<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
tt
{mso-style-priority:99;
font-family:"Courier New";
color:#003366;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">FYI, so that the specs aren’t ambiguous, I’ve changed the text “the concatenation of the key values” to “the concatenation of the bytes of the UTF-8 representations of the base64url encoded key values”. This
could be changed if the working group prefers concatenating the key bytes (which would require base64url decoding the JWK values).
</span><span style="color:red">People who have implemented self-issued code, please comment!</span><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> openid-specs-ab-bounces@lists.openid.net [mailto:openid-specs-ab-bounces@lists.openid.net]
<b>On Behalf Of </b>Mike Jones<br>
<b>Sent:</b> Tuesday, January 22, 2013 9:07 PM<br>
<b>To:</b> openid-specs-ab@lists.openid.net<br>
<b>Subject:</b> [Openid-specs-ab] Self-issued "sub" claim value ambiguity<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><a href="http://openid.net/specs/openid-connect-standard-1_0.html#self_issued.validation">Standard 5.5</a>, list item 5 says:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN" style="font-family:"Verdana","sans-serif";color:black">The Client MUST validate that the
</span><tt><span lang="EN" style="font-size:12.0pt">sub</span></tt><span lang="EN" style="font-family:"Verdana","sans-serif";color:black"> (subject) value is the base64url encoded SHA-256 hash of the concatenation of the key values in the
</span><tt><span lang="EN" style="font-size:12.0pt">user_jwk</span></tt><span lang="EN" style="font-family:"Verdana","sans-serif";color:black"> claim. When the
</span><tt><span lang="EN" style="font-size:12.0pt">alg</span></tt><span lang="EN" style="font-family:"Verdana","sans-serif";color:black"> value is
</span><tt><span lang="EN" style="font-size:12.0pt">RS256</span></tt><span lang="EN" style="font-family:"Verdana","sans-serif";color:black">, the key values
</span><tt><span lang="EN" style="font-size:12.0pt">mod</span></tt><span lang="EN" style="font-family:"Verdana","sans-serif";color:black"> and
</span><tt><span lang="EN" style="font-size:12.0pt">exp</span></tt><span lang="EN" style="font-family:"Verdana","sans-serif";color:black"> are concatenated in that order. When the
</span><tt><span lang="EN" style="font-size:12.0pt">alg</span></tt><span lang="EN" style="font-family:"Verdana","sans-serif";color:black"> value is
</span><tt><span lang="EN" style="font-size:12.0pt">ES256</span></tt><span lang="EN" style="font-family:"Verdana","sans-serif";color:black">, the key values
</span><tt><span lang="EN" style="font-size:12.0pt">crv</span></tt><span lang="EN" style="font-family:"Verdana","sans-serif";color:black">,
</span><tt><span lang="EN" style="font-size:12.0pt">x</span></tt><span lang="EN" style="font-family:"Verdana","sans-serif";color:black"> and
</span><tt><span lang="EN" style="font-size:12.0pt">y</span></tt><span lang="EN" style="font-family:"Verdana","sans-serif";color:black"> are concatenated in that order.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This language leaves it ambiguous whether the concatenated key values in Standard 5.5 are supposed to be the base64url encoded values or the raw key bytes. Following the precedents in the JOSE specs, I assume that we would concatenate the
base64url encoded values. Unless I hear objections, I’ll clarify the specs to say that.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> Thanks,<o:p></o:p></p>
<p class="MsoNormal"> -- Mike<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
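<p class="MsoNormal">The two readings of Standard 5.5 item 5 side by side, as an added Python example that is not part of this thread or of any OpenID implementation. It computes the self-issued <tt>sub</tt> value under the clarified wording (SHA-256 over the UTF-8 bytes of the base64url encoded key values, concatenated in order) and under the alternative wording (base64url decode first, then concatenate the raw key bytes), and shows that a Client validating under one reading rejects a <tt>sub</tt> produced under the other. Assumptions: the JWK member names <tt>mod</tt> and <tt>exp</tt> are taken from the quoted draft text (the final JWK spec renamed them <tt>n</tt> and <tt>e</tt>); under the raw-bytes reading, <tt>crv</tt> is a curve name rather than base64url data, so the example hashes its UTF-8 text, which is a choice the draft does not make; and the key values are constructed placeholders, not real key material.</p>

```python
import base64
import hashlib
import hmac


def b64url_encode(data):
    """base64url without padding, as used for JWK values and the sub claim."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Inverse of b64url_encode; restores the padding Python's decoder expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_values_in_order(alg, jwk):
    """The (name, value) pairs Standard 5.5 item 5 concatenates, in order:
    mod, exp for RS256; crv, x, y for ES256 (member names as in the quoted draft)."""
    if alg == "RS256":
        names = ("mod", "exp")
    elif alg == "ES256":
        names = ("crv", "x", "y")
    else:
        raise ValueError("self-issued sub is only defined for RS256 and ES256")
    return [(name, jwk[name]) for name in names]


def hash_input_encoded(alg, jwk):
    """Reading 1 (the clarified text): concatenate the base64url encoded
    values themselves and hash their UTF-8 bytes."""
    return "".join(value for _, value in key_values_in_order(alg, jwk)).encode("utf-8")


def hash_input_raw(alg, jwk):
    """Reading 2 (the alternative): base64url decode each value and concatenate
    the raw key bytes. Assumption: crv is a curve name, not base64url data,
    so it is taken as UTF-8 text."""
    parts = []
    for name, value in key_values_in_order(alg, jwk):
        parts.append(value.encode("utf-8") if name == "crv" else b64url_decode(value))
    return b"".join(parts)


def compute_sub(alg, jwk, raw_bytes=False):
    """base64url encoded SHA-256 of the chosen concatenation."""
    data = hash_input_raw(alg, jwk) if raw_bytes else hash_input_encoded(alg, jwk)
    return b64url_encode(hashlib.sha256(data).digest())


def validate_sub(alg, jwk, sub):
    """The Client-side check from Standard 5.5 item 5 under reading 1.
    Constant-time comparison so the check itself is not a timing oracle."""
    return hmac.compare_digest(compute_sub(alg, jwk), sub)


# Constructed sample keys (placeholder bytes, not real key material, not from the thread).
SAMPLE_RSA_JWK = {
    "mod": b64url_encode(bytes(range(1, 65))),  # 64 constructed "modulus" bytes
    "exp": "AQAB",                               # 65537
}
SAMPLE_EC_JWK = {
    "crv": "P-256",
    "x": b64url_encode(bytes(range(101, 133))),  # 32 constructed bytes
    "y": b64url_encode(bytes(range(201, 233))),  # 32 constructed bytes
}

if __name__ == "__main__":
    for alg, jwk in (("RS256", SAMPLE_RSA_JWK), ("ES256", SAMPLE_EC_JWK)):
        print(alg, "encoded-values reading:", compute_sub(alg, jwk))
        print(alg, "raw-bytes reading:     ", compute_sub(alg, jwk, raw_bytes=True))
        print(alg, "cross-reading validation:",
              validate_sub(alg, jwk, compute_sub(alg, jwk, raw_bytes=True)))
```

<p class="MsoNormal">Running it prints a different <tt>sub</tt> for each reading of the same key, and the cross-reading validation is <tt>False</tt> in both cases, which is the interoperability failure the clarified wording is meant to rule out.</p>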
</div>
</body>
</html>