[Openid-specs-ab] Issue #851: Messages 2.1.2.1 - Clarify that "none" is not an acceptable signature algorithm (openid/connect)

Michael Jones issues-reply at bitbucket.org
Thu Jun 20 20:39:40 UTC 2013


New issue 851: Messages 2.1.2.1 - Clarify that "none" is not an acceptable signature algorithm
https://bitbucket.org/openid/connect/issue/851/messages-2121-clarify-that-none-is-not-an

Michael Jones:

http://openid.net/specs/openid-connect-messages-1_0.html#id_token says:

ID Tokens MUST be signed using JWS [JWS] and OPTIONALLY both signed and then encrypted using JWS [JWS] and JWE [JWE] respectively, thereby providing authentication, integrity, non-repudiation, and optionally, confidentiality, per Section 9.13 (Signing and Encryption Order).

I was recently asked whether "none" was an acceptable algorithm to use for this signature. While obvious, I believe that we should explicitly rule it out in the final versions of the specifications.
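The point of the issue above, from the relying party's side: an ID Token verifier must treat the `alg` header as untrusted input and accept only the algorithms it was configured for, so that a token carrying `"alg":"none"` (a JWS with an empty signature) is rejected before any claims are used. The following is an added illustration, not code from the OpenID Connect specifications or the mailing list; it uses a constructed HS256 demo key and constructed sample claims, and it deliberately verifies only the signature and algorithm (issuer, audience and expiry checks are a separate step the spec requires of the client).

```python
import base64
import hashlib
import hmac
import json

# Constructed demo material (not from the page): a shared secret and sample ID Token claims.
SECRET = b"constructed-demo-key-not-for-production"
SAMPLE_CLAIMS = {
    "iss": "https://op.example",
    "sub": "248289761001",
    "aud": "client-example",
}

# Hypothetical allow-list: only the algorithms this relying party was configured for.
# "none" is never in it, so an unsigned token can never pass.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that JWS base64url strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a JWS compact serialization signed with HMAC-SHA256 (the OP side)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def unsigned_token(claims: dict) -> str:
    """Constructed test input: a JWS with alg "none" and an empty signature part.

    Used here only to show that the verifier below refuses it."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def verify_id_token(token: str, key: bytes, allowed_algs=frozenset(ALLOWED_ALGS)) -> dict:
    """Return the claims of a JWS-signed ID Token, or raise ValueError.

    The algorithm is checked against the configured allow-list first, so "none"
    (and any algorithm the client never opted into) is rejected outright."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"unacceptable signature algorithm: {alg!r}")
    # Only HS256 is implemented in this demo; a real client would dispatch on alg here.
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(payload_b64))


def rejects(token: str, key: bytes) -> bool:
    """True when the verifier refuses the token (used by the checks below)."""
    try:
        verify_id_token(token, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good = sign_hs256(SAMPLE_CLAIMS, SECRET)
    print("signed token accepted, sub =", verify_id_token(good, SECRET)["sub"])
    print("alg none rejected:", rejects(unsigned_token(SAMPLE_CLAIMS), SECRET))
```

The check order matters: the allow-list test runs before any cryptographic work, so the verifier never reaches a code path where an absent signature could be mistaken for a valid one. Adding a new algorithm is an explicit configuration change to `ALLOWED_ALGS`, never something the token itself can request.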



