<div dir="ltr">+1, inasmuch as I do not want people to use <span style="color:rgb(0,0,0);font-size:1em">RS256 with other private meanings in JWS. </span><div><span style="color:rgb(0,0,0);font-size:1em"><br></span></div>
<div style><span style="color:rgb(0,0,0);font-size:1em">My preference. </span></div><div style><span style="color:rgb(0,0,0);font-size:1em"><br></span></div><div style><span style="color:rgb(0,0,0);font-size:1em">1) MUST</span></div>
<div style><span style="color:rgb(0,0,0);font-size:1em">2) SHOULD with MUST NOT use the values defined in RFC6711. </span></div><div style><span style="color:rgb(0,0,0);font-size:1em"><br></span></div><div style><span style="color:rgb(0,0,0);font-size:1em">As I stated before, 2) is rather difficult to </span><font color="#000000">implement. It requires the developers to pull the RFC6711 registry every time it requests / responds with a private acr value. IMHO, 1) is the way to go. </font></div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/6/3 John Bradley <span dir="ltr"><<a href="mailto:jbradley@pingidentity.com" target="_blank">jbradley@pingidentity.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">I prefer the value to be a URI unless a registered name is used.  That prevents collisions and configuration errors.    I don't think making a private name a URI is overly restrictive.<div>
<br></div><div>It needs to at least be a SHOULD perhaps with a warning about use of unregistered short names being dangerous outside of testing due to possible name collisions.</div><div><br></div><div>It doesn't take much to do the registration.   I prefer to keep it tight and not have lots of people using values like "3" all with separate definitions.</div>
<div><br></div><div><br><div>
<div>John Bradley | Sr. Technical Architect<br>Ping Identity | <a href="http://www.pingidentity.com/" target="_blank">www.pingidentity.com</a></div>
</div>
<br><div><div>On 2013-06-02, at 11:36 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:</div><br><blockquote type="cite"><div lang="EN-US" link="blue" vlink="purple" style="font-family:Helvetica;font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">A must wouldn’t be consistent with the rest of how we use claims.  Where two parties have a private agreement on the meanings of claims, we allow the use of private, unregistered names, per <a href="http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-08#section-4.3" style="color:purple;text-decoration:underline" target="_blank">http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-08#section-4.3</a>.  I don’t think we should absolutely mandate the use of registered names in this case, when we don’t anywhere else.</span></div>
<div class="im"><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Also, some trust frameworks may experiment with a name before deciding that it’s time to register it.  We shouldn’t make that illegal.<u></u><u></u></span></div>
<div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">A “SHOULD” is fine.<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">                                                            -- Mike<u></u><u></u></span></div>
<div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span></div><div><div style="border-style:solid none none;border-top-width:1pt;border-top-color:rgb(181,196,223);padding:3pt 0in 0in">
<div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><b><span style="font-size:10pt;font-family:Tahoma,sans-serif">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif"><span> </span><a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-" target="_blank">openid-</a><a href="mailto:specs-ab-bounces@lists.openid.net" target="_blank">specs-ab-bounces@lists.openid.net</a>]<span> </span><b>On Behalf Of<span> </span></b>Nat Sakimura<br>
<b>Sent:</b><span> </span>Sunday, June 02, 2013 2:31 PM<br><b>To:</b><span> </span>Bradley John; <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br><b>Subject:</b><span> </span>[Openid-specs-ab] acr text<u></u><u></u></span></div>
</div></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
Especially to John, <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
acr text says:<u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
 An absolute URI or a <a href="http://openid.bitbucket.org/openid-connect-messages-1_0.html#RFC6711" style="color:purple;text-decoration:underline" target="_blank"><b>registered name</b></a> [RFC6711] MAY be used as an <tt style="font-family:'Courier New'"><span style="font-size:10pt">acr</span></tt> value.<u></u><u></u></div>
</div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
Is it really MAY? Is it not MUST? <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><br>=nat <u></u><u></u></div></div></div></div>_______________________________________________<br>
Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" style="color:purple;text-decoration:underline" target="_blank">Openid-specs-ab@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" style="color:purple;text-decoration:underline" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></div>
</blockquote></div><br></div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en</div>
</div>
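<p>The two rules debated in this thread, as an added example that is not part of the original messages or of any OpenID Connect implementation: it classifies an <tt>acr</tt> value as a registered name, an absolute URI or a private short name, then applies either the MUST rule or the SHOULD rule. The function names, the policy labels and the single registry entry are assumptions made for illustration; the registry entry is a constructed placeholder, not a real RFC 6711 value.</p>

```python
import re

# RFC 3986 absolute-URI shape: scheme ":" non-empty rest, no fragment, no whitespace.
_ABSOLUTE_URI = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*:[^\s#]+")

# Constructed placeholder for a locally cached copy of the RFC 6711 registry;
# this is not a real registry entry.
REGISTERED = frozenset({"example-registered-loa"})


def classify_acr(value, registered=REGISTERED):
    """Return 'registered', 'uri' or 'private' for one acr value."""
    if value in registered:
        return "registered"
    if _ABSOLUTE_URI.fullmatch(value):
        return "uri"
    return "private"


def check_acr(value, policy, registered=REGISTERED):
    """Apply one of the two rules discussed in the thread (hypothetical helper).

    policy='MUST'   -> only registered names or absolute URIs are accepted.
    policy='SHOULD' -> private short names are accepted, with a warning.
    Returns (accepted, kind, warning_or_None).
    """
    if policy not in ("MUST", "SHOULD"):
        raise ValueError("policy must be 'MUST' or 'SHOULD'")
    kind = classify_acr(value, registered)
    if kind != "private":
        return True, kind, None
    if policy == "MUST":
        return False, kind, "unregistered short name rejected"
    return True, kind, "unregistered short name: meaning depends on private agreement"


def colliding_private_names(private_names, registered=REGISTERED):
    """Under the SHOULD rule, privately agreed names must not reuse registered values.

    The check needs a current copy of the registry, which is the cost raised in the thread.
    """
    return sorted(set(private_names) & set(registered))
```
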