[Openid-specs-ab] [Bitbucket] Issue #851: Messages 2.1.2.1 - Clarify that "none" is not an acceptable signature algorithm (openid/connect)
Mike Jones
Michael.Jones at microsoft.com
Thu Jun 27 19:43:15 UTC 2013
Agreed about the scattered requirements. More than one of the editorial fixes we're applying (including both this one and the "acr_values" clarification) are due to incomplete stories being told in different places. We're trying to clean that up so that each place tells a complete enough story to be useful on its own.
-- Mike
From: Brian Campbell [mailto:bcampbell at pingidentity.com]
Sent: Thursday, June 27, 2013 12:39 PM
To: John Bradley
Cc: Mike Jones; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] [Bitbucket] Issue #851: Messages 2.1.2.1 - Clarify that "none" is not an acceptable signature algorithm (openid/connect)
Actually id_token_signed_response_alg in Registration says that none "MAY NOT be used as the ID Token alg value." That needs to be fixed regardless of the outcome of this conversation.
The MAY/MUST typo aside, I'd missed that piece in Registration a few months ago when I was implementing that stuff. Or maybe it's changed since. I'm not sure. But that's how my software works now and I'm not really in a good position to change it. I can see reason to preclude it and I can see reason to allow it. But I've already done the latter so I guess I'd vote for Mike's #2.
For what it's worth, id_token_signing_alg_values_supported in Discovery doesn't preclude none. Should it? Or is one expected to infer that from reading Registration?
I realize the ship has already sailed on this but having normative requirements around the same functionality scattered across so many documents makes reading, reviewing, comprehending and implementing these very very difficult (probably writing them too).
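The thread turns on two metadata fields, id_token_signing_alg_values_supported (Discovery) and id_token_signed_response_alg (Registration), and on whether "none" belongs in either. The validator below is an added example, not code from the thread or from any of the participants' implementations. It constructs a sample Discovery document and client registration, mints ID Tokens with alg "HS256" (keyed with the client_secret, as OpenID Connect specifies for HS256) or alg "none", and shows one defensible Relying Party policy: the registered alg must be advertised by the OP, "none" is refused regardless of what either document says, and the token header must match the registered alg rather than being trusted to choose the algorithm. The policy choices and all sample values are this example's assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample metadata (not taken from the thread), trimmed to the
# two fields the discussion is about.
DISCOVERY = {"id_token_signing_alg_values_supported": ["RS256", "HS256"]}
REGISTRATION = {"id_token_signed_response_alg": "HS256"}
CLIENT_SECRET = b"constructed-client-secret-for-demo"  # assumed shared secret


def b64url_decode(s: str) -> bytes:
    # JWS uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_id_token(alg: str, claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Mint a compact JWS for the demo: HS256 over client_secret, or unsigned 'none'."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."          # empty signature segment
    if alg == "HS256":
        sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url_encode(sig)}"
    raise ValueError("demo only mints HS256 or none")


def validate_id_token(token: str, discovery: dict, registration: dict,
                      secret: bytes = CLIENT_SECRET) -> dict:
    """Return the claims if the ID Token passes the RP policy, else raise ValueError."""
    expected_alg = registration["id_token_signed_response_alg"]

    # Policy 1: the alg the client registered must be one the OP advertises.
    if expected_alg not in discovery["id_token_signing_alg_values_supported"]:
        raise ValueError(f"registered alg {expected_alg!r} not advertised by the OP")

    # Policy 2: an unsigned ID Token carries no authenticity; refuse 'none' outright,
    # even if Discovery or Registration happened to list it.
    if expected_alg == "none":
        raise ValueError('alg "none" is not accepted for ID Tokens')

    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))

    # Policy 3: the algorithm comes from the registration, never from the untrusted
    # header; the header must merely agree with it.
    if header.get("alg") != expected_alg:
        raise ValueError(f"header alg {header.get('alg')!r} != registered {expected_alg!r}")

    if expected_alg == "HS256":
        expected_sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, b64url_decode(s)):
            raise ValueError("HS256 signature mismatch")
    else:
        # RS256 etc. would need the OP's JWKS; out of scope for this demo.
        raise ValueError(f"{expected_alg} verification not implemented in this demo")

    return json.loads(b64url_decode(p))


def accepts(token: str, discovery: dict, registration: dict,
            secret: bytes = CLIENT_SECRET) -> bool:
    """Boolean wrapper around validate_id_token for quick policy checks."""
    try:
        validate_id_token(token, discovery, registration, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = make_id_token("HS256", {"sub": "alice"})
    unsigned = make_id_token("none", {"sub": "alice"})
    print("signed token accepted:", accepts(good, DISCOVERY, REGISTRATION))
    print("unsigned token accepted:", accepts(unsigned, DISCOVERY, REGISTRATION))
```

Rejecting "none" at the Relying Party (policy 2) means the RP's behaviour does not depend on which of the scattered documents finally states the rule, and checking the header against the registered value (policy 3) closes the case where a token arrives with a "none" header while the client registered a real algorithm.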