[Openid-specs-ab] Self-issued "sub" claim value ambiguity
Mike Jones
Michael.Jones at microsoft.com
Wed Jan 23 12:53:32 UTC 2013
Good catch on the parameter names - thanks. I'll fix this now.
-- Mike
From: John Bradley [mailto:ve7jtb at ve7jtb.com]
Sent: Wednesday, January 23, 2013 4:52 AM
To: Mike Jones
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Self-issued "sub" claim value ambiguity
To be consistent with JWK it should be the concatenation of the base64url encoded values.
It is probably worth mapping it to the JWK values like mod = n, exp = e we use them for EC.
On 2013-01-23, at 5:07 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:
Standard 5.5<http://openid.net/specs/openid-connect-standard-1_0.html#self_issued.validation>, list item 5 says:
The Client MUST validate that the sub (subject) value is the base64url encoded SHA-256 hash of the concatenation of the key values in the user_jwk claim. When the alg value is RS256, the key values mod and exp are concatenated in that order. When the alg value is ES256, the key values crv, x and y are concatenated in that order.
This language leaves it ambiguous whether the concatenated key values in Standard 5.5 are supposed to be the base64url encoded values or the raw key bytes. Following the precedents in the JOSE specs, I assume that we would concatenate the base64url encoded values. Unless I hear objections, I'll clarify the specs to say that.
Thanks,
-- Mike
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab
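The two readings of Standard 5.5 item 5 discussed above produce different sub values, so a client and a self-issued OP that pick different readings will never agree. The following Python is an added example, not code from the thread or from the OpenID Connect specs: it computes sub under the reading Mike Jones proposes (SHA-256 over the concatenated base64url-encoded member values) and, for contrast, under the raw-bytes reading, and shows the client-side validation step. The JWK member names follow John Bradley's mapping (mod = n, exp = e; crv, x, y for EC), dispatch is on the JWK kty member rather than the alg value as a simplification, and both sample JWKs hold constructed placeholder values, not real keys.

```python
"""Self-issued OpenID Connect "sub" validation (Standard 5.5, item 5).

Added example for the thread's ambiguity; not from the specs. Sample JWKs
below are constructed placeholders so the script runs offline.
"""
import base64
import hashlib
import hmac

# JWK members that feed the hash, per key type (spec text says mod/exp for
# RS256 and crv/x/y for ES256; mod = n and exp = e in JWK naming).
SUB_INPUT_MEMBERS = {
    "RSA": ("n", "e"),
    "EC": ("crv", "x", "y"),
}
# Members whose values are base64url strings; crv is a plain curve name.
B64URL_MEMBERS = {"n", "e", "x", "y"}


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding Python's decoder wants."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def self_issued_sub(jwk: dict) -> str:
    """Reading proposed in the thread: concatenate the base64url-ENCODED
    member values (as ASCII), SHA-256 them, base64url-encode the digest."""
    members = SUB_INPUT_MEMBERS[jwk["kty"]]
    concatenated = "".join(jwk[m] for m in members).encode("ascii")
    return b64url_encode(hashlib.sha256(concatenated).digest())


def self_issued_sub_raw_bytes(jwk: dict) -> str:
    """The other possible reading: decode each base64url member first and
    hash the raw key bytes (crv stays ASCII). Shown only to demonstrate
    that the two readings disagree; it is not the reading being adopted."""
    members = SUB_INPUT_MEMBERS[jwk["kty"]]
    parts = [
        b64url_decode(jwk[m]) if m in B64URL_MEMBERS else jwk[m].encode("ascii")
        for m in members
    ]
    return b64url_encode(hashlib.sha256(b"".join(parts)).digest())


def validate_self_issued_sub(claims: dict) -> bool:
    """Client check from Standard 5.5 item 5: recompute sub from the user_jwk
    claim and compare in constant time. Missing or unsupported members fail
    closed rather than raising."""
    try:
        expected = self_issued_sub(claims["user_jwk"])
    except KeyError:
        return False
    return hmac.compare_digest(expected, claims.get("sub", ""))


# Constructed placeholder keys (short, deterministic bytes), NOT real keys.
SAMPLE_RSA_JWK = {
    "kty": "RSA",
    "n": b64url_encode(bytes(range(1, 33))),
    "e": "AQAB",
}
SAMPLE_EC_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url_encode(bytes(range(32))),
    "y": b64url_encode(bytes(range(32, 64))),
}


if __name__ == "__main__":
    for jwk in (SAMPLE_RSA_JWK, SAMPLE_EC_JWK):
        print(jwk["kty"], "encoded-values reading:", self_issued_sub(jwk))
        print(jwk["kty"], "raw-bytes reading:     ", self_issued_sub_raw_bytes(jwk))
    token = {"sub": self_issued_sub(SAMPLE_RSA_JWK), "user_jwk": SAMPLE_RSA_JWK}
    print("validates:", validate_self_issued_sub(token))
```

Running the script prints two different sub values per key type, one per reading, which is exactly why the spec wording needs to pin down one of them; a client validating against a token minted under the other reading rejects it.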