[Openid-specs-ab] Simplifying preferred_locales and max_age

Nat Sakimura sakimura at gmail.com
Sun Feb 3 10:18:46 UTC 2013


So, here is a question to Torsten.

Does your use case require the request to be created really dynamically?
Or having several pre-registered request parameters and being able to choose
it at run-time would do?

Nat

2013/2/3 John Bradley <ve7jtb at ve7jtb.com>

> A JWS with an alg of none is a base64url encoded JSON object.   I don't
> know that it can get much simpler.  A JWS with an alg of none is unsigned.
>
> One can also argue that an HMAC of a base64url encoded string is not the
> world's hardest integrity if you want to use it.
>
> Some people want to ditch the request object because they don't want
> fine-grained claims.  Others want fine-grained claims with parameters to meet
> privacy laws.
>
> Some will want both because in a lot of cases you don't want the user
> changing what claims are requested.
>
> So we have two reasons for having a request object: one needs signing and
> the other should probably be signed but can be unsigned in many cases.
>
> The question is what to make MTI?
>
> John B.
>
> On 2013-02-02, at 1:59 PM, Torsten Lodderstedt <torsten at lodderstedt.net>
> wrote:
>
> >
> >
> > On 02.02.2013 at 17:05, John Bradley <ve7jtb at ve7jtb.com> wrote:
> >
> >> Well there is no difference.  From a security point of view you
> >> probably don't want to use none as the request object signing alg of none
> >
> > That's certainly true from the security perspective. Unfortunately,
> > request object is the only way so far to request specific claims. This is
> > orthogonal to the security requirements but request objects must be sent as
> > JWS objects. For the use cases I have in mind, really signing the object
> > adds unnecessary complexity. So we will most likely use "none" in most
> > cases. This is weird and I would rather prefer to have an unsigned version
> > of the request object.
> >
> > regards,
> > Torsten.
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
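
The two forms of request object discussed in this thread, as an added example that is not part of the original messages: an alg "none" object (plain base64url JSON with an empty signature segment) next to an HS256 one, with a reader that checks against the alg the server expects for the client. The function names, the `expected_alg` parameter, and the sample claims and key are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_request_object(claims: dict, alg: str, key: bytes = b"") -> str:
    """Compact JWS serialization of a request object, alg 'none' or 'HS256'."""
    if alg not in ("none", "HS256"):
        raise ValueError("only 'none' and 'HS256' are covered here")
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": alg}) + "." + enc(claims)
    # alg none: the third segment is empty, so the object is just encoded JSON.
    sig = "" if alg == "none" else b64url(_mac(key, signing_input))
    return signing_input + "." + sig

def read_request_object(jws: str, expected_alg: str, key: bytes = b"") -> dict:
    """Return the claims, checking the object against the alg the server
    expects for this client (assumption: taken from registration data),
    never against whatever alg the received header announces."""
    header_b64, payload_b64, sig_b64 = jws.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != expected_alg:
        raise ValueError("alg does not match the one expected for this client")
    if expected_alg == "none":
        if sig_b64:
            raise ValueError("unsigned object carries a signature segment")
    elif expected_alg == "HS256":
        expected = _mac(key, header_b64 + "." + payload_b64)
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("HMAC check failed")
    else:
        raise ValueError("only 'none' and 'HS256' are covered here")
    return json.loads(b64url_decode(payload_b64))

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    claims = {"client_id": "example-client", "max_age": 300}
    key = b"constructed-shared-secret"
    print(make_request_object(claims, "none"))
    signed = make_request_object(claims, "HS256", key)
    print(read_request_object(signed, "HS256", key))
```

A client expected to send HS256 cannot have its claims replaced by re-labelling the object as "none", while a client expected to send "none" gets no integrity protection on the claims at all.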