[Openid-specs-ab] why migration spec require "asymmetrically signed" id_token?

Mike Jones Michael.Jones at microsoft.com
Sun Nov 9 19:44:02 UTC 2014


I agree with you that the Migration spec shouldn't impose additional signing requirements on the ID Token.  Nov Matake raised that for the symmetric signature case in a separate message.  We should address this in the next version of the Migration spec.

				-- Mike

-----Original Message-----
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Torsten Lodderstedt
Sent: Sunday, November 09, 2014 1:46 AM
To: nov matake; openid-specs-ab at lists.openid.net openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] why migration spec require "asymmetrically signed" id_token?

Hi Nov,

I don't think there is a need to limit ID token protection in the migration spec to asymmetric signatures. HMAC or TLS (for direct communication/grant type code) also work.

I therefore created a tracker issue to remove this constraint.

https://bitbucket.org/openid/connect/issue/964/id-token-protection-rules-already-defined

kind regards,
Torsten.

Am 06.11.2014 10:06, schrieb nov matake:
> Section 4 of migration spec says
>
> ==
> If the verification of the Relying Party was successful and an 
> associated OpenID 2.0 Identifier for the user is found, then the OP 
> MUST include the OpenID 2.0 Identifier in the asymmetrically signed ID 
> Token with the following claim name ==
>
> but I couldn't find the reason why it must be "asymmetric".
>
> ps.
> Yahoo! Japan uses HS256 in their Connect implementation, so the requirement might be hard for them to support migration spec.
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab


More information about the Openid-specs-ab mailing list