[Openid-specs-heart] Review of OIDC security profile
Sarah Squire
sarah at engageidentity.com
Sat Nov 28 19:26:04 UTC 2015
Throughout:
- Replace mitre.org with example.com in examples.

1.
- We should provide a reference for Draft Profiles for the use of OAuth 2.0.

2.
- We need to spell out and reference JWK, since this is the first mention of it.
- Making the iss and aud fields mandatory may present issues with the blinding capabilities of potential iGov implementations.

3.
- “Servers MUST support the UserInfo Endpoint and, at a minimum, the openid scope and sub (subject) claims returned from there for all users.” That’s a super awkward sentence. Can we just remove “returned from there for all users” since that is redundant information?
- JOSE should reference the relevant RFC.

4.
- Unusual wording. “Servers MUST accept request objects encrypted to the server’s public key.” I think most people would say “Servers MUST accept request objects encrypted with the server’s public key.”
- request_uri should be wearing spanx.

5.
- Should acr and amr be wearing spanx?
- Do we want to mention VoT here?
- “The specific values must be agreed upon and understood between the OpenID Provider and any Relying Parties. FICAM has not yet published standard values that would be suitable for this field, so interconnected partners will need to agree to common values for this claim.” That’s unclear, because the “must” isn’t normative, nor is “will need to”. Do we actually want to require these two parties to somehow *waves hands* know what language to speak? An example might be helpful here, and/or just focus this section on the provider and what the provider has to do and leave out the part about “agreed upon and understood” altogether.

6.
- OAuth Token Introspection is now RFC 7662.
- OAuth Token Revocation is now RFC 7009.
- JWK should reference RFC 7517.

References:
- JWA is now RFC 7518.
- JWE is now RFC 7516.
- JWK is now RFC 7517.
- JWS is now RFC 7515.
- JWT is now RFC 7519.
- OAuth.Registration is now RFC 7591.
- Add references to RFC 7662 and RFC 7009 (introspection and revocation).
Sarah Squire
Engage Identity
http://engageidentity.com