[Openid-specs-ab] iss typos

Manger, James James.H.Manger at team.telstra.com
Wed Mar 4 03:18:25 UTC 2015


OpenID Connect Core 1.0<http://openid.net/specs/openid-connect-core-1_0.html#SelfIssuedValidation> §7.5 "Self-Issued ID Token Validation" has a typo in point 1. It says the "iss" value MUST be
  https://self-isued.me
but it should actually be
  https://self-issued.me

It is an annoying typo as there are two "MUST"s referring to this precise spelling.


The spec also has 4 example "iss" values that are wrong because they are http, not https. §A.2, §A.3, §A.4, and §A.6 (examples using various response_type values) have
  "iss": "http://server.example.com"
which needs to be
  "iss": "https://server.example.com"


P.S. I was trying to pick some sizes for various tokens. RFC 6819 "OAuth 2.0 Security" has a generic suggestion of >= 128-bits. The OpenID Connect spec, however, has lots of examples of 60-bit (10 b64 chars) code, client_secret, access_token, and refresh_token values, and only slightly longer sample state and nonce values.

--
James Manger
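As an added example (not part of James Manger's post or the OpenID Connect spec), the Python below shows the two checks a verifier would actually perform: an exact-match "iss" comparison that rejects both the misspelled self-issued issuer and an http-scheme downgrade, and the 6-bits-per-base64url-character arithmetic behind the 60-bit versus 128-bit comparison in the P.S. The sample token strings are constructed for illustration.

```python
import math
import secrets
from urllib.parse import urlsplit

# Issuer that a Self-Issued ID Token MUST carry (Core 1.0 §7.5, point 1),
# spelled as the spec intends, not as the typo in the published text.
SELF_ISSUED_ISS = "https://self-issued.me"

# Minimum randomness RFC 6819 suggests for unguessable OAuth values.
RFC6819_MIN_BITS = 128


def validate_iss(iss: str, expected: str) -> bool:
    """Exact-match check of the ID Token "iss" claim.

    Accepts only a byte-for-byte match that is an https URL, so both
    "https://self-isued.me" (typo) and "http://server.example.com"
    (wrong scheme, as in the spec's §A.x examples) are rejected.
    """
    if iss != expected:
        return False
    parts = urlsplit(iss)
    return parts.scheme == "https" and bool(parts.netloc)


def token_entropy_bits(token: str) -> int:
    """Upper bound on a base64url token's randomness: 6 bits per character.

    A 10-character value like the spec's example codes is at most 60 bits.
    """
    return 6 * len(token.rstrip("="))


def meets_rfc6819(token: str) -> bool:
    """True when the token can carry at least 128 bits of randomness."""
    return token_entropy_bits(token) >= RFC6819_MIN_BITS


def min_chars_for_bits(bits: int) -> int:
    """Base64url characters needed to encode `bits` bits of randomness."""
    return math.ceil(bits / 6)


def make_token(bits: int = RFC6819_MIN_BITS) -> str:
    """Generate a base64url token holding at least `bits` of CSPRNG output."""
    return secrets.token_urlsafe(math.ceil(bits / 8))
```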
