[Openid-specs-ab] ServerMTI in Messages

John Bradley ve7jtb at ve7jtb.com
Wed Jan 30 12:37:57 UTC 2013


The problem with the user info endpoint is that it can't be supported by self issued providers so always making it MTI won't work.

Just because a provider doesn't support discovery and registration, I wouldn't expect them to not have a user info endpoint.

The default signing for request objects should be RS256.  I would prefer not to make RS256 MTI as it may be legitimate for a server to support only ECDH for security reasons.

I would be OK with saying the server needs to support one of RS256, RS512, ES512.  So if they don't want to support the default they have to support one of the more secure ones.

The problem is what happens when someone only wants to support ECDSA with SHA3? That is the problem with MTI.

John B.

On 2013-01-30, at 8:25 AM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:

> Hi all,
> 
> just re-read the MTI section of messages (8.1. specifically), which caused two questions:
> 1) Assuming the scope values "profile", "email", "address" and "phone" are required for all server implementations, how is a non-dynamic OpenID provider supposed to expose this data? I'm asking since the UserInfo endpoint is MTI for dynamic OpenID providers, only.
> 2) Which are the default signing algorithms for request objects? Discovery says "Servers SHOULD support none and RS256".
> 
> regards,
> Torsten.
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
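The negotiation John sketches (RS256 as the default, the server required to support at least one of RS256, RS512 or ES512, and a client that must not silently downgrade) can be expressed as a small client-side check. This is an added example, not code from the thread or from any OpenID implementation; it assumes the discovery metadata key `request_object_signing_alg_values_supported` and a constructed sample discovery document.

```python
"""Request object signing algorithm negotiation for an OpenID Connect client.

Added example (hypothetical code, not from the mailing-list thread).
"""

# The MTI set proposed in the thread: a server must support at least one of these.
MTI_REQUEST_OBJECT_ALGS = ("RS256", "RS512", "ES512")

# Discovery default when a server advertises nothing ("SHOULD support none and RS256").
DEFAULT_ALGS = ("RS256",)

# Client preference, strongest first. "none" is deliberately absent: an unsigned
# request object must never be chosen by fallback.
CLIENT_PREFERENCE = ("ES512", "RS512", "ES256", "RS256")


def server_meets_mti(advertised_algs):
    """True if the server advertises at least one algorithm from the MTI set."""
    return any(alg in MTI_REQUEST_OBJECT_ALGS for alg in advertised_algs)


def select_request_object_alg(discovery_doc, client_algs):
    """Pick the strongest algorithm both sides support, or None if there is none.

    A None result means the client cannot sign request objects for this server;
    callers must treat that as a failure, not fall back to alg "none".
    """
    advertised = discovery_doc.get("request_object_signing_alg_values_supported")
    if not advertised:  # key absent: assume the Discovery default
        advertised = DEFAULT_ALGS
    for alg in CLIENT_PREFERENCE:
        if alg in advertised and alg in client_algs:
            return alg
    return None


# Constructed sample discovery document (not a real provider).
SAMPLE_DISCOVERY = {
    "issuer": "https://op.example",
    "request_object_signing_alg_values_supported": ["none", "RS256", "ES512"],
}

if __name__ == "__main__":
    print(server_meets_mti(SAMPLE_DISCOVERY["request_object_signing_alg_values_supported"]))
    print(select_request_object_alg(SAMPLE_DISCOVERY, ["RS256", "RS512"]))
```

An ECDSA-only server paired with an RSA-only client yields None, which is exactly the interoperability gap the thread worries about; the check makes it an explicit error instead of a downgrade to an unsigned request.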
