[Openid-specs-ab] Registration: Additional JWE parameters for OpenID request object?
John Bradley
ve7jtb at ve7jtb.com
Fri Nov 30 13:22:00 UTC 2012
Yes, if you don't specify the parameter, signing is not required by the server. If you do specify it, the alg specified is the one that must be used.
On 2012-11-30, at 2:57 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> It's not a Boolean - it's an algorithm identifier value.
>
> -- Mike
>
> -----Original Message-----
> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Vladimir Dzhuvinov / NimbusDS
> Sent: Wednesday, November 21, 2012 9:13 PM
> To: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] Registration: Additional JWE parameters for OpenID request object?
>
> Thanks Mike, the discovery parameters do indeed provide for that.
>
> Should we define a default true/false value for request_object_signing_alg?
>
> Vladimir
>
> --
> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
>
>
>
>
> -------- Original Message --------
> Subject: RE: [Openid-specs-ab] Registration: Additional JWE parameters for OpenID request object?
> From: Mike Jones <Michael.Jones at microsoft.com>
> Date: Wed, November 21, 2012 10:19 pm
> To: Vladimir Dzhuvinov / NimbusDS <vladimir at nimbusds.com>, "openid-specs-ab at lists.openid.net" <openid-specs-ab at lists.openid.net>
>
>
> We do have these parameters already for saying what the server will
> accept:
> request_object_signing_alg_values_supported
> request_object_encryption_alg_values_supported
> request_object_encryption_enc_values_supported
>
> We also have this parameter for requiring that the server only accept signed request objects:
> request_object_signing_alg
>
>
> Given that the RP can know what kinds of encrypted requests the server can accept, and it can tell the server to only accept signed requests, it seems OK to leave it up to the RP whether to send encrypted requests or not. I understand the symmetry argument for these parameters, but I'm not sure they're actually useful enough to be worth adding.
>
> Or does anyone really believe that we need to have the OP reject requests that are not encrypted?
>
> -- Mike
>
> -----Original Message-----
> From: openid-specs-ab-bounces at lists.openid.net
> [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Vladimir Dzhuvinov / NimbusDS
> Sent: Monday, November 05, 2012 10:09 PM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] Registration: Additional JWE parameters for OpenID request object?
>
> Thank you guys for going through the reg issues I posted yesterday.
>
> The spec says that the OpenID request object can also be signed. Should we then also have optional reg parameters for specifying JWE alg and enc?
>
> I.e.
>
> signed_request_object_alg
> encrypted_request_object_alg
> encrypted_request_object_enc
>
> following the same pattern for the ID Token and UserInfo JWS/JWE
> parameters:
>
> id_token_signed_response_alg
> id_token_encrypted_response_alg
> id_token_encrypted_response_enc
>
> userinfo_signed_response_alg
> userinfo_encrypted_response_alg
> userinfo_encrypted_response_enc
>
>
> (I suppose the *_int is going to go away to match the latest JOSE changes).
>
>
> Thanks,
>
> Vladimir
>
> --
> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
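The rule in the reply at the top of this thread, as an added example that is not part of the original messages or of the OpenID specifications: an OP-side check of a request object's JWS `alg` header against the client's registered `request_object_signing_alg`. The function names, the `OP_SUPPORTED` list and the sample request objects are constructed for illustration, and accepting `alg: none` or any OP-advertised algorithm when nothing is registered is an assumption about how to read "signing is not required".

```python
import base64
import json

# Constructed OP discovery value (request_object_signing_alg_values_supported).
OP_SUPPORTED = ["RS256", "ES256", "HS256"]

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def header_alg(request_object: str) -> str:
    """Return the 'alg' header of a compact JWS request object."""
    parts = request_object.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    seg = parts[0]
    try:
        header = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    except ValueError as exc:
        raise ValueError("undecodable JWS header") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str):
        raise ValueError("missing alg header")
    return alg

def check_request_object_alg(request_object: str, client: dict) -> str:
    """Apply the registration rule from the thread; returns the accepted alg.

    Signature verification itself is out of scope and must still follow.
    """
    alg = header_alg(request_object)
    registered = client.get("request_object_signing_alg")
    if registered is not None:
        # Registered: only that exact alg is acceptable, so "none" or a
        # different algorithm is refused before any key is touched.
        if alg != registered:
            raise ValueError(f"alg {alg!r} != registered {registered!r}")
        return alg
    # Not registered: signing is optional, but a signed object must still
    # use an algorithm the OP advertises.
    if alg != "none" and alg not in OP_SUPPORTED:
        raise ValueError(f"alg {alg!r} not supported by OP")
    return alg

def make_sample(alg: str) -> str:
    """Constructed request object with a placeholder signature segment."""
    header = _b64url(json.dumps({"alg": alg}).encode())
    claims = _b64url(json.dumps({"client_id": "example-client"}).encode())
    return f"{header}.{claims}." + ("" if alg == "none" else "c2ln")
```

Running the check before key lookup means a client registered for `RS256` cannot be impersonated with an unsigned or differently signed request object.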