[Openid-specs-ab] Registration: Additional JWE parameters for OpenID request object?

John Bradley ve7jtb at ve7jtb.com
Tue Nov 6 12:41:19 UTC 2012

Thanks for closely looking at the spec.

The reason for registering the request object signing alg is to stop a downgrade attack.
Being able to sign the request is not useful for security if the IdP also takes unsigned requests.
(There is also non-repudiation for the request, but that is a edge case other than at LoA 3)

For encrypting the request object it is up to the client to decide if it wants to do it.   Having the IdP require it is not really adding anything.

We can look at the id_token and userinfo.  

Did you create a ticket for this?


On 2012-11-06, at 1:09 AM, "Vladimir Dzhuvinov / NimbusDS" <vladimir at nimbusds.com> wrote:

> Thank you guys for going through the reg issues I posted yesterday.
> The spec says that the OpenID request object can also be signed. Should
> we then also have optional reg parameters for specifying JWE alg and
> enc?
> I.e. 
> signed_request_object_alg
> encrypted_request_object_alg
> encrypted_request_object_enc
> following the same pattern for the ID Token and UserInfo JWS/JWE
> parameters:
> id_token_signed_response_alg
> id_token_encrypted_response_alg
> id_token_encrypted_response_enc
> userinfo_signed_response_alg
> userinfo_encrypted_response_alg
> userinfo_encrypted_response_enc
> (I suppose the *_int is going to go away to match the latest JOSE
> changes).
> Thanks,
> Vladimir
> --
> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

More information about the Openid-specs-ab mailing list