[Openid-specs-ab] Registration: Additional JWE parameters for OpenID request object?

Vladimir Dzhuvinov / NimbusDS vladimir at nimbusds.com
Thu Nov 22 05:12:56 UTC 2012 

Thanks Mike, the discovery parameters do indeed provide for that.

Should we define a default true/false value for
request_object_signing_alg?

Vladimir

--
Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com




-------- Original Message --------
Subject: RE: [Openid-specs-ab] Registration: Additional JWE parameters
for OpenID request object?
From: Mike Jones <Michael.Jones at microsoft.com>
Date: Wed, November 21, 2012 10:19 pm
To: Vladimir Dzhuvinov / NimbusDS <vladimir at nimbusds.com>,
"openid-specs-ab at lists.openid.net" <openid-specs-ab at lists.openid.net>


We do have these parameters already for saying what the server will
accept:
 request_object_signing_alg_values_supported
 request_object_encryption_alg_values_supported
 request_object_encryption_enc_values_supported

We also have this parameter for requiring that the server only accept
signed request objects:
 request_object_signing_alg


Given that the RP can know what kinds of encrypted requests the server
can accept, and it can tell the server to only accept signed requests,
it seems OK to leave it up to the RP whether to send encrypted requests
or not. I understand the symmetry argument for these parameters, but I'm
not sure they're actually useful enough to be worth adding.

Or does anyone really believe that we need to have the OP reject
requests that are not encrypted?

 -- Mike

-----Original Message-----
From: openid-specs-ab-bounces at lists.openid.net
[mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Vladimir
Dzhuvinov / NimbusDS
Sent: Monday, November 05, 2012 10:09 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Registration: Additional JWE parameters for
OpenID request object?

Thank you guys for going through the reg issues I posted yesterday.

The spec says that the OpenID request object can also be signed. Should
we then also have optional reg parameters for specifying JWE alg and
enc?

I.e. 

signed_request_object_alg
encrypted_request_object_alg
encrypted_request_object_enc

following the same pattern for the ID Token and UserInfo JWS/JWE
parameters:

id_token_signed_response_alg
id_token_encrypted_response_alg
id_token_encrypted_response_enc

userinfo_signed_response_alg
userinfo_encrypted_response_alg
userinfo_encrypted_response_enc


(I suppose the *_int is going to go away to match the latest JOSE
changes).


Thanks,

Vladimir

--
Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab

More information about the Openid-specs-ab mailing list