[Openid-specs-heart] Review of OIDC security profile

Sarah Squire sarah at engageidentity.com
Sat Nov 28 19:26:04 UTC 2015


Throughout

Replace mitre.org with example.com in examples

1.

We should provide a reference for Draft Profiles for the use of OAuth 2.0

2.

We need to spell out and reference JWK, since this is the first mention of
it.

Making the iss and aud fields mandatory may present issues with the
blinding capabilities of potential iGov implementations.

3.

“Servers MUST support the UserInfo Endpoint and, at a minimum, the openid
scope and sub(subject) claims returned from there for all users.” That’s a
super awkward sentence. Can we just remove “returned from there for all
users” since that is redundant information?

JOSE should reference the relevant RFC.

4.

Unusual wording. “Servers MUST accept request objects encrypted to the
server’s public key.” I think most people would say “Servers MUST accept
request objects encrypted with the server’s public key.”

request_uri should be wearing spanx

5.

Should acr and amr be wearing spanx?

Do we want to mention VoT here?

“The specific values must be agreed upon and understood between the OpenID
Provider and any Relying Parties. FICAM has not yet published standard
values that would be suitable for this field, so interconnected partners
will need to agree to common values for this claim.” That’s unclear,
because the “must” isn’t normative, nor is “will need to”. Do we actually
want to require these two parties to somehow *waves hands* know what
language to speak? An example might be helpful here, and/or just focus this
section on the provider and what the provider has to do and leave out the
part about “agreed upon and understood” altogether.

6.

OAuth Token Introspection is now RFC 7662

OAuth Token Revocation is now RFC 7009

JWK should reference RFC 7517

References

JWA is now RFC 7518

JWE is now RFC 7516

JWK is now RFC 7517

JWS is now RFC 7515

JWT is now RFC 7519

OAuth.Registration is now RFC 7591

Add references to RFC 7662 and RFC 7009 (introspection and revocation)


Sarah Squire
Engage Identity
http://engageidentity.com
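Added example, not part of the mailing-list post above: the comment on item 2 concerns making the iss and aud claims mandatory, so this is a minimal Relying Party-side check that verifies a compact JWS (RFC 7515) ID Token and rejects it outright when iss or aud is absent, rather than merely skipping the comparison. It uses HS256 (RFC 7518) with a shared secret so it runs with only the standard library; a deployment following the profile would use the OP's asymmetric key from its JWK Set (RFC 7517) instead. The secret, issuer, client_id and claim values are constructed for illustration.

```python
"""Minimal ID Token verifier treating iss and aud as mandatory claims.

Added example code (HS256 over a shared secret, standard library only);
all names and values below are constructed, not taken from any spec or OP.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed values: an RP would obtain these from its client registration
# (RFC 7591) and the OP's discovery document.
SHARED_SECRET = b"example-client-secret"
EXPECTED_ISSUER = "https://op.example.com"
EXPECTED_AUDIENCE = "client-123"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Produce a compact JWS over a JSON claim set with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


def verify_id_token(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Verify the signature, then the mandatory claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose it (rejects "none" and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # iss and aud are mandatory per the profile text under review (sub and exp are
    # already required of ID Tokens by OpenID Connect Core): absence is a hard failure.
    for required in ("iss", "aud", "sub", "exp"):
        if required not in claims:
            raise ValueError("missing required claim: " + required)
    if claims["iss"] != issuer:
        raise ValueError("issuer mismatch")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if audience not in aud:
        raise ValueError("audience mismatch")
    current = time.time() if now is None else now
    if current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    good = sign_hs256(
        {"iss": EXPECTED_ISSUER, "sub": "alice", "aud": EXPECTED_AUDIENCE, "exp": int(time.time()) + 300},
        SHARED_SECRET,
    )
    print(verify_id_token(good, SHARED_SECRET, EXPECTED_ISSUER, EXPECTED_AUDIENCE)["sub"])
    no_aud = sign_hs256({"iss": EXPECTED_ISSUER, "sub": "alice", "exp": int(time.time()) + 300}, SHARED_SECRET)
    try:
        verify_id_token(no_aud, SHARED_SECRET, EXPECTED_ISSUER, EXPECTED_AUDIENCE)
    except ValueError as err:
        print("rejected:", err)
```

The check is deliberately strict about the algorithm header and about claim presence; the blinding concern raised in item 2 is exactly that an OP which wants to hide the audience or issuer from an intermediary cannot pass a verifier written this way.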