[Openid-specs-ab] Connect Standard annotated word version

Mike Jones Michael.Jones at microsoft.com
Mon Jun 3 15:34:20 UTC 2013


Thanks for doing this, Nat.  I've attached a version that adds some comments and revisions to your version.

As for the application/jwt MIME type, we should not change this for several reasons.  First, JWT defines the nested signing/encryption logic - it's not present in JWS or JWE.  Secondly, this really is a JWT.  Third, the JOSE working group may change or delete application/jws, whereas application/jwt is more stable.

As for changing the prompt:consent MUST to a SHOULD, I don't understand the "obvious from other actions" comment, nor circumstances in which we would not require new consent, if asked for by the RP.  As for the "pavlov" attack, if the RP keeps asking the user for consent, the mitigation is for the user to stop using the RP, not to weaken the protocol.  I don't think we should make this change.

                                                            -- Mike
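Mike's point that JWT, not JWS or JWE, defines the nesting rules can be illustrated with a small parser. This is an added example, not code from the thread or from any OpenID Foundation project: it classifies a compact-serialized token as JWS (three segments) or JWE (five segments) and reports whether the protected header declares a nested JWT via `cty` (RFC 7519, section 5.2); the sample tokens are constructed and carry dummy signature and ciphertext segments, so only the header is inspected.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment without '=' padding, as used in compact serialization."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url (helper for the constructed samples)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def classify_compact(token: str) -> dict:
    """Return the serialization kind (JWS/JWE), the alg, and whether the header
    marks the payload/plaintext as a nested JWT (cty "JWT")."""
    parts = token.split(".")
    if len(parts) == 3:
        kind = "JWS"
    elif len(parts) == 5:
        kind = "JWE"
    else:
        raise ValueError(f"not a compact JWS/JWE: {len(parts)} segments")
    # Only the protected header is decoded; nothing is verified or decrypted here.
    header = json.loads(_b64url_decode(parts[0]))
    cty = str(header.get("cty", ""))
    # RFC 7519 s5.2: a nested JWT is signalled by cty "JWT" (case-insensitive).
    nested = cty.upper() == "JWT"
    return {"kind": kind, "alg": header.get("alg"), "nested_jwt": nested}


def make_compact(header: dict, *segments: str) -> str:
    """Assemble a compact token from a header dict and pre-encoded segments (constructed samples)."""
    head = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    return ".".join([head, *segments])


# Constructed sample: a plain signed JWT (JWS with a placeholder signature).
SAMPLE_JWS = make_compact({"alg": "RS256", "typ": "JWT"},
                          _b64url_encode(b'{"sub":"alice"}'), _b64url_encode(b"sig"))

# Constructed sample: a JWE whose plaintext is itself a JWT (nested), signalled by cty.
SAMPLE_NESTED = make_compact({"alg": "RSA-OAEP", "enc": "A256GCM", "cty": "JWT"},
                             "ek", "iv", "ct", "tag")

if __name__ == "__main__":
    print(classify_compact(SAMPLE_JWS))
    print(classify_compact(SAMPLE_NESTED))
```

A consumer that only understands JWS or JWE would stop after one layer; a JWT consumer sees `cty: "JWT"` and knows it must process the inner token again, which is the logic Mike says lives in JWT alone.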

From: Nat Sakimura [mailto:sakimura at gmail.com]
Sent: Monday, June 03, 2013 2:31 AM
To: openid-specs-ab at lists.openid.net; Mike Jones; John Bradley
Subject: Connect Standard annotated word version

I prepared a word version with modifications and comments.
Many of them are editorial. It is probably easier to go through than to do it in multiple tickets.

1 normative change proposed about the processing of the prompt parameter. It was using MUST, but I think it should be SHOULD. It is possible that trying to obtain active consent may be illegal when it is obvious from other actions. MUST is a bit too much. It is also prone to a "Pavlov" attack.

Also, one question about what the MIME Type of the signed UserInfo response should be. It currently is application/jwt but it may be more appropriate to have it as application/jws.

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en