[Openid-specs-ab] Simplifying preferred_locales and max_age

Torsten Lodderstedt torsten at lodderstedt.net
Sat Feb 2 16:59:30 UTC 2013

Am 02.02.2013 um 17:05 schrieb John Bradley <ve7jtb at ve7jtb.com>:

> Well there is no difference.  From a security point of view you probably don't want to use none as the request object signing alg of none

That's certainly true from the security perspective. Unfortunately, request object is the only way so far to request specific claims. This is orthognal to the security requirements but request objects must be sent as JWS objects. For the use cases I have in mind, really signing the object adds unnecessary complexity. So we will most likely use "none" in most cases. This is weird and I would rather prefer to have a unsigned version of the request object,


More information about the Openid-specs-ab mailing list