[Openid-specs-mobile-profile] New Version of Account Migration Draft
Torsten.Lodderstedt at telekom.de
Tue Aug 2 07:18:31 UTC 2016
From: Nennker, Axel
Sent: Friday, 29 July 2016 18:04
To: Lodderstedt, Torsten; openid-specs-mobile-profile at lists.openid.net
Subject: RE: New Version of Account Migration Draft
I would change "The RP first validates the digital signature of the migration data JWT. It therefore looks up the old OP's openid configuration as defined in [OpenID.Discovery] using the "iss" sub claim of the claim "from" and uses it to obtain the location of the old OP's JSON Web Key Set [RFC7517] (containing the respective public keys of the OP)."
"The RP MUST first validate the digital signature of the migration data JWT. It therefore looks up the old OP's openid configuration as defined in [OpenID.Discovery] using the "iss" sub claim of the claim "from" and uses it to obtain the location of the old OP's JSON Web Key Set [RFC7517] (containing the respective public keys of the OP)."
Furthermore, I would like to suggest removing the jwks example, because how the signature validation is done is not really important to Account Migration.
The text I would remove is below.
TL: I thought this text would be helpful for readers. What do other WG members think?
For example, given the issuer URL https://op.mno1.com, the new OP would obtain the following OpenID configuration of the old OP from https://op.mno1.com/.well-known/openid-configuration (line breaks are for display purposes only):
HTTP/1.1 200 OK
It then loads the public key material, which could for example look like this (line breaks are for display purposes only):
Note: the appropriate key required for a particular migration data JWT is identified by the key identifier (kid).
From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Lodderstedt, Torsten
Sent: Tuesday, July 19, 2016 1:30 PM
To: openid-specs-mobile-profile at lists.openid.net
Subject: [Openid-specs-mobile-profile] New Version of Account Migration Draft
I just published -01 of the account migration draft at openid.net (http://openid.net/wordpress-content/uploads/2014/04/draft-account-migration-01.html). The source code can be found in our Bitbucket repo.
This is a significant rewrite of the specification based on your valuable feedback. Thank you! Although I tried to incorporate all review comments, please bear with me if I missed a comment. Please let me know, so I can incorporate it in the next revision.
I applied the following changes to the document:
* reorganized the draft
* extended introduction and overview
* stated scope of the draft and what is currently out of scope
* changed terminology from porting to migration
* changed migration data structure to be different from an id token
* cleaned up references
* added initial security considerations
Please post your feedback to the list.
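The RP-side validation that the quoted draft paragraph describes (discovery via the "iss" of the "from" claim, jwks_uri lookup, key selection by kid, signature check), written out as an added Go example; this is not code from the draft or from any WG member. It assumes the migration data JWT is an RS256-signed compact JWS and that a hypothetical Fetcher type supplies the HTTPS GET; beyond the draft text it also refuses any alg other than RS256 and cross-checks the discovery document's issuer against from.iss, since both are where JWT validation usually goes wrong.

```go
package main
import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)
// Fetcher stands in for an HTTPS GET of a URL; callers supply the real transport (hypothetical type).
type Fetcher func(url string) ([]byte, error)
func dec(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
// VerifyMigrationJWT performs the RP-side steps from the draft text: take the old OP's issuer
// from the "from" claim, fetch its openid-configuration, load the JWKS from jwks_uri, select
// the key named by the header "kid" and check the RS256 signature. Returns the payload claims.
func VerifyMigrationJWT(token string, fetch Fetcher) (map[string]any, error) {
	get := func(url string, v any) error {
		b, err := fetch(url)
		if err != nil { return err }
		return json.Unmarshal(b, v)
	}
	p := strings.Split(token, ".")
	if len(p) != 3 { return nil, errors.New("not a compact JWS") }
	var hdr struct{ Alg, Kid string }
	var body struct{ From struct{ Iss string } }
	if json.Unmarshal(dec(p[0]), &hdr) != nil || json.Unmarshal(dec(p[1]), &body) != nil {
		return nil, errors.New("malformed header or payload")
	}
	if hdr.Alg != "RS256" { return nil, errors.New("unexpected alg " + hdr.Alg) } // the token must not choose the algorithm
	iss := body.From.Iss
	if !strings.HasPrefix(iss, "https://") || strings.ContainsAny(iss, "?#") { return nil, errors.New("bad issuer " + iss) }
	var cfg struct{ Issuer string; JwksURI string `json:"jwks_uri"` }
	if err := get(strings.TrimSuffix(iss, "/")+"/.well-known/openid-configuration", &cfg); err != nil { return nil, err }
	if cfg.Issuer != iss { return nil, errors.New("discovery document issuer does not match from.iss") }
	var set struct{ Keys []struct{ Kty, Kid, Use, N, E string } }
	if err := get(cfg.JwksURI, &set); err != nil { return nil, err }
	var pub *rsa.PublicKey
	for _, k := range set.Keys { // the kid in the JWT header identifies the key to use
		if k.Kid == hdr.Kid && k.Kty == "RSA" && (k.Use == "" || k.Use == "sig") {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(dec(k.N)), E: int(new(big.Int).SetBytes(dec(k.E)).Int64())}
		}
	}
	if pub == nil { return nil, errors.New("no RSA signing key with kid " + hdr.Kid) }
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], dec(p[2])); err != nil { return nil, errors.New("signature invalid") }
	var claims map[string]any
	return claims, json.Unmarshal(dec(p[1]), &claims)
}
```

The constructed fixture in the test stands in for https://op.mno1.com; a real deployment would also bound the clock-based claims the draft defines.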