[Openid-specs-ab] Issue #851: Messages 184.108.40.206 - Clarify that "none" is not an acceptable signature algorithm (openid/connect)
issues-reply at bitbucket.org
Thu Jun 20 20:39:40 UTC 2013
New issue 851: Messages 220.127.116.11 - Clarify that "none" is not an acceptable signature algorithm
ID Tokens MUST be signed using JWS [JWS] and OPTIONALLY both signed and then encrypted using JWS [JWS] and JWE [JWE] respectively, thereby providing authentication, integrity, non-repudiation, and optionally, confidentiality, per Section 9.13 (Signing and Encryption Order).
I was recently asked whether "none" was an acceptable algorithm to use for this signature. While obvious, I believe that we should explicitly rule it out in the final versions of the specifications.
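As an added example, not part of this issue or of the OpenID Connect specifications, the following Python shows the kind of Relying Party-side pre-check the issue argues for: before any signature verification, the JOSE header of an ID Token is parsed and the token is rejected if the alg is "none" (in any letter case), missing, not in the client's allowlist, or accompanied by an empty signature segment. The token-building helper and all sample values are constructed for the demonstration; real signature verification is left to a JOSE library.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(header: dict, payload: dict, signature: bytes = b"") -> str:
    """Build a JWS compact serialization (constructed test helper only).
    An "alg":"none" token per JWS has an empty third segment."""
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     _b64url(signature)])


def check_id_token_alg(id_token: str, allowed_algs: set) -> str:
    """Return the JOSE header alg if it is acceptable for this client.
    Raises ValueError otherwise. This runs BEFORE cryptographic verification;
    it does not replace it."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization (expected 3 segments)")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise ValueError(f"malformed JOSE header: {exc}")
    alg = header.get("alg") if isinstance(header, dict) else None
    # Reject the Unsecured JWS explicitly, regardless of letter case.
    if not isinstance(alg, str) or alg.lower() == "none":
        raise ValueError('alg "none" (or missing alg) is not acceptable for an ID Token')
    # Only the algorithms the RP registered for (id_token_signed_response_alg) are allowed.
    if alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} not in client allowlist {sorted(allowed_algs)}")
    if parts[2] == "":
        raise ValueError("empty signature segment")
    return alg


def id_token_alg_is_acceptable(id_token: str, allowed_algs: set) -> bool:
    try:
        check_id_token_alg(id_token, allowed_algs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    tok = make_token({"alg": "none"}, {"iss": "https://op.example", "sub": "alice"})
    print(id_token_alg_is_acceptable(tok, {"RS256"}))  # False
```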