[Openid-specs-ab] [Bitbucket] Issue #851: Messages 2.1.2.1 - Clarify that "none" is not an acceptable signature algorithm (openid/connect)

Mike Jones Michael.Jones at microsoft.com
Tue Jun 25 16:07:23 UTC 2013 

It’s a breaking change because clients currently conforming to Messages that always verify the ID Token signature would break if no signature is contained in the ID Token.

“none” is not a signature algorithm.  JWS and JWA are clear that this results in an unsigned, “plaintext JWS”, and JWT is clear that this results in a “plaintext JWT” – not a signed JWT.  Messages requires that ID Tokens be signed.  Sending an unsigned ID Token doesn’t fulfill this requirement.

This bug is about making the current meaning of the text – that ID Tokens must be signed – even more clear, so that developers who aren’t reading JWS closely won’t make the mistake of thinking that just because “none” can be used to create a JWS, that the resulting JWS is signed.  (Apparently you were one such developer – making the need for this clarification all the more evident. ☺)

                                                            -- Mike

From: Brian Campbell [mailto:issues-reply at bitbucket.org]
Sent: Tuesday, June 25, 2013 7:58 AM
To: Mike Jones
Subject: Re: [Bitbucket] Issue #851: Messages 2.1.2.1 - Clarify that "none" is not an acceptable signature algorithm (openid/connect)

[b_d_c]

Brian Campbell commented on issue #851:

Messages 2.1.2.1 - Clarify that "none" is not an acceptable signature algorithm<https://bitbucket.org/openid/connect/issue/851/messages-2121-clarify-that-none-is-not-an>


I disagree.

How would that be a breaking change? If a client is currently configured/registered for RS/EC/HS signature, how would allowing none as a different option be a breaking change?

Our implementation currently does allow none as an option (it will only send such an ID Token via the back-channel). Which is, I'll argue, a perfectly reasonable interpretation of what's been written. So explicitly disallowing it is a breaking for us.




View this issue<https://bitbucket.org/openid/connect/issue/851/messages-2121-clarify-that-none-is-not-an> or add a comment by replying to this email.


Unwatch this issue<https://bitbucket.org/openid/connect/issue/851/unwatch/mbj/f843d56eb7066d599d3972aaab0b00d200d1d4b4/> to stop receiving email updates.

[Bitbucket]<https://bitbucket.org>




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130625/62aeec47/attachment.html>

More information about the Openid-specs-ab mailing list