[Openid-specs-ab] Simplifying preferred_locales and max_age

John Bradley ve7jtb at ve7jtb.com
Sat Feb 2 17:51:18 UTC 2013


A JWS with an alg of none is a base64url encoded JSON object. I don't know that it can get much simpler. A JWS with an alg of none is unsigned.

One can also argue that an HMAC of a base64url encoded string is not the world's hardest integrity if you want to use it.

Some people want to ditch the request object because they don't want fine-grained claims. Others want fine-grained claims with parameters to meet privacy laws.

Some will want both because in a lot of cases you don't want the user changing what claims are requested.

So we have two reasons for having a request object: one needs signing, and the other should probably be signed but can be unsigned in many cases.

The question is what to make MTI?

John B.

On 2013-02-02, at 1:59 PM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:

> 
> 
> Am 02.02.2013 um 17:05 schrieb John Bradley <ve7jtb at ve7jtb.com>:
> 
>> Well there is no difference. From a security point of view you probably don't want to use none as the request object signing alg.
> 
> That's certainly true from the security perspective. Unfortunately, the request object is the only way so far to request specific claims. This is orthogonal to the security requirements, but request objects must be sent as JWS objects. For the use cases I have in mind, really signing the object adds unnecessary complexity. So we will most likely use "none" in most cases. This is weird and I would rather prefer to have an unsigned version of the request object.
> 
> regards,
> Torsten.
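As an added illustration (not code from this thread or from the OpenID Connect specs) of the two request-object forms John compares above: a compact JWS with alg none is just the base64url header and payload with an empty signature part, while HS256 adds an HMAC over that same base64url string. The client_id and claims values, the HMAC key and the verifier's allowed-algorithm policy are constructed for this example.

```python
import base64, hashlib, hmac, json
from typing import Optional

def b64url(data: bytes) -> str:
    # JWS base64url: URL-safe alphabet, padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_request_object(claims: dict, key: Optional[bytes] = None) -> str:
    """Serialize a request object as a compact JWS.
    key=None  -> alg "none": header.payload. with an empty signature part
    key given -> alg "HS256": HMAC-SHA256 over the base64url header.payload"""
    alg = "none" if key is None else "HS256"
    header = b64url(json.dumps({"alg": alg}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = b"" if key is None else hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_request_object(jws: str, key: Optional[bytes],
                          allowed_algs=("HS256",)) -> dict:
    """Return the claims if the JWS satisfies the verifier's alg policy.
    "none" is accepted only when the policy lists it explicitly, so an
    unsigned object cannot be swapped in where a signed one is expected."""
    header_b64, payload_b64, sig_b64 = jws.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} not permitted by policy")
    if alg == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("HMAC does not match")
    elif sig_b64 != "":  # alg none must carry an empty signature part
        raise ValueError("alg none with non-empty signature")
    return json.loads(b64url_decode(payload_b64))

# Constructed example request object (values are illustrative only)
CLAIMS = {"client_id": "example-client", "claims": {"userinfo": {"email": {"essential": True}}}}
KEY = b"constructed-shared-secret"

if __name__ == "__main__":
    unsigned = make_request_object(CLAIMS)          # ends with "." : no signature
    signed = make_request_object(CLAIMS, KEY)
    print(unsigned)
    print(verify_request_object(signed, KEY))
```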


