[Openid-specs-ab] Feedback to OpenID Connect Claims Aggregation 1.0

Takahiko Kawasaki taka at authlete.com
Mon Nov 16 21:09:34 UTC 2020


Hello,

This is the first feedback from me to "OpenID Connect Claims Aggregation
1.0" as requested in the last AB/Connect WG call on Nov 9.

- - - - - - - - - -

- Section 5.3: I'm not sure RS256 is appropriate as the default value for
claims_signed_response_alg. FAPI Part 2 Section 8.6 explicitly prohibits
the algorithm for security reasons.

- Section 5.4.2: Without diagrams and examples, it is difficult for me to
understand how "uid" and "cp_sub" are used for what reasons.

- Section 5.6.1: Why is it necessary to define the "uid" request parameter?
It seems that the "uid" request parameter would make it possible to get
information about an arbitrary end-user who is different from the
legitimate one that is associated with the presented access token.

- Section 5.6.1: Why is it necessary to list "additional" client
identifiers in "aud"? It seems that the "aud" request parameter would make
it possible to add arbitrary client identifiers in addition to the
legitimate one that is associated with the presented access token. It seems
the description was added intentionally, but I'm not sure it's safe from a
security perspective.

- "uid": In Section 5.4.2, "uid" is the thumbprint of a public key. On the
other hand, in Section 5.6.1, "uid" is an end-user's identifier. Using the
same parameter name with different meanings is confusing.

- Section 5.6.2: The 6th paragraph ("If the Aggregation Response is signed
and/or encrypted...") contradicts other parts of the specification
itself. The specification requires that responses from Claims Endpoint
always be signed and optionally encrypted.

Editorial Issues
- "http" is used in some links.
- Link to RFC 7636 is wrong.
- Links to JW* specifications are old. They should point to IETF RFCs.
- Link to MTLS is old. It should point to the IETF RFC 8705.
- Referenced OpenID.IDA specification is not the latest one. The published
latest version is ID2.
- The list in Section 1 is not properly formatted in HTML.
- Parameter names should be monospace instead of italic.
- Section 5.4: s/Code Authorization Flow/Authorization Code Flow/
- Section 5.6.1: JSON object given to "aud" in the Aggregation Request is
wrong.
- Section 5.6.2: s/MAY elect to/MAY select to/
- More diagrams and examples are needed for readers.

To be honest, I couldn't understand the specification well due to its
complexity and lack of diagrams and examples. What is the essential
difference between UserInfo Endpoint and Claims Endpoint?

Best Regards,
Takahiko Kawasaki
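The "uid"/"aud" binding and RS256 concerns raised in the message above, as an added example that is not code from the email or from the Claims Aggregation draft: a defensive check a Claims Endpoint could run before serving an Aggregation Request. It assumes the request is parsed into a dict carrying "uid" (in the Section 5.6.1 sense of an end-user identifier) and "aud", that access token validation yields the hypothetical AccessTokenInfo below, and that FAPI Part 2 Section 8.6 permits only PS256 or ES256 for JWS.

```python
from dataclasses import dataclass

# Signing algorithms FAPI Part 2 permits for JWS (PS256 or ES256). RS256, the
# default the draft proposes for claims_signed_response_alg, is outside it.
FAPI_ALLOWED_SIGNING_ALGS = frozenset({"PS256", "ES256"})


@dataclass(frozen=True)
class AccessTokenInfo:
    """Hypothetical result of validating the presented access token."""
    sub: str        # end-user the token was issued for
    client_id: str  # client the token was issued to


def check_signing_alg(client_metadata: dict, default_alg: str = "RS256") -> list[str]:
    """Flag a claims_signed_response_alg (or the draft's RS256 default) FAPI rejects."""
    alg = client_metadata.get("claims_signed_response_alg", default_alg)
    if alg not in FAPI_ALLOWED_SIGNING_ALGS:
        return [f"claims_signed_response_alg {alg!r} is not permitted under FAPI Part 2"]
    return []


def check_aggregation_request(request: dict, token: AccessTokenInfo) -> list[str]:
    """Return reasons to reject a request whose uid/aud drift from the token."""
    errors = []
    # "uid" must name the same end-user the access token was issued for.
    uid = request.get("uid")
    if uid is not None and uid != token.sub:
        errors.append("uid does not match the subject of the presented access token")
    # "aud" may only name the client the access token was issued to.
    aud = request.get("aud")
    if aud is not None:
        requested = aud if isinstance(aud, list) else [aud]
        extra = sorted(a for a in requested if a != token.client_id)
        if extra:
            errors.append(f"aud adds client identifiers not bound to the token: {extra}")
    return errors


if __name__ == "__main__":
    # Constructed sample values, not taken from the draft or the email.
    token = AccessTokenInfo(sub="user-123", client_id="client-a")
    print(check_signing_alg({}))                                   # RS256 default
    print(check_aggregation_request({"uid": "user-999"}, token))   # foreign user
    print(check_aggregation_request({"aud": ["client-a", "client-b"]}, token))
```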