[Openid-specs-mobile-profile] New Version of Account Migration Draft
Axel.Nennker at telekom.de
Tue Aug 2 08:47:35 UTC 2016
Regarding the example jwks:
Helpfulness depends on what the reader already knows. The knowledgeable reader might even wonder why the example is here when it provides little or no new information.
The examples in e.g. https://tools.ietf.org/html/rfc7517#appendix-A already show what a JWKS looks like, and that kid is used to distinguish the keys is not helpful enough in my opinion.
I think that data structures defined in this draft should have examples.
From: Lodderstedt, Torsten
Sent: Tuesday, August 02, 2016 9:19 AM
To: Nennker, Axel; openid-specs-mobile-profile at lists.openid.net
Subject: RE: New Version of Account Migration Draft
From: Nennker, Axel
Sent: Friday, July 29, 2016 18:04
To: Lodderstedt, Torsten; openid-specs-mobile-profile at lists.openid.net
Subject: RE: New Version of Account Migration Draft
I would change "The RP first validates the digital signature of the migration data JWT. It therefore looks up the old OP's openid configuration as defined in [OpenID.Discovery]<http://xml2rfc.ietf.org/cgi-bin/xml2rfc.cgi#OpenID.Discovery> using the "iss" sub claim of the claim "from" and uses it to obtain the location of the old OP's JSON Web Key Set [RFC7517]<http://xml2rfc.ietf.org/cgi-bin/xml2rfc.cgi#RFC7517> (containing the respective public keys of the OP)."
"The RP MUST first validate the digital signature of the migration data JWT. It therefore looks up the old OP's openid configuration as defined in [OpenID.Discovery]<http://xml2rfc.ietf.org/cgi-bin/xml2rfc.cgi#OpenID.Discovery> using the "iss" sub claim of the claim "from" and uses it to obtain the location of the old OP's JSON Web Key Set [RFC7517]<http://xml2rfc.ietf.org/cgi-bin/xml2rfc.cgi#RFC7517> (containing the respective public keys of the OP)."
Furthermore, I would like to suggest removing the jwks example, because how the signature validation is done is not really important to Account Migration.
The text I would remove is below.
TL: I thought this text would be helpful for readers. What do other WG members think?
For example, given the issuer URL https://op.mno1.com, the new OP would obtain the following OpenID configuration of the old OP from https://op.mno1.com/.well-known/openid-configuration (line breaks are for display purposes only):
HTTP/1.1 200 OK
It then loads the public key material, which could for example look like this (line breaks are for display purposes only):
Note: the appropriate key required for a particular migration data JWT is identified by the key identifier (kid).
From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Lodderstedt, Torsten
Sent: Tuesday, July 19, 2016 1:30 PM
To: openid-specs-mobile-profile at lists.openid.net
Subject: [Openid-specs-mobile-profile] New Version of Account Migration Draft
I just published -01 of the account migration draft at openid.net (http://openid.net/wordpress-content/uploads/2014/04/draft-account-migration-01.html). The source code can be found in our Bitbucket repo.
This is a significant rewrite of the specification based on your valuable feedback. Thank you! Although I tried to incorporate all review comments, please bear with me if I missed a comment. Please let me know, so I can incorporate it in the next revision.
I applied the following changes to the document:
* reorganized the draft
* extended introduction and overview
* stated scope of the draft and what is currently out of scope
* changed terminology from porting to migration
* changed migration data structure to be different from an id token
* cleaned up references
* added initial security considerations
Please post your feedback to the list.
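The validation step discussed in this thread (read the "iss" sub-claim of "from", look up the old OP's openid-configuration, follow jwks_uri, select the key by kid, verify the signature before trusting any claim), as an added worked example written for this thread. It is not code from the draft, the working group, or any OP implementation. To run on the Python standard library alone it uses HS256 with an "oct" JWK; a real OP publishes asymmetric public keys (e.g. RS256) in its JWKS, but the discovery, kid selection and acceptance checks are the same. The issuer URL is the one from the quoted draft text; the discovery documents, key material, key identifiers, and the "sub" inside "from" are constructed assumptions.

```python
# Added illustration for this thread (not code from the draft): an RP
# validating a migration data JWT via discovery of the old OP and a JWKS
# kid lookup. HS256/"oct" stands in for the OP's asymmetric public keys
# so that the example runs with the standard library only.
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed stand-ins for the documents the RP would fetch over HTTPS.
OLD_OP_ISSUER = "https://op.mno1.com"
OLD_OP_KEYS = {"2016-07": b"constructed-key-material-2016-07",
               "2016-08": b"constructed-key-material-2016-08"}
DOCUMENTS = {
    OLD_OP_ISSUER + "/.well-known/openid-configuration": {
        "issuer": OLD_OP_ISSUER,
        "jwks_uri": OLD_OP_ISSUER + "/jwks",
    },
    OLD_OP_ISSUER + "/jwks": {
        "keys": [{"kty": "oct", "alg": "HS256", "kid": kid, "k": b64url_encode(k)}
                 for kid, k in OLD_OP_KEYS.items()]
    },
}
ALLOWED_ALGS = {"HS256"}  # an RP lists exactly the algorithms it accepts; "none" never qualifies


def fetch_json(url: str) -> dict:
    """Stand-in for an HTTPS GET; only the constructed URLs above exist."""
    if url not in DOCUMENTS:
        raise LookupError("no such document: " + url)
    return DOCUMENTS[url]


def sign_jws_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Old-OP side: mint a compact JWS over header and payload."""
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def validate_migration_jwt(token: str) -> dict:
    """RP side: verify the signature before trusting any claim; return the payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    payload = json.loads(b64url_decode(p64))          # untrusted until verified
    alg, kid = header.get("alg"), header.get("kid")
    if alg not in ALLOWED_ALGS:
        raise ValueError("unsupported alg: %r" % (alg,))
    if not isinstance(kid, str):
        raise ValueError("header lacks kid")
    iss = payload.get("from", {}).get("iss")          # names the old OP
    if not isinstance(iss, str) or not iss.startswith("https://") or "?" in iss or "#" in iss:
        raise ValueError("invalid from.iss")
    config = fetch_json(iss.rstrip("/") + "/.well-known/openid-configuration")
    if config.get("issuer") != iss:                   # discovery doc must belong to that issuer
        raise ValueError("issuer mismatch in discovery document")
    matches = [k for k in fetch_json(config["jwks_uri"])["keys"] if k.get("kid") == kid]
    if len(matches) != 1:
        raise LookupError("no unique key for kid %r" % kid)
    jwk = matches[0]
    if jwk.get("kty") != "oct" or jwk.get("alg", alg) != alg:
        raise ValueError("key does not match alg %s" % alg)
    expected = hmac.new(b64url_decode(jwk["k"]), (h64 + "." + p64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("signature verification failed")
    return payload


def outcome(token: str) -> str:
    """'ok' if the token validates, otherwise the rejection reason."""
    try:
        validate_migration_jwt(token)
        return "ok"
    except (ValueError, LookupError) as exc:
        return str(exc)


# Constructed migration data; "sub" inside "from" is an assumption about the draft's layout.
PAYLOAD = {"from": {"iss": OLD_OP_ISSUER, "sub": "alice-at-old-op"}}


def mint(kid: str, key: bytes, alg: str = "HS256", payload: dict = PAYLOAD) -> str:
    return sign_jws_hs256({"alg": alg, "kid": kid, "typ": "JWT"}, payload, key)


if __name__ == "__main__":
    print("good token:       ", outcome(mint("2016-08", OLD_OP_KEYS["2016-08"])))
    print("forged signature: ", outcome(mint("2016-08", b"not-the-op-key")))
    print("unknown kid:      ", outcome(mint("2015-01", OLD_OP_KEYS["2016-08"])))
    print("alg none:         ", outcome(mint("2016-08", b"", alg="none")))
```

The order of checks is the point: the alg allow-list is applied before any key lookup, the discovery document's issuer must equal the iss it was fetched for, the kid must match exactly one key, and the payload is only returned after a constant-time signature comparison succeeds.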