[security] OIC self-issued mode is insecure
Manger, James
James.H.Manger at team.telstra.com
Tue Mar 4 03:49:56 UTC 2014
> OPs would still send "sub", since the pair ("iss", "sub") is the
> universal account identifier for OpenID Connect. It would just be
> computed in the specified manner.
I don't think that follows, Mike.
OP sends sub_jwk; RP calculates sub; now RP has {iss,sub} to use as universal account id, regardless of whether sub was also transmitted. Better to save some bytes, and eliminate an error condition (sub and sub_jwk mismatching).
--
James Manger
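As an added example (not code from this thread or from the OpenID Connect project), here is how an RP can derive sub from sub_jwk the way OpenID Connect Core specifies for self-issued OPs (the RFC 7638 JWK thumbprint) and reject a transmitted sub that disagrees with it. The sample key, its coordinates and the issuer URL are constructed placeholders.

```python
"""Self-issued OpenID Connect: derive sub from sub_jwk and detect a mismatch."""
import base64
import hashlib
import json

# RFC 7638: the thumbprint covers only the required public members of each key type,
# serialised as JSON with lexicographically sorted member names and no whitespace.
_REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def jwk_thumbprint(jwk):
    """Return base64url(SHA-256(canonical JSON of the required members)), unpadded."""
    try:
        members = _REQUIRED_MEMBERS[jwk["kty"]]
    except KeyError as exc:
        raise ValueError("unsupported or missing kty in sub_jwk") from exc
    canonical = {name: jwk[name] for name in members}  # KeyError if a member is absent
    encoded = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")
    digest = hashlib.sha256(encoded).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def derive_account_id(claims):
    """Return the (iss, sub) pair the RP should use, with sub computed from sub_jwk.

    A transmitted "sub" is redundant; if present it must equal the derived value,
    otherwise the token is rejected. This is the mismatch error condition that
    omitting "sub" would remove entirely.
    """
    if "sub_jwk" not in claims:
        raise ValueError("self-issued ID token lacks sub_jwk")
    derived = jwk_thumbprint(claims["sub_jwk"])
    transmitted = claims.get("sub")
    if transmitted is not None and transmitted != derived:
        raise ValueError("sub does not match the thumbprint of sub_jwk")
    return claims["iss"], derived


# Constructed sample (not a real key): an EC public JWK with placeholder coordinates.
# The extra "use" member is deliberately present; it must not affect the thumbprint.
SAMPLE_SUB_JWK = {
    "kty": "EC", "crv": "P-256", "use": "sig",
    "x": "constructed-x-coordinate-placeholder-not-a-real-point",
    "y": "constructed-y-coordinate-placeholder-not-a-real-point",
}
SAMPLE_CLAIMS = {"iss": "https://op.example", "sub_jwk": SAMPLE_SUB_JWK}
```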