[Openid-specs-ab] OpenID Connect and Identity Delegation

Mike Jones Michael.Jones at microsoft.com
Thu Mar 28 23:52:36 UTC 2013


Changing hands doesn't mean that it's authorized.  It just means that the token has been leaked to an unauthorized party.

                                                                -- Mike

From: Nat Sakimura [mailto:sakimura at gmail.com]
Sent: Thursday, March 28, 2013 4:51 PM
To: Mike Jones
Cc: Tim Bray; openid-specs-ab
Subject: Re: [Openid-specs-ab] OpenID Connect and Identity Delegation

Which is not the case: it may sometimes change hands. The name "bearer" suggests otherwise as well. The bearer is whoever has it.

From the Oxford Dictionary:

1. a person or thing that carries or holds something
2. a person who presents a cheque or other order to pay money

And here is a description of "bearer bond" from Wikipedia:

A bearer bond is a debt security issued by a business entity, such as a corporation, or by a government. It differs from the more common types of investment securities in that it is unregistered - no records are kept of the owner, or the transactions involving ownership. Whoever physically holds the paper on which the bond is issued owns the instrument (http://en.wikipedia.org/wiki/Financial_instrument). This is useful for investors (http://en.wikipedia.org/wiki/Investor) who wish to retain anonymity. Recovery of the value of a bearer bond in the event of its loss, theft, or destruction is usually impossible.

At the same time, bearer is more privacy preserving in some sense. In a "registered token", i.e., a token with the "azp", it is impossible to hide who is presenting it.

Nat
2013/3/29 Mike Jones <Michael.Jones at microsoft.com>
I think I disagree with this statement.  I had thought that without an "azp" claim, there is exactly one authorized presenter - the client that requested the token.

All of this discussion does point out that "azp" truly is underspecified - which was Brian's primary observation.  Otherwise we wouldn't have experts who wrote the specs with different views on what the claim means.

                                                                -- Mike

From: Nat Sakimura [mailto:sakimura at gmail.com]
Sent: Thursday, March 28, 2013 4:26 PM
To: Tim Bray
Cc: Mike Jones; openid-specs-ab

Subject: Re: [Openid-specs-ab] OpenID Connect and Identity Delegation

+1. An ID Token without azp is equivalent to saying "azp":"*". That's what we call bearer. In essence, azp is scoping the "from" and aud is scoping the "to".

As far as the text itself is concerned, there has been a request from Breno on the text, however, and we should take that into account as well.

Nat


2013/3/29 Tim Bray <tbray at textuality.com>
I agree with Mike's characterization. Why not include that exact sentence in the spec?

On Thu, Mar 28, 2013 at 11:06 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:
An audience is a party that the token can be legally presented to.  The authorized presenter (azp) is a party that can legally present the token to those audiences.

                                                                -- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Brian Campbell
Sent: Thursday, March 28, 2013 11:00 AM
To: Matias Woloski
Cc: openid-specs-ab
Subject: Re: [Openid-specs-ab] OpenID Connect and Identity Delegation


On Thu, Mar 28, 2013 at 11:55 AM, Matias Woloski <matiasw at gmail.com> wrote:


* What is the difference between having multiple audiences vs using azp?

FWIW, I've long had the same question, which is mentioned, among other questions about azp, in https://bitbucket.org/openid/connect/issue/830/what-is-azp-really

_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab



--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
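The thread's "to"/"from" split (Mike: aud is who the token may be presented to, azp is who may present it; Nat: no azp means "azp":"*", i.e. bearer) can be made concrete as a relying-party check. The block below is an added example, not code from this thread, from the OpenID Foundation or from any OpenID Connect implementation. The concrete rules it applies are the aud/azp steps of the ID Token validation section published later in OpenID Connect Core 1.0 (section 3.1.3.7, steps 3-5), which postdates this March 2013 discussion; the example treats that section's SHOULDs as hard rejections, which is a design choice, not a spec requirement. The client identifiers `rp1`/`rp2`, the helper names and the demo token are constructed for the example; signature, `iss`, `exp` and `nonce` verification are out of scope here and a real RP must perform them before trusting any claim.

```python
"""
Added example: applying the aud ("to") / azp ("from") distinction from the
openid-specs-ab thread as a relying-party check on a decoded ID Token.

Rules follow OpenID Connect Core 1.0 section 3.1.3.7, steps 3-5, with the
SHOULDs treated as rejections (a deliberate choice in this example):
  3. aud must contain this client's client_id
  4. if aud has several values, azp must be present
  5. if azp is present, it must equal this client's client_id
Signature / iss / exp / nonce checks are intentionally NOT done here.
"""
import base64
import json
from typing import List, Tuple


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in compact JWTs."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_demo_token(claims: dict) -> str:
    """Build an UNSIGNED compact JWT (constructed demo data only).

    Real ID Tokens are signed; an RP must verify that signature before it
    reads any claim. This helper exists only to exercise decode_claims().
    """
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS. Signature is NOT checked."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    return json.loads(_b64url_decode(parts[1]))


def _audiences(claims: dict) -> List[str]:
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def check_audience(claims: dict, client_id: str) -> Tuple[bool, str]:
    """Decide whether the RP identified by client_id may accept this token.

    Returns (accepted, reason). Reasons:
      no-aud            token names no audience at all
      not-in-aud        token was never meant "to" this RP
      multi-aud-no-azp  several audiences but no "from"; treated as the
                        bearer ambiguity the thread worries about
      azp-mismatch      a different party is the authorized presenter
      ok                single audience, or azp names this RP
    """
    audiences = _audiences(claims)
    if not audiences:
        return False, "no-aud"
    if client_id not in audiences:
        return False, "not-in-aud"
    azp = claims.get("azp")
    if azp is None:
        if len(audiences) > 1:
            return False, "multi-aud-no-azp"
        return True, "ok"
    if azp != client_id:
        return False, "azp-mismatch"
    return True, "ok"


def demo() -> List[Tuple[str, bool, str]]:
    """Run a few constructed cases; returns (label, accepted, reason)."""
    token = make_demo_token({"aud": ["rp1", "rp2"], "azp": "rp1"})
    claims = decode_claims(token)
    cases = [
        ("single aud, rp1", {"aud": "rp1"}, "rp1"),
        ("single aud, wrong rp", {"aud": "rp1"}, "rp2"),
        ("two auds, no azp", {"aud": ["rp1", "rp2"]}, "rp1"),
        ("two auds, azp=rp1, rp1", claims, "rp1"),
        ("two auds, azp=rp1, rp2", claims, "rp2"),
    ]
    return [(label, *check_audience(c, cid)) for label, c, cid in cases]


if __name__ == "__main__":
    for label, ok, reason in demo():
        print(f"{label:28s} -> {'accept' if ok else 'reject'} ({reason})")
```

Note that a token with one audience and no azp is accepted here, which matches Mike's reading (exactly one authorized presenter, the requesting client); it is the multi-audience, no-azp case, where Nat's "azp":"*" reading would let any audience member re-present the token, that this check refuses.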