[Openid-specs-heart] Review of OIDC security profile

Justin Richer jricher at MIT.EDU
Wed Dec 2 01:58:19 UTC 2015


Once again, thanks for the thorough review. I’ve incorporated pretty much everything below into the profiles.

 — Justin

> On Nov 28, 2015, at 2:26 PM, Sarah Squire <sarah at engageidentity.com> wrote:
> 
> Throughout
> Replace mitre.org with example.com in examples
> 
> 1.
> We should provide a reference for Draft Profiles for the use of OAuth 2.0
> 
> 2.
> We need to spell out and reference JWK, since this is the first mention of it.
> Making the iss and aud fields mandatory may present issues with the blinding capabilities of potential iGov implementations.
> 
> 3.
> “Servers MUST support the UserInfo Endpoint and, at a minimum, the openid scope and sub(subject) claims returned from there for all users.” That’s a super awkward sentence. Can we just remove “returned from there for all users” since that is redundant information?
> JOSE should reference the relevant RFC.
> 
> 4.
> Unusual wording. “Servers MUST accept request objects encrypted to the server’s public key.” I think most people would say “Servers MUST accept request objects encrypted with the server’s public key.”
> request_uri should be wearing spanx
> 
> 5.
> Should acr and amr be wearing spanx?
> Do we want to mention VoT here?
> “The specific values must be agreed upon and understood between the OpenID Provider and any Relying Parties. FICAM has not yet published standard values that would be suitable for this field, so interconnected partners will need to agree to common values for this claim.” That’s unclear, because the “must” isn’t normative, nor is “will need to”. Do we actually want to require these two parties to somehow *waves hands* know what language to speak? An example might be helpful here, and/or just focus this section on the provider and what the provider has to do and leave out the part about “agreed upon and understood” altogether.
> 
> 6.
> OAuth Token Introspection is now RFC 7662
> OAuth Token Revocation is now RFC 7009
> JWK should reference RFC 7517
> 
> References
> JWA is now RFC 7518
> JWE is now RFC 7516
> JWK is now RFC 7517
> JWS is now RFC 7515
> JWT is now RFC 7519
> OAuth.Registration is now RFC 7591
> Add references to RFC 7662 and RFC 7009 (introspection and revocation)
> 
> 
> Sarah Squire
> Engage Identity
> http://engageidentity.com
