[Openid-specs-ab] [Bitbucket] Issue #851: Messages 2.1.2.1 - Clarify that "none" is not an acceptable signature algorithm (openid/connect)

Brian Campbell bcampbell at pingidentity.com
Thu Jun 27 19:39:22 UTC 2013


Actually id_token_signed_response_alg in Registration says that none "*MAY
NOT* be used as the ID Token alg value."  That needs to be fixed regardless
of the outcome of this conversation.

The MAY/MUST typo aside, I'd missed that piece in Registration a few months
ago when I was implementing that stuff. Or maybe it's changed since. I'm
not sure. But that's how my software works now and I'm not really in a good
position to change it. I can see reason to preclude it and I can see reason
to allow it. But I've already done the latter so I guess I'd vote for
Mike's #2.

For what it's worth, id_token_signing_alg_values_supported in Discovery
doesn't preclude none. Should it? Or is one expected to infer that from
reading Registration?

I realize the ship has already sailed on this but having normative
requirements around the same functionality scattered across so many
documents makes reading, reviewing, comprehending and implementing these
very very difficult (probably writing them too).
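An added example, not from this thread or from any OpenID implementation: a Relying Party side check that refuses an unsigned ID Token (alg "none") outright, then requires the header alg to match the client's registered id_token_signed_response_alg and to appear in the OP's id_token_signing_alg_values_supported before verifying the signature. The client secret, claims and Discovery metadata are constructed sample values, and only HS256 verification is implemented.

```python
import base64, hashlib, hmac, json

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def check_id_token(id_token, registered_alg, op_supported_algs, client_secret):
    """Return the claims, or raise ValueError. registered_alg is the client's
    id_token_signed_response_alg; op_supported_algs is the OP's
    id_token_signing_alg_values_supported."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID Token is not a compact JWS")
    alg = json.loads(_b64url_decode(parts[0])).get("alg")
    # Reject "none" before consulting Registration or Discovery metadata at all.
    if not alg or str(alg).lower() == "none" or not parts[2]:
        raise ValueError("unsigned ID Token (alg=none) rejected")
    if alg != registered_alg:
        raise ValueError(f"alg {alg!r} differs from registered {registered_alg!r}")
    if alg not in op_supported_algs:
        raise ValueError(f"alg {alg!r} is not advertised by the OP")
    if alg != "HS256":  # only the symmetric case is implemented in this example
        raise ValueError(f"verification for {alg!r} not implemented here")
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(client_secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("ID Token signature invalid")
    return json.loads(_b64url_decode(parts[1]))

def make_token(alg, claims, client_secret=b""):
    """Build a constructed sample token (HS256 or alg=none) for the demo."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(client_secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

SECRET = b"constructed-client-secret"  # sample value, not a real secret
CLAIMS = {"iss": "https://op.example", "sub": "alice", "aud": "client-1"}  # constructed
SUPPORTED = ["RS256", "HS256"]  # constructed Discovery metadata

if __name__ == "__main__":
    print(check_id_token(make_token("HS256", CLAIMS, SECRET), "HS256", SUPPORTED, SECRET))
    try:
        check_id_token(make_token("none", CLAIMS), "HS256", SUPPORTED, SECRET)
    except ValueError as err:
        print("rejected:", err)
```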