<p>Hi</p>
<p>I agree with Anthony that JWK will mean new tooling regardless.</p>
<p>But I personally don't think that the argument that company X or Y have implemented PKI today and should be able to continue using it is a strong argument.</p>
<p>A standard, in my opinion, needs to try to see beyond that and see what best solves the targeted problems.</p>
<p>The end result might be the same as the above but it will be for different reasons. </p>
<p>My opinion is only mandatory and no optional in this case. Regardless of x509 or JWK. </p>
<p>Thanks<br>
Magnus Andersson <br>
</p>
<div class="gmail_quote">On 27 Jul 2012 19:47, "John Bradley" <<a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">Without one being mandatory on the server the client needs to support both to be interoperable.<div><br></div><div>It is a case of pick your poison.</div><div><br></div><div>We could always go back to xmldsig we have tools for that as well:)</div>
<div><br></div><div>John B.<br><div><div>On 2012-07-27, at 10:36 AM, Anthony Nadalin wrote:</div><br><blockquote type="cite"><span style="border-collapse:separate;font-family:Helvetica;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:medium"><div lang="EN-US" link="blue" vlink="purple">
<div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">If I have the tools already for x.509, why would I want to invest in another set of tools and have to work on them for years to get them to the point our x.509 tools are today? Not sure there should be a mandatory, there should be an equal option for both and you either implement one or the other or both, but making JWK mandatory means everyone has to create new tooling and test the new tooling, etc.<u></u><u></u></span></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></div>
<div><div style="border-right-style:none;border-bottom-style:none;border-left-style:none;border-width:initial;border-color:initial;border-top-style:solid;border-top-color:rgb(181,196,223);border-top-width:1pt;padding-top:3pt;padding-right:0in;padding-bottom:0in;padding-left:0in">
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><b><span style="font-size:10pt;font-family:Tahoma,sans-serif">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif"><span> </span>John Bradley [mailto:<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>]<span> </span><br>
<b>Sent:</b><span> </span>Friday, July 27, 2012 10:18 AM<br><b>To:</b><span> </span>Magnus Andersson<br><b>Cc:</b><span> </span>Anthony Nadalin; <a href="mailto:openid-connect-interop@googlegroups.com" target="_blank">openid-connect-interop@googlegroups.com</a>; <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>; Edmund Jay<br>
<b>Subject:</b><span> </span>Re: [Openid-specs-ab] Mandatory JWK Support for OpenID Connect<u></u><u></u></span></div></div></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<u></u> <u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">There are some use cases where the use of PKIX trust relationships may be required. <u></u><u></u></div>
<div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
In the EU there may be reasons to publish an x.509 cert so that the signature on the id_token is a qualified digital signature for non-repudiation at higher LOA.<u></u><u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<u></u> <u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">I don't think anyone wants to remove the x.509 option. <u></u><u></u></div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
The question is if clients or servers MUST implement both, or if only one format needs to be mandatory for servers what should it be.<u></u><u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<u></u> <u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">For simple clients JWK is arguably (I say that knowing Tony will argue) simpler to build as it doesn't need ASN1 parsing. For servers x.509 certificates have existing tools.<u></u><u></u></div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
Our design principle to this point is for pushing complexity from clients to servers.<u></u><u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<u></u> <u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">John B.<u></u><u></u></div><div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
On 2012-07-27, at 8:06 AM, Magnus Andersson wrote:<u></u><u></u></div></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><br>
<br><u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">Hi<u></u><u></u></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<u></u> <u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">My name is Magnus. I own a startup and I'm implementing OpenID Connect.<u></u><u></u></div>
<div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
As an implementor: if the JWK-format is mandatory, exactly what added value does optionally exposing x.509 certificates to the client give? <u></u><u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<u></u> <u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">As long as the JWK is mandatory I personally don't see how optional x.509 certificates would simplify anything for those who have existing Public-key infrastructure. They still have to handle the JWK case and map that to their PKI.<u></u><u></u></div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
I recognize I don't know all the history in this matter. But could the option to choose only JWK (as it is already deemed mandatory) and skip x.509 be added, to balance out the current options? <u></u><u></u></div></div>
<div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
BR Magnus Andersson<u></u><u></u></div></div><div><p class="MsoNormal" style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:12pt;font-size:12pt;font-family:'Times New Roman',serif">Solvies AB<u></u><u></u></p>
<div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">2012/7/27 John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" style="color:blue;text-decoration:underline" target="_blank">ve7jtb@ve7jtb.com</a>><u></u><u></u></div>
<div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">Extracting a key from a certificate is not that hard, to make a JWK out of it. <u></u><u></u></div>
<div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
We can likely automate that. People who want to support x509 are free to do that; it is just not mandatory for the client. For the basic client using the code flow there is no MTI; for the implicit flow JWK is MTI if you want general support. I suppose if a client just wants to talk to a specific IDP it could just do x509 if that is supported.<u></u><u></u></div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
The options are.<u></u><u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">1 Client must support both and server chooses<u></u><u></u></div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">2 Server must support both and client chooses<u></u><u></u></div></div>
<div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">3 Server must support one and the other is optional.<u></u><u></u></div></div>
<div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
Tony, are you saying you prefer 1 or 2, or is 3 your preference but making x.509 the default?<u></u><u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<u></u> <u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">There are advantages and disadvantages to picking JWK as the default. <u></u><u></u></div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
It is true that most common tools like OpenSSL easily produce self-signed certificates.<u></u><u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
On the other hand they expire and create run time issues later because some people may try and do PKIX processing on them. <u></u><u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<u></u> <u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">This is a continual debate in SAML over raw keys vs certificates. Many federations think raw keys cause fewer support issues over time.<u></u><u></u></div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
Thoughts?<u></u><u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
John B.<u></u><u></u></div></div><div><div><div><div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">On 2012-07-26, at 9:43 PM, Anthony Nadalin wrote:<u></u><u></u></div>
</div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div></div><blockquote style="margin-top:5pt;margin-bottom:5pt">
<div><div><div><div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">This creates problems with folks that already have a PKI infrastructure and want to use existing keys</span><u></u><u></u></div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span><u></u><u></u></div>
</div><div><div style="border-right-style:none;border-bottom-style:none;border-left-style:none;border-width:initial;border-color:initial;border-top-style:solid;padding-top:3pt;padding-right:0in;padding-bottom:0in;padding-left:0in;border-width:initial;border-color:initial">
<div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><b><span style="font-size:10pt;font-family:Tahoma,sans-serif">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif"> Edmund Jay [mailto:<a href="mailto:ejay@mgi1.com" style="color:blue;text-decoration:underline" target="_blank">ejay@mgi1.com</a>] <br>
<b>Sent:</b> Thursday, July 26, 2012 3:11 PM<br><b>To:</b> Anthony Nadalin;<span> </span><a href="mailto:openid-specs-ab@lists.openid.net" style="color:blue;text-decoration:underline" target="_blank">openid-specs-ab@lists.openid.net</a>;<span> </span><a href="mailto:openid-connect-interop@googlegroups.com" style="color:blue;text-decoration:underline" target="_blank">openid-connect-interop@googlegroups.com</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] Mandatory JWK Support for OpenID Connect</span><u></u><u></u></div></div></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<u></u><u></u></div></div><div><div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Tahoma,sans-serif">This is in reference to the open issue # 633 at <a href="http://hg.openid.net/connect/issue/633/messages-42-jwk-and-x509-format-support" style="color:blue;text-decoration:underline" target="_blank">http://hg.openid.net/connect/issue/633/messages-42-jwk-and-x509-format-support</a><br>
The specs currently support x509 and JWK format for publishing public keys but are silent on which must be supported.<br>There may be interop problems related to cryptographic aspects of OpenID due to lack of common support between client and server.<br>
<br>-- Edmund</span><u></u><u></u></div></div></div><div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Tahoma,sans-serif"> </span><u></u><u></u></div>
</div><div><div class="MsoNormal" align="center" style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif;text-align:center"><span style="font-size:10pt;font-family:Tahoma,sans-serif"><hr size="1" width="100%" align="center">
</span></div><p class="MsoNormal" style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:12pt;font-size:12pt;font-family:'Times New Roman',serif"><b><span style="font-size:10pt;font-family:Tahoma,sans-serif">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif"> Anthony Nadalin <<a href="mailto:tonynad@microsoft.com" style="color:blue;text-decoration:underline" target="_blank">tonynad@microsoft.com</a>><br>
<b>To:</b> Edmund Jay <<a href="mailto:ejay@mgi1.com" style="color:blue;text-decoration:underline" target="_blank">ejay@mgi1.com</a>>; "<a href="mailto:openid-specs-ab@lists.openid.net" style="color:blue;text-decoration:underline" target="_blank">openid-specs-ab@lists.openid.net</a>" <<a href="mailto:openid-specs-ab@lists.openid.net" style="color:blue;text-decoration:underline" target="_blank">openid-specs-ab@lists.openid.net</a>>; "<a href="mailto:openid-connect-interop@googlegroups.com" style="color:blue;text-decoration:underline" target="_blank">openid-connect-interop@googlegroups.com</a>" <<a href="mailto:openid-connect-interop@googlegroups.com" style="color:blue;text-decoration:underline" target="_blank">openid-connect-interop@googlegroups.com</a>><br>
<b>Sent:</b> Thu, July 26, 2012 1:46:41 PM<br><b>Subject:</b> RE: [Openid-specs-ab] Mandatory JWK Support for OpenID Connect</span><u></u><u></u></p><div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-size:11pt;color:rgb(31,73,125)">Can you provide the rationale or a pointer to the rationale?</span><u></u><u></u></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-size:11pt;color:rgb(31,73,125)"> </span><u></u><u></u></div></div><div><div style="border-right-style:none;border-bottom-style:none;border-left-style:none;border-width:initial;border-color:initial;border-top-style:solid;padding-top:3pt;padding-right:0in;padding-bottom:0in;padding-left:0in;border-width:initial;border-color:initial">
<div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><b><span style="font-size:10pt">From:</span></b><span style="font-size:10pt"> <a href="mailto:openid-specs-ab-bounces@lists.openid.net" style="color:blue;text-decoration:underline" target="_blank">openid-specs-ab-bounces@lists.openid.net</a> <a href="mailto:[mailto:openid-specs-ab-bounces@lists.openid.net]" style="color:blue;text-decoration:underline" target="_blank">[mailto:openid-specs-ab-bounces@lists.openid.net]</a> <b>On Behalf Of </b>Edmund Jay<br>
<b>Sent:</b> Thursday, July 26, 2012 11:58 AM<br><b>To:</b> <a href="mailto:openid-specs-ab@lists.openid.net" style="color:blue;text-decoration:underline" target="_blank">openid-specs-ab@lists.openid.net</a>; <a href="mailto:openid-connect-interop@googlegroups.com" style="color:blue;text-decoration:underline" target="_blank">openid-connect-interop@googlegroups.com</a><br>
<b>Subject:</b> [Openid-specs-ab] Mandatory JWK Support for OpenID Connect</span><u></u><u></u></div></div></div></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<u></u><u></u></div></div><div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt">This is to inform everyone that the Working Group has decided to make JWK support mandatory for both the client and server.<br>
Feedback welcome.<br><br><br>-- Edmund</span><u></u><u></u></div></div></div></div></div></div></div></div></div></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-size:13.5pt;font-family:Helvetica,sans-serif">_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" style="color:blue;text-decoration:underline" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" style="color:blue;text-decoration:underline" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><u></u><u></u></span></div></div>
</blockquote></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div></div><p class="MsoNormal" style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:12pt;font-size:12pt;font-family:'Times New Roman',serif">
</p></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<u></u> <u></u></div><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<u></u> <u></u></div></div></div></div><p class="MsoNormal" style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"></p></div></div></div></span></blockquote>
</div><br></div></div></blockquote></div>
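<p>Added example, not part of the original thread and not code from any OpenID Connect implementation: the conversion the thread describes (taking the key a certificate carries and publishing it as a JWK), shown for RSA so the ASN.1 work that a JWK-only client avoids is visible. It parses a DER SubjectPublicKeyInfo and emits the <code>kty</code>/<code>n</code>/<code>e</code> members of RFC 7517/7518, which is an assumption here since the 2012 drafts under discussion may have used other names; the sample key is constructed and not usable.</p>

```python
import base64

# DER tags used by SubjectPublicKeyInfo (RFC 5280) carrying an RSA key (RFC 8017).
SEQUENCE, INTEGER, BIT_STRING, OID = 0x30, 0x02, 0x03, 0x06
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

# Constructed sample: a SubjectPublicKeyInfo with a toy 64-bit modulus.
# It exists only to exercise the parser and is not a usable key.
SAMPLE_SPKI = bytes.fromhex(
    "3024300d06092a864886f70d0101010500"
    "0313003010020900d12f3a4b5c6d7e8f0203010001"
)


def read_tlv(buf, off, expected_tag):
    """Read one DER element at off; return (value_bytes, next_offset)."""
    if off + 2 > len(buf) or buf[off] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {off}")
    length = buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        if count == 0 or count > 4 or off + count > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[off:off + count], "big")
        off += count
    if off + length > len(buf):
        raise ValueError("DER element runs past end of input")
    return buf[off:off + length], off + length


def b64url_uint(value_bytes):
    """Base64url without padding over the minimal big-endian integer octets."""
    stripped = value_bytes.lstrip(b"\x00") or b"\x00"
    return base64.urlsafe_b64encode(stripped).rstrip(b"=").decode("ascii")


def spki_to_jwk(spki_der):
    """Convert an RSA SubjectPublicKeyInfo (DER) into a JWK dict."""
    spki, end = read_tlv(spki_der, 0, SEQUENCE)
    if end != len(spki_der):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    # AlgorithmIdentifier: refuse anything that is not rsaEncryption.
    alg, off = read_tlv(spki, 0, SEQUENCE)
    oid, _ = read_tlv(alg, 0, OID)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    # The key itself is a BIT STRING wrapping RSAPublicKey ::= SEQUENCE {n, e}.
    bits, _ = read_tlv(spki, off, BIT_STRING)
    if not bits or bits[0] != 0:
        raise ValueError("BIT STRING must have zero unused bits")
    rsa_key, _ = read_tlv(bits, 1, SEQUENCE)
    modulus, off = read_tlv(rsa_key, 0, INTEGER)
    exponent, _ = read_tlv(rsa_key, off, INTEGER)
    return {"kty": "RSA", "n": b64url_uint(modulus), "e": b64url_uint(exponent)}


if __name__ == "__main__":
    print(spki_to_jwk(SAMPLE_SPKI))
```

<p>The resulting JWK carries only the key: validity period, issuer and chain from the certificate are dropped, which is the trade-off between raw keys and PKIX processing that the thread debates.</p>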