[Openid-specs-ab] JWA support

Mike Jones Michael.Jones at microsoft.com
Wed Sep 26 18:06:50 UTC 2012


Looking at http://openid.net/specs/openid-connect-messages-1_0.html#sigenc, I agree that the treatment of advertising supported algorithms is currently inconsistent.  The client has fine-grained control with the parameters
	{userinfo,id_token}_signed_response_alg and {userinfo,id_token}_encrypted_response_{alg,enc,int}
whereas the server jumbles the types of algorithms together with the parameters
	{userinfo,id_token,request_object,token_endpoint}_algs_supported.

I believe that we should give the server the same degree of control as the client.  I would propose these new server parameter names:
	{userinfo,id_token,request_object,token_endpoint}_signing_alg_values_supported
	{userinfo,id_token,request_object,token_endpoint}_encryption_{alg,enc}_values_supported

Do people agree with that proposal?

Notice that I didn't include an "int_values_supported" option.  That's because in the JOSE drafts to be published shortly, the "int" and "kdf" parameters are going away, with the "enc" value representing AEAD algorithms such as "A128CBC+HS256", "A256CBC+HS512", "A128GCM", and "A256GCM" (with combinations such as "A128CBC+HS256" used when the base block encryption algorithm is not already AEAD).

I don't propose to change the Connect spec until the JOSE changes are published, but I'll plan to do so at that time.  Until then, we can do interop on the current specs.  But implementers should be aware of the upcoming changes.

				Best wishes,
				-- Mike

-----Original Message-----
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Roland Hedberg
Sent: Wednesday, September 26, 2012 4:37 AM
To: Roland Hedberg
Cc: openid-specs-ab at lists.openid.net Group
Subject: Re: [Openid-specs-ab] JWA support


On 26 Sep 2012 at 13:09, Roland Hedberg <roland.hedberg at adm.umu.se> wrote:

> Hi,
> 
> an OIC OP can publish which encryption algorithms it supports using userinfo_algs_supported, id_token_algs_supported and request_object_algs_supported respectively.


Or, looking at what the publicly available OPs publish, are you supposed to put alg, enc and int specifications in a jumble in these claims?

-- Roland
------------------------------------------------------
Roland Hedberg
IT Architect/Senior Researcher
ICT Services and System Development (ITS) Umeå University
SE-901 87 Umeå, Sweden
Phone +46 90 786 68 44
Mobile +46 70 696 68 44
www.its.umu.se
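The kind of check that the proposed per-type server parameters make possible, as an added Python example that is not code from this thread or from any OpenID Connect implementation: a client's requested `{id_token,userinfo}_{signed,encrypted}_response_*` values are compared against the OP's `*_values_supported` lists, and a legacy jumbled `*_algs_supported` list is split into the fine-grained form. The JWA name sets are a constructed subset, and `split_legacy` and `check_registration` are hypothetical helper names.

```python
# Added example (not from the thread): check a client's requested response
# algorithms against an OP's per-type metadata using the proposed parameter
# names, and un-jumble a legacy {prefix}_algs_supported list. The JWA name
# sets below are a constructed subset, not an exhaustive registry.
SIGNING_ALGS = {"none", "HS256", "HS384", "HS512",
                "RS256", "RS384", "RS512", "ES256", "ES384", "ES512"}
KEY_MGMT_ALGS = {"RSA1_5", "RSA-OAEP", "A128KW", "A256KW", "dir"}
CONTENT_ENCS = {"A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM"}


def split_legacy(prefix, jumbled):
    """Map a legacy {prefix}_algs_supported list onto the three proposed
    fine-grained keys. Unrecognised names are returned separately rather
    than silently dropped, so a misconfigured OP is noticed."""
    sig = f"{prefix}_signing_alg_values_supported"
    alg = f"{prefix}_encryption_alg_values_supported"
    enc = f"{prefix}_encryption_enc_values_supported"
    out = {sig: [], alg: [], enc: []}
    unknown = []
    for value in jumbled:
        if value in SIGNING_ALGS:
            out[sig].append(value)
        elif value in KEY_MGMT_ALGS:
            out[alg].append(value)
        elif value in CONTENT_ENCS:
            out[enc].append(value)
        else:
            unknown.append(value)
    return out, unknown


def check_registration(op_metadata, client_request):
    """Compare the client's {id_token,userinfo}_{signed,encrypted}_response_*
    requests with the OP's *_values_supported lists. Returns a list of
    problems; an empty list means every requested algorithm is advertised."""
    problems = []
    for t in ("id_token", "userinfo"):
        pairs = {
            f"{t}_signed_response_alg": f"{t}_signing_alg_values_supported",
            f"{t}_encrypted_response_alg": f"{t}_encryption_alg_values_supported",
            f"{t}_encrypted_response_enc": f"{t}_encryption_enc_values_supported",
        }
        for req_key, sup_key in pairs.items():
            value = client_request.get(req_key)
            if value is not None and value not in op_metadata.get(sup_key, []):
                problems.append(f"{req_key}={value} not in OP {sup_key}")
        # Per the thread, "int" is being dropped from JOSE in favour of AEAD
        # "enc" values, so a separate integrity request is flagged as obsolete.
        if f"{t}_encrypted_response_int" in client_request:
            problems.append(f"{t}_encrypted_response_int is obsolete; use an AEAD enc value")
    return problems
```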
