propose to change the Connect spec until the JOSE changes are published, but I'll plan to do so at that time.  Until then, we can do interop on the current specs.  But implementers should be aware of the upcoming changes.


-- Roland
Roland Hedberg
IT Architect/Senior Researcher
ICT Services and System Development (ITS)
Umeå University
SE-901 87 Umeå, Sweden
Phone +46 90 786 68 44
Mobile +46 70 696 68 44
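A consistency check built on the server parameter names proposed in the quoted message, added here as an example that is not part of the thread or of any OpenID implementation. The discovery document and client registrations it uses are constructed, and the rule that an `enc` value needs a matching `alg` is this example's own assumption.

```python
# Added example, not from the thread. Maps the client's per-response
# registration parameters to the server discovery parameters proposed
# above and checks that every requested algorithm is advertised.
# (No "int" entry: the JOSE change described above folds it into "enc".)
PARAM_MAP = {
    "id_token_signed_response_alg": "id_token_signing_alg_values_supported",
    "userinfo_signed_response_alg": "userinfo_signing_alg_values_supported",
    "id_token_encrypted_response_alg": "id_token_encryption_alg_values_supported",
    "id_token_encrypted_response_enc": "id_token_encryption_enc_values_supported",
    "userinfo_encrypted_response_alg": "userinfo_encryption_alg_values_supported",
    "userinfo_encrypted_response_enc": "userinfo_encryption_enc_values_supported",
}

def check_client_algs(server_metadata, client_metadata):
    """Return a list of problems; empty means the registration is consistent.
    Omitted client parameters are not checked; a missing server list counts as
    'nothing supported' for that response type."""
    problems = []
    for client_param, server_param in PARAM_MAP.items():
        value = client_metadata.get(client_param)
        if value is None:
            continue
        supported = server_metadata.get(server_param, [])
        if value not in supported:
            problems.append(f"{client_param}={value!r} not in {server_param}={supported!r}")
    # Assumed rule for this check: a content-encryption 'enc' only makes sense
    # together with a key-management 'alg' for the same response type.
    for response in ("id_token", "userinfo"):
        if (client_metadata.get(f"{response}_encrypted_response_enc") is not None
                and client_metadata.get(f"{response}_encrypted_response_alg") is None):
            problems.append(f"{response}_encrypted_response_enc given without _alg")
    return problems

# Constructed sample data: a discovery document and two client registrations.
SERVER = {
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
    "userinfo_signing_alg_values_supported": ["RS256"],
    "id_token_encryption_alg_values_supported": ["RSA1_5"],
    "id_token_encryption_enc_values_supported": ["A128CBC+HS256", "A128GCM"],
}
CLIENT_OK = {
    "id_token_signed_response_alg": "RS256",
    "id_token_encrypted_response_alg": "RSA1_5",
    "id_token_encrypted_response_enc": "A128GCM",
}
CLIENT_BAD = {
    "userinfo_signed_response_alg": "ES256",        # not advertised by SERVER
    "userinfo_encrypted_response_enc": "A128GCM",   # enc without alg, nothing advertised
}
```

Running `check_client_algs(SERVER, CLIENT_BAD)` reports the unadvertised signing algorithm, the unadvertised encryption value, and the lone `enc`; `CLIENT_OK` yields no problems.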
