[Openid-specs-ab] iss typos

Manger, James James.H.Manger at team.telstra.com
Wed Mar 4 03:18:25 UTC 2015

OpenID Connect Core 1.0<http://openid.net/specs/openid-connect-core-1_0.html#SelfIssuedValidation> §7.5 "Self-Issued ID Token Validation" has a typo in point 1. It says the "iss" value MUST be
but it should actually be

It is an annoying typo as there are two "MUST"s referring to this precise spelling.

The spec also has 4 example "iss" values that are wrong because they are http, not https. §A.2, §A.3, §A.4, and §A.6 (examples using various response_type values) have
  "iss": "http://server.example.com"
which needs to be
  "iss": "https://server.example.com"

P.S. I was trying to pick some sizes for various tokens. RFC 6819 "OAuth 2.0 Security" has a generic suggestion of >= 128-bits. The OpenID Connect spec, however, has lots of examples of 60-bit (10 b64 chars) code, client_secret, access_token, and refresh_token values, and only slightly longer sample state and nonce values.

James Manger
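Added example (not part of the message above or of the OpenID Connect specification): a small relying-party-side check in Python that would have caught both problems the email raises. It rejects an "iss" claim that uses http instead of https and that does not exactly match the configured issuer (iss is a case-sensitive URL), and it estimates the entropy of a base64url token the same way the P.S. counts it (6 bits per character, so a 10-character value carries 60 bits) against the 128-bit floor from RFC 6819. The sample claim sets, subject and client identifiers are constructed for this example and are not values from the spec.

```python
import math
import re
import secrets
from urllib.parse import urlparse

# Constructed sample claim sets. The first mirrors the defect the email points
# out in the spec examples (an http issuer); the second is the corrected form.
BAD_EXAMPLE_CLAIMS = {"iss": "http://server.example.com", "sub": "user-123", "aud": "client-abc"}
GOOD_EXAMPLE_CLAIMS = {"iss": "https://server.example.com", "sub": "user-123", "aud": "client-abc"}

# Minimum token entropy recommended by RFC 6819 (OAuth 2.0 Security).
MIN_TOKEN_BITS = 128

_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_iss(claims, expected_issuer):
    """Return (ok, reason) for the "iss" claim of an ID token.

    The issuer must be an https URL with no query or fragment, and it must
    match the issuer the relying party was configured with, byte for byte.
    """
    iss = claims.get("iss")
    if not isinstance(iss, str):
        return False, "iss claim missing"
    parsed = urlparse(iss)
    if parsed.scheme != "https":
        return False, "iss must use the https scheme"
    if not parsed.netloc:
        return False, "iss must contain a host"
    if parsed.query or parsed.fragment:
        return False, "iss must not carry query or fragment components"
    # iss is case sensitive: no lowercasing or normalisation before comparing.
    if iss != expected_issuer:
        return False, "iss does not match the configured issuer"
    return True, "ok"


def token_entropy_bits(token):
    """Estimate the entropy of a base64url token as 6 bits per character.

    This is the same counting the email uses (10 chars -> 60 bits). It is an
    upper bound: it assumes every character was produced from random bytes.
    """
    if not _B64URL.match(token):
        raise ValueError("token is not base64url")
    return len(token) * 6


def token_is_strong_enough(token, minimum_bits=MIN_TOKEN_BITS):
    """True if the token's estimated entropy meets the RFC 6819 floor."""
    return token_entropy_bits(token) >= minimum_bits


def new_token(bits=MIN_TOKEN_BITS):
    """Generate a base64url token carrying at least `bits` of real entropy."""
    nbytes = math.ceil(bits / 8)
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for claims in (BAD_EXAMPLE_CLAIMS, GOOD_EXAMPLE_CLAIMS):
        print(claims["iss"], validate_iss(claims, "https://server.example.com"))
    sample_code = "abcdefghij"  # constructed 10-char value, like the spec's short examples
    print(sample_code, token_entropy_bits(sample_code), token_is_strong_enough(sample_code))
    fresh = new_token()
    print(fresh, token_entropy_bits(fresh), token_is_strong_enough(fresh))
```

secrets.token_urlsafe(16) yields 22 base64url characters, which the 6-bits-per-character estimate scores at 132 bits; the real entropy is the 128 bits of the underlying random bytes, so the estimate should be read as a quick screen for obviously short values, not as a precise measure.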
