[Openid-specs-ab] Simplifying preferred_locales and max_age

Torsten Lodderstedt torsten at lodderstedt.net
Sun Feb 3 10:32:04 UTC 2013


Hi Nat,

dynamically created requests would be perfect. Pre-registered requests would do but would also increase the likelihood of misconfigurations. We configure most of our clients oob. I would assume a new request "type" would be introduced with a new revision of the respective application. It has to be insured that the required requests are properly configured upfront. Any mistake will cause errors during execution.

regards,
Torsten.

Am 03.02.2013 um 11:18 schrieb Nat Sakimura <sakimura at gmail.com>:

> So, here is a question to Torsten. 
> 
> Does your use case require the request to be created really dynamically? 
> Or having several pre-registered request parameters and being able to chose it at run-time would do? 
> 
> Nat
> 
> 2013/2/3 John Bradley <ve7jtb at ve7jtb.com>
>> A JWS with an alg of none is a base64url encoded JSON object.   I don't know that it can get much simpler.  A JWS with an alt of none is unsigned.
>> 
>> One can also argue that a HMAC of a bas64url encoded string is not the worlds hardest integrity if you want to use it.
>> 
>> Some people want to ditch the request object because they don't want fine-grained claims.  Others want fine grand claims with parameters to meet privacy laws.
>> 
>> Some will want both because in a lot of cases you don't want the user changing what claims are requested.
>> 
>> So we have two reasons for having a request object one needs signing and the other should probably be signed but can be unsigned in many cases.
>> 
>> The question is what to make MTI?
>> 
>> John B.
>> 
>> On 2013-02-02, at 1:59 PM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>> 
>> >
>> >
>> > Am 02.02.2013 um 17:05 schrieb John Bradley <ve7jtb at ve7jtb.com>:
>> >
>> >> Well there is no difference.  From a security point of view you probably don't want to use none as the request object signing alg of none
>> >
>> > That's certainly true from the security perspective. Unfortunately, request object is the only way so far to request specific claims. This is orthognal to the security requirements but request objects must be sent as JWS objects. For the use cases I have in mind, really signing the object adds unnecessary complexity. So we will most likely use "none" in most cases. This is weird and I would rather prefer to have a unsigned version of the request object,
>> >
>> > regards,
>> > Torsten.
>> 
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> 
> 
> 
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130203/530f44b3/attachment-0001.html>


More information about the Openid-specs-ab mailing list