[Openid-specs-ab] Issue #1424: Explicit protocol version identification etc. (openid/connect)
Nat
issues-reply at bitbucket.org
Wed Jan 26 13:53:12 UTC 2022
New issue 1424: Explicit protocol version identification etc.
https://bitbucket.org/openid/connect/issues/1424/explicit-protocol-version-identification
Nat Sakimura:
For an authentication protocol, it is known to be a good practice to have a way for a message receiver to find out the protocol versions and message position in the sequence so that it can find out if the message is legitimate.
The following is the advice given in the BCM paper (see reference below):
> P1 Positional tagging. Cryptographic message components should contain information that uniquely identifies their origin. In particular, the information should identify the protocol, the protocol variant, the message number, and the particular position within the message, from which the component was sent.
>
> P2 Inclusion of identities and their roles. Each cryptographic message component should include information about the identities of all the agents involved in the protocol run and their roles, unless there is a compelling reason to do otherwise.
Not that I can come up with an attack right now, but since this is a new protocol, it might be a good idea to follow the practice.
Reference:
**B**asin, D., **C**remers, C., **M**eier, S.: Provably Repairing the ISO/IEC 9798 Standard for Entity Authentication. Journal of Computer Security - Security and Trust Principles Archive, Volume 21, Issue 6, 817-846 (2013)
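As an added illustration of principles P1 and P2 (example code, not part of the original issue and not taken from the OpenID Connect specification or the BCM paper), the Python sketch below builds a message component whose integrity tag covers the protocol name, protocol version, message number, position, and the sender/receiver identities, and a receiver-side check that compares every tag with what the receiver expects at that point of its own run. An HMAC over a constructed shared key stands in for the real signature, and the protocol name "demo-auth", the key, the identities and the payload are all constructed sample values. An untagged baseline is included for contrast: with only the payload under the MAC, the receiver has nothing beyond the MAC to check, so a component presented at the wrong position passes.

```python
import hashlib
import hmac
import json

# Constructed demo key: an HMAC shared key standing in for the real signing key.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

# P1 tags (protocol, version, msg, pos) and P2 tags (sender, receiver).
TAG_FIELDS = ("protocol", "version", "msg", "pos", "sender", "receiver")


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so sender and receiver MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def tagged_component(key: bytes, payload: dict, **tags) -> dict:
    """Build a MACed component whose tag covers the positional tags (P1) and the
    identities/roles (P2) together with the payload."""
    missing = [f for f in TAG_FIELDS if f not in tags]
    if missing:
        raise ValueError(f"missing tags: {missing}")
    body = {**{f: tags[f] for f in TAG_FIELDS}, "payload": payload}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def untagged_component(key: bytes, payload: dict) -> dict:
    """Baseline for contrast: the MAC covers only the payload."""
    body = {"payload": payload}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_component(key: bytes, component: dict, **expected) -> tuple:
    """Receiver side: check the MAC first, then compare each tag with what this
    receiver expects at this point of its own protocol run.
    Returns (True, "ok") or (False, reason)."""
    body = component["body"]
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, component["mac"]):
        return False, "mac mismatch"
    for field in TAG_FIELDS:  # fixed order gives a deterministic first reason
        if field in expected and body.get(field) != expected[field]:
            return False, (f"{field} mismatch: got {body.get(field)!r}, "
                           f"expected {expected[field]!r}")
    return True, "ok"


# Constructed sample run: alice sends message 1 of "demo-auth" v1.0 to bob.
RUN = dict(protocol="demo-auth", version="1.0", sender="alice", receiver="bob")
PAYLOAD = {"nonce": "n-1234", "claim": "hello"}


def legitimate_check() -> tuple:
    """bob receives message 1 at position 1, exactly as he expects."""
    comp = tagged_component(DEMO_KEY, PAYLOAD, msg=1, pos=1, **RUN)
    return verify_component(DEMO_KEY, comp, msg=1, pos=1, **RUN)


def misplaced_check() -> tuple:
    """The same component reaches alice as if it were bob's reply (message 2).
    The MAC is valid, but the tags reveal the wrong message number."""
    comp = tagged_component(DEMO_KEY, PAYLOAD, msg=1, pos=1, **RUN)
    return verify_component(DEMO_KEY, comp, msg=2, pos=1,
                            protocol="demo-auth", version="1.0",
                            sender="bob", receiver="alice")


def variant_check() -> tuple:
    """A receiver running protocol version 1.1 rejects a v1.0 component."""
    comp = tagged_component(DEMO_KEY, PAYLOAD, msg=1, pos=1, **RUN)
    return verify_component(DEMO_KEY, comp, msg=1, pos=1,
                            **{**RUN, "version": "1.1"})


def untagged_misplaced_check() -> tuple:
    """Baseline: nothing but the payload is under the MAC, so the receiver can
    only check the MAC and the misplaced component is accepted."""
    comp = untagged_component(DEMO_KEY, PAYLOAD)
    return verify_component(DEMO_KEY, comp)


if __name__ == "__main__":
    for name, fn in [("legitimate", legitimate_check), ("misplaced", misplaced_check),
                     ("variant", variant_check), ("untagged", untagged_misplaced_check)]:
        print(f"{name:10s} -> {fn()}")
```

The design point is that the receiver never has to guess where a component came from: it states what it expects at this step (protocol, version, message number, position, peers) and rejects anything that differs, which is exactly the check P1 and P2 make possible.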