[Openid-specs-ab] OpenID Connect and Identity Delegation

Nat Sakimura sakimura at gmail.com
Thu Mar 28 23:50:54 UTC 2013


Which is not the case, as it may sometimes change hands. The name "bearer"
suggests otherwise as well. Bearer is whoever has it.

From the Oxford Dictionary:

1. a person or thing that carries or holds something
2. a person who presents a cheque or other order to pay money


And here is a description of "bearer bond" from wikipedia:

A *bearer bond* is a debt security issued by a business entity, such as a
corporation, or by a government. It differs from the more common types of
investment securities in that it is unregistered – no records are kept of
the owner, or the transactions involving ownership. Whoever physically
holds the paper on which the bond is issued owns the
instrument (http://en.wikipedia.org/wiki/Financial_instrument).
This is useful for investors (http://en.wikipedia.org/wiki/Investor) who
wish to retain anonymity. Recovery of the value of a bearer bond in the
event of its loss, theft, or destruction is usually impossible.


At the same time, bearer is more privacy preserving in some sense. In a
"registered token", i.e., a token with the "azp", it is impossible to hide
who is presenting it.

Nat

2013/3/29 Mike Jones <Michael.Jones at microsoft.com>

> I think I disagree with this statement.  I had thought that without an
> “azp” claim, there is exactly one authorized presenter – the client that
> requested the token.
>
> All of this discussion does point out that “azp” truly is underspecified –
> which was Brian’s primary observation.  Otherwise we wouldn’t have experts
> who wrote the specs with different views on what the claim means.
>
> -- Mike
>
> From: Nat Sakimura [mailto:sakimura at gmail.com]
> Sent: Thursday, March 28, 2013 4:26 PM
> To: Tim Bray
> Cc: Mike Jones; openid-specs-ab
> Subject: Re: [Openid-specs-ab] OpenID Connect and Identity Delegation
>
> +1 An ID Token without azp is equivalent to saying "azp":"*". That's what we
> call bearer. In essence, azp is scoping the "from" and aud is scoping
> the "to".
>
> As far as the text itself is concerned, there has been a request from Breno on
> the text, however, and we should take that into account as well.
>
> Nat
>
> 2013/3/29 Tim Bray <tbray at textuality.com>
>
> I agree with Mike’s characterization. Why not include that exact sentence
> in the spec?
>
> On Thu, Mar 28, 2013 at 11:06 AM, Mike Jones <Michael.Jones at microsoft.com>
> wrote:
>
> An audience is a party that the token can be legally presented to.  The
> authorized presenter (azp) is a party that can legally present the token to
> those audiences.
>
> -- Mike
>
> From: openid-specs-ab-bounces at lists.openid.net [mailto:
> openid-specs-ab-bounces at lists.openid.net] On Behalf Of Brian Campbell
> Sent: Thursday, March 28, 2013 11:00 AM
> To: Matias Woloski
> Cc: openid-specs-ab
> Subject: Re: [Openid-specs-ab] OpenID Connect and Identity Delegation
>
> On Thu, Mar 28, 2013 at 11:55 AM, Matias Woloski <matiasw at gmail.com>
> wrote:
>
>    - What is the difference between having multiple audiences vs using
>    azp?
>
> FWIW, I've long had the same question.  Which is mentioned, among others
> about azp, in
> https://bitbucket.org/openid/connect/issue/830/what-is-azp-really
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
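The thread turns on two questions: what "aud" scopes versus what "azp" scopes (Nat's "to" and "from"), and what an absent "azp" means (Nat: anyone, i.e. bearer; Mike: exactly the client that requested the token). The following checker is an added example, not code from the thread or from any OpenID Foundation project. It encodes Mike's definition directly (a receiver must be in "aud"; with "azp" present, only that party may present) and makes the disputed absent-"azp" case selectable so both readings can be compared. Tokens, client names and the `absent_azp_means_bearer` switch are constructed for illustration; the sample tokens are unsigned, since signature verification is a separate step that must precede these checks.

```python
import base64
import json


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as used in compact JWT serialization."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_id_token(claims: dict) -> str:
    """Constructed, UNSIGNED sample token ("alg": "none") for this example only.
    A real ID Token is signed by the OP and the signature is checked first."""
    header = b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT (signature assumed verified)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def audiences(claims: dict) -> list:
    """'aud' may be a single string or an array; normalise to a list.
    This is the "to" side: parties the token may be presented to."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def authorized_presenters(claims: dict, requesting_client: str,
                          absent_azp_means_bearer: bool):
    """The "from" side: who may present the token.
    With 'azp' present the set is fixed. Without it the thread disagrees:
    bearer reading -> "*" (anyone); strict reading -> only the client that
    requested the token (requesting_client is knowledge held outside the token)."""
    azp = claims.get("azp")
    if azp is not None:
        return {azp}
    return "*" if absent_azp_means_bearer else {requesting_client}


def may_accept(id_token: str, presenter: str, receiver: str,
               requesting_client: str, absent_azp_means_bearer: bool = True) -> bool:
    """Accept only if receiver is an audience AND presenter is authorized."""
    claims = id_token_claims(id_token)
    if receiver not in audiences(claims):
        return False
    allowed = authorized_presenters(claims, requesting_client, absent_azp_means_bearer)
    return allowed == "*" or presenter in allowed


# Constructed sample tokens (hypothetical issuer and client identifiers).
COMMON = {"iss": "https://op.example", "sub": "248289761001", "exp": 1364601600}
SINGLE_AUD_NO_AZP = make_unsigned_id_token({**COMMON, "aud": "client-a"})
MULTI_AUD_NO_AZP = make_unsigned_id_token({**COMMON, "aud": ["client-a", "client-b"]})
MULTI_AUD_WITH_AZP = make_unsigned_id_token(
    {**COMMON, "aud": ["client-a", "client-b"], "azp": "client-b"})

if __name__ == "__main__":
    # Matias's question: multiple audiences widen the "to"; azp narrows the "from".
    for name, tok in [("single aud, no azp", SINGLE_AUD_NO_AZP),
                      ("multi aud, no azp", MULTI_AUD_NO_AZP),
                      ("multi aud, azp=client-b", MULTI_AUD_WITH_AZP)]:
        for mode in (True, False):
            ok = may_accept(tok, "client-a", "client-b", "client-a", mode)
            print(f"{name:26} bearer={mode!s:5} client-a -> client-b: {ok}")
```

Running the block prints a small matrix for the case "client-a presents a token it obtained to client-b": with no "azp", a multi-audience token lets any presenter reach either audience under the bearer reading; adding "azp":"client-b" pins the presenter to client-b regardless of how many audiences are listed, which is the "registered token" privacy trade-off Nat describes.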