<div dir="ltr">Hi. <div><br></div><div>I suppose we should either drop or relax the following. They are not required in Basic. </div><div><br></div><div>rp-idt-kid-absent<br>rp-idt-kid</div><div></div>rp-alg-rs256<br>rp-alg-none<div><br></div><div>Also, I am wondering if the following is accurately reflecting the standard. </div><div><br></div><div><span style="font-size:110%;font-family:calibri,arial,sans,sans-serif;color:rgb(0,0,0)">"Uses https for all endpoints unless only using code flow" </span><br></div><div><span style="font-size:110%;font-family:calibri,arial,sans,sans-serif;color:rgb(0,0,0)">(It has no identifier assigned to it.)</span></div><div><span style="font-size:110%;font-family:calibri,arial,sans,sans-serif;color:rgb(0,0,0)"><br></span></div><div><span style="font-size:110%;font-family:calibri,arial,sans,sans-serif;color:rgb(0,0,0)">Section 3.1.2 states: </span></div><div><span style="font-size:110%;font-family:calibri,arial,sans,sans-serif;color:rgb(0,0,0)"><span style="font-family:verdana,charcoal,helvetica,arial,sans-serif;font-size:small">Communication with the Authorization Endpoint MUST utilize TLS. 
See </span><a class="" href="http://openid.net/specs/openid-connect-core-1_0.html#TLSRequirements" style="font-weight:bold;text-decoration:none;color:rgb(102,51,51);font-family:verdana,charcoal,helvetica,arial,sans-serif;font-size:small">Section 16.17</a><span style="font-family:verdana,charcoal,helvetica,arial,sans-serif;font-size:small"> for more information on using TLS.</span><br></span></div><div><span style="font-size:110%;font-family:calibri,arial,sans,sans-serif;color:rgb(0,0,0)"><br></span></div><div><span style="font-size:110%;font-family:calibri,arial,sans,sans-serif;color:rgb(0,0,0)">Section 3.1.3 states: </span></div><div><span style="font-size:110%;font-family:calibri,arial,sans,sans-serif;color:rgb(0,0,0)"><span style="font-family:verdana,charcoal,helvetica,arial,sans-serif;font-size:small">Communication with the Token Endpoint MUST utilize TLS. See </span><a class="" href="http://openid.net/specs/openid-connect-core-1_0.html#TLSRequirements" style="font-weight:bold;text-decoration:none;color:rgb(102,51,51);font-family:verdana,charcoal,helvetica,arial,sans-serif;font-size:small">Section 16.17</a><span style="font-family:verdana,charcoal,helvetica,arial,sans-serif;font-size:small"> for more information on using TLS.</span><br></span></div><div><span style="font-size:110%;font-family:calibri,arial,sans,sans-serif;color:rgb(0,0,0)"><br></span></div><div><span style="font-size:110%;font-family:calibri,arial,sans,sans-serif;color:rgb(0,0,0)">Section 5.3 states: </span></div><div><span style="font-size:110%;font-family:calibri,arial,sans,sans-serif;color:rgb(0,0,0)"><span style="font-family:verdana,charcoal,helvetica,arial,sans-serif;font-size:small">Communication with the UserInfo Endpoint MUST utilize TLS. 
See </span><a class="" href="http://openid.net/specs/openid-connect-core-1_0.html#TLSRequirements" style="font-weight:bold;text-decoration:none;color:rgb(102,51,51);font-family:verdana,charcoal,helvetica,arial,sans-serif;font-size:small">Section 16.17</a><span style="font-family:verdana,charcoal,helvetica,arial,sans-serif;font-size:small"> for more information on using TLS.</span><br></span></div><div><span style="font-size:110%;font-family:calibri,arial,sans,sans-serif;color:rgb(0,0,0)"><span style="font-family:verdana,charcoal,helvetica,arial,sans-serif;font-size:small"><br></span></span></div><div><span style="font-size:110%;font-family:calibri,arial,sans,sans-serif;color:rgb(0,0,0)"><span style="font-family:verdana,charcoal,helvetica,arial,sans-serif;font-size:small">Looks like we are mandating the use of TLS regardless of the flow. </span></span></div><div><span style="font-size:110%;font-family:calibri,arial,sans,sans-serif;color:rgb(0,0,0)"><br></span></div><div><div><br></div><div>-- <br><div class="gmail_signature">Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div></div>
</div></div></div>