[Openid-specs-ab] Registration: Additional JWE parameters for OpenID request object?

Mike Jones Michael.Jones at microsoft.com
Fri Nov 30 05:57:52 UTC 2012


It's not a Boolean - it's an algorithm identifier value.

				-- Mike

-----Original Message-----
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Vladimir Dzhuvinov / NimbusDS
Sent: Wednesday, November 21, 2012 9:13 PM
To: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Registration: Additional JWE parameters for OpenID request object?

Thanks Mike, the discovery parameters do indeed provide for that.

Should we define a default true/false value for request_object_signing_alg?

Vladimir

--
Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com




-------- Original Message --------
Subject: RE: [Openid-specs-ab] Registration: Additional JWE parameters for OpenID request object?
From: Mike Jones <Michael.Jones at microsoft.com>
Date: Wed, November 21, 2012 10:19 pm
To: Vladimir Dzhuvinov / NimbusDS <vladimir at nimbusds.com>, "openid-specs-ab at lists.openid.net" <openid-specs-ab at lists.openid.net>


We do have these parameters already for saying what the server will accept:
 request_object_signing_alg_values_supported
 request_object_encryption_alg_values_supported
 request_object_encryption_enc_values_supported

We also have this parameter for requiring that the server only accept signed request objects:
 request_object_signing_alg


Given that the RP can know what kinds of encrypted requests the server can accept, and it can tell the server to only accept signed requests, it seems OK to leave it up to the RP whether to send encrypted requests or not. I understand the symmetry argument for these parameters, but I'm not sure they're actually useful enough to be worth adding.

Or does anyone really believe that we need to have the OP reject requests that are not encrypted?

 -- Mike

-----Original Message-----
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Vladimir Dzhuvinov / NimbusDS
Sent: Monday, November 05, 2012 10:09 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Registration: Additional JWE parameters for OpenID request object?

Thank you guys for going through the reg issues I posted yesterday.

The spec says that the OpenID request object can also be signed. Should we then also have optional reg parameters for specifying JWE alg and enc?

I.e. 

signed_request_object_alg
encrypted_request_object_alg
encrypted_request_object_enc

following the same pattern for the ID Token and UserInfo JWS/JWE parameters:

id_token_signed_response_alg
id_token_encrypted_response_alg
id_token_encrypted_response_enc

userinfo_signed_response_alg
userinfo_encrypted_response_alg
userinfo_encrypted_response_enc


(I suppose the *_int is going to go away to match the latest JOSE changes).


Thanks,

Vladimir

--
Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab
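
The OP-side policy discussed in this thread, as an added Python example that is not part of the original messages or of any OpenID implementation: the header `alg` of an incoming request object is checked against the OP's `request_object_signing_alg_values_supported` and against the algorithm identifier the client registered as `request_object_signing_alg`. The function names, the metadata values and the sample request objects are constructed; it is assumed that a client with no registered value may send an unsigned (`alg` of `none`) request object, and that this check runs before signature verification.

```python
import base64
import json

# Constructed sample of the OP's discovery metadata.
OP = {"request_object_signing_alg_values_supported": ["RS256", "ES256", "none"]}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_jws(header: bytes) -> str:
    """Constructed compact JWS with a placeholder signature (demo input)."""
    sig = "" if b'"none"' in header else b64url(b"placeholder")
    return ".".join([b64url(header), b64url(b'{"client_id":"client-123"}'), sig])


def check_request_object(compact: str, client: dict, op: dict = OP):
    """Header policy check run before signature verification.

    Returns (accepted, reason).
    """
    parts = compact.split(".")
    if len(parts) == 5:
        # JWE: encryption is the RP's choice, so decrypt and re-check the inner JWS.
        return False, "encrypted: decrypt, then check the inner JWS"
    if len(parts) != 3:
        return False, "not a compact JWS"
    try:
        seg = parts[0]
        header = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
        alg = header["alg"]
    except (ValueError, KeyError, TypeError):
        return False, "unreadable header"
    if alg not in op["request_object_signing_alg_values_supported"]:
        return False, f"alg {alg!r} not supported by this OP"
    required = client.get("request_object_signing_alg")  # an alg name, not a flag
    if required is not None and alg != required:
        return False, f"client registered {required!r}, got {alg!r}"
    return True, "header policy satisfied"
```
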