<div dir="ltr"><div>I agree.</div><div>AUD should not be in a s/w statement at all.</div><div><br></div><div>I also think that you should ban questions like this that are not issues.</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Peace ..tom</div></div></div></div>
<br><div class="gmail_quote">On Fri, Sep 22, 2017 at 3:53 PM, Pamela Dingle via Openid-specs-fapi <span dir="ltr"><<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openid.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi FAPI'ers, <div><br></div><div>Can anyone here comment on whether they use or make technology that CANNOT override the standard RFC7519 JWT audience validation requirements?</div><div><br></div><div>I know that the jose4j library allows the ability to override the rules set out in <a href="https://tools.ietf.org/html/rfc7519#section-4.1.3" target="_blank">https://tools.ietf.org/<wbr>html/rfc7519#section-4.1.3</a> but I don't know if that is a common feature of other libraries.  As I read those rules, any entity that receives a JWT with an aud claim populated but which does not have the entity itself listed as a recipient should reject that JWT.</div><div><br></div><div>In this case we are talking about validating software statements in dynamic client requests -- if the software statement is generated with an audience set to be the client requesting the software statement, technically every AS the client tries to post that statement to should reject the statement, since the aud claim does not reference them directly.  
Any opinions on whether at the end of the day this is a serious compliance issue (or not), and/or a real problem for implementers (or not) would be welcome.</div><div><br></div><div>Cheers,</div><div><br></div><div>Pamela</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>-- <br><div class="m_-3881481806310258004gmail_signature">Pam Dingle, Principal Technical Architect, Ping Identity, <a href="mailto:pdingle@pingidentity.com" target="_blank">pdingle@pingidentity.com</a></div></div></font></span></div><br>______________________________<wbr>_________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net">Openid-specs-fapi@lists.<wbr>openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" target="_blank" rel="noreferrer">http://lists.openid.net/<wbr>mailman/listinfo/openid-specs-<wbr>fapi</a><br>
<br></blockquote></div><br></div>
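<div>The RFC 7519 section 4.1.3 audience rule that the quoted question turns on, applied to the software-statement scenario it describes, as an added Python example that is not code from the thread, from jose4j, or from any FAPI implementation. The issuer, client and authorization server identifiers are constructed for the demo, the token is built in compact JWT form with a placeholder signature segment, and signature verification is left out on purpose (a real verifier checks the signature before trusting any claim). The <code>skip_aud_check</code> flag stands in for the kind of explicit override the question attributes to jose4j; it is a labelled assumption about how such an override would be exposed, not that library's API.</div>

```python
"""RFC 7519 section 4.1.3 'aud' validation applied to a software statement.

Added example; not code from the mailing-list thread or from jose4j.
All identifiers below (issuer, client, AS) are constructed for the demo.
"""
import base64
import json


class InvalidAudience(Exception):
    """Raised when the recipient is not listed in the JWT's aud claim."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_demo_jwt(claims: dict) -> str:
    """Build a compact-form JWT with a placeholder signature (constructed, unverifiable)."""
    header = {"alg": "RS256", "typ": "JWT"}
    segments = [
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"placeholder-signature-not-verified"),  # constructed
    ]
    return ".".join(segments)


def claims_from_jwt(token: str) -> dict:
    """Return the claim set of a compact JWT WITHOUT verifying its signature.

    Signature verification is out of scope for this example; a real verifier
    must check the signature before trusting any claim, aud included.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_audience(claims: dict, recipient: str, *, skip_aud_check: bool = False) -> bool:
    """Apply the RFC 7519 section 4.1.3 rule on behalf of `recipient`.

    - aud absent: the rule does not apply, so this check passes.
    - aud present (a string or an array of strings): `recipient` MUST be one of
      the listed values, otherwise the JWT MUST be rejected.
    - skip_aud_check is an assumed, explicit opt-in override (never the default),
      mirroring the kind of knob the thread says jose4j exposes.
    """
    if skip_aud_check:
        return True
    if "aud" not in claims:
        return True
    aud = claims["aud"]
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or not all(isinstance(a, str) for a in audiences):
        raise InvalidAudience("aud must be a string or an array of strings")
    if recipient not in audiences:
        raise InvalidAudience(f"{recipient!r} is not in aud {audiences!r}")
    return True


def software_statement_decision(token: str, as_identifier: str) -> str:
    """What a registration endpoint identified by `as_identifier` does under the strict rule."""
    claims = claims_from_jwt(token)
    try:
        check_audience(claims, as_identifier)
        return "accept"
    except InvalidAudience:
        return "reject"


# Constructed software statement: its issuer set aud to the *client*, as in the
# scenario in the thread, so no authorization server is listed as a recipient.
SOFTWARE_STATEMENT_CLAIMS = {
    "iss": "https://software-issuer.example",  # constructed
    "sub": "client-software-1234",             # constructed
    "aud": "https://client.example",           # the client, not an AS
    "software_id": "client-software-1234",     # constructed
}
SOFTWARE_STATEMENT = make_demo_jwt(SOFTWARE_STATEMENT_CLAIMS)
AS_ID = "https://as.example"  # constructed identifier of the receiving AS

if __name__ == "__main__":
    # Strict RFC 7519 handling rejects the statement at every AS; only an
    # explicit override lets it through.
    print("strict:", software_statement_decision(SOFTWARE_STATEMENT, AS_ID))
    print("override:", check_audience(SOFTWARE_STATEMENT_CLAIMS, AS_ID, skip_aud_check=True))
```

<div>Run stand-alone, the strict path reports <code>reject</code> for every AS identifier that is not the client, which is exactly the compliance tension the question raises: a library that cannot be told to skip the check will refuse such a software statement, and one that can be told to skip it is making a policy exception that should be a deliberate, visible configuration rather than a silent default.</div>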