[Openid-specs-ab] c_hash and at_hash appear to be underspecified
Mike Jones
Michael.Jones at microsoft.com
Wed May 15 09:01:31 UTC 2013
The specs use the language "hashing the "access_token"" and "hashing the "code"" when defining the at_hash and c_hash computations. As I see it, the value to be hashed could be any of:
A. The bytes of the ASCII representation of the access_token/code (which is the same as the UTF-8 representation because only ASCII characters may be used)
B. The bytes of the little-endian UTF-16 representation of the access_token/code
C. The bytes of the big-endian UTF-16 representation of the access_token/code
I assume that A is what people are actually doing, but I wanted to confirm that before clarifying the computation in the specifications.
-- Mike
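
The three readings listed in the message, computed side by side. This is an added example, not part of the original post or of the specification text. It assumes SHA-256 (the hash that goes with an RS256-signed ID Token) and the OpenID Connect construction of taking the left-most half of the digest and base64url-encoding it without padding. The function names and the token value are constructed for illustration.

```python
import base64
import hashlib
import hmac

# The three candidate byte representations from the message.
ENCODINGS = {"A": "ascii", "B": "utf-16-le", "C": "utf-16-be"}

# Constructed sample token; not taken from any real deployment.
SAMPLE_TOKEN = "SlAV32hkKG-constructed-sample"


def half_hash(value: str, encoding: str, hash_name: str = "sha256") -> str:
    """Unpadded base64url of the left-most half of hash(value bytes)."""
    # "ascii" raises UnicodeEncodeError on non-ASCII input, which is the
    # behaviour a validator wants: such a token is malformed, not hashable.
    octets = value.encode(encoding)
    digest = hashlib.new(hash_name, octets).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def candidates(value: str) -> dict:
    """at_hash / c_hash value under each interpretation A, B and C."""
    return {label: half_hash(value, enc) for label, enc in ENCODINGS.items()}


def matching_interpretations(value: str, claimed: str) -> list:
    """Labels of the interpretations that reproduce a claimed hash."""
    return [
        label
        for label, computed in candidates(value).items()
        # Constant-time comparison, as for any verifier-side hash check.
        if hmac.compare_digest(computed, claimed)
    ]


if __name__ == "__main__":
    for label, value in candidates(SAMPLE_TOKEN).items():
        print(label, ENCODINGS[label], value)
    # A party hashing ASCII octets and one hashing UTF-16 octets never agree:
    issued = half_hash(SAMPLE_TOKEN, "ascii")
    print("interpretations that validate:",
          matching_interpretations(SAMPLE_TOKEN, issued))
```

The three values always differ for the same token, so an issuer and a relying party that pick different readings will reject each other's at_hash or c_hash even though both follow the "hash the access_token" wording.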