<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<base href="x-msg://951/"><style><!--
/* Font Definitions */
@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
tt
        {mso-style-priority:99;
        font-family:"Courier New";}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Good catch on the parameter names – thanks.  I’ll fix this now.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">                                                            -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> John Bradley [mailto:ve7jtb@ve7jtb.com]
<br>
<b>Sent:</b> Wednesday, January 23, 2013 4:52 AM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> openid-specs-ab@lists.openid.net<br>
<b>Subject:</b> Re: [Openid-specs-ab] Self-issued "sub" claim value ambiguity<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">To be consistent with JWK it should be the concatenation of the base64url encoded values.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">It is probably worth mapping it to the JWK values like mod = n, exp = e; we use them for EC.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On 2013-01-23, at 5:07 AM, Mike Jones &lt;<a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>&gt; wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a href="http://openid.net/specs/openid-connect-standard-1_0.html#self_issued.validation"><span style="color:purple">Standard 5.5</span></a>, list item 5 says:<o:p></o:p></span></p>
</div>
<div style="margin-left:.5in">
<p class="MsoNormal"><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif"">The Client MUST validate that the<span class="apple-converted-space"> </span></span><tt><span lang="EN" style="color:#003366">sub</span></tt><span class="apple-converted-space"><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif""> </span></span><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif"">(subject)
 value is the base64url encoded SHA-256 hash of the concatenation of the key values in the<span class="apple-converted-space"> </span></span><tt><span lang="EN" style="color:#003366">user_jwk</span></tt><span class="apple-converted-space"><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif""> </span></span><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif"">claim.
 When the<span class="apple-converted-space"> </span></span><tt><span lang="EN" style="color:#003366">alg</span></tt><span class="apple-converted-space"><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif""> </span></span><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif"">value
 is<span class="apple-converted-space"> </span></span><tt><span lang="EN" style="color:#003366">RS256</span></tt><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif"">, the key values<span class="apple-converted-space"> </span></span><tt><span lang="EN" style="color:#003366">mod</span></tt><span class="apple-converted-space"><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif""> </span></span><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif"">and<span class="apple-converted-space"> </span></span><tt><span lang="EN" style="color:#003366">exp</span></tt><span class="apple-converted-space"><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif""> </span></span><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif"">are
 concatenated in that order. When the<span class="apple-converted-space"> </span></span><tt><span lang="EN" style="color:#003366">alg</span></tt><span class="apple-converted-space"><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif""> </span></span><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif"">value
 is<span class="apple-converted-space"> </span></span><tt><span lang="EN" style="color:#003366">ES256</span></tt><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif"">, the key values<span class="apple-converted-space"> </span></span><tt><span lang="EN" style="color:#003366">crv</span></tt><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif"">,<span class="apple-converted-space"> </span></span><tt><span lang="EN" style="color:#003366">x</span></tt><span class="apple-converted-space"><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif""> </span></span><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif"">and<span class="apple-converted-space"> </span></span><tt><span lang="EN" style="color:#003366">y</span></tt><span class="apple-converted-space"><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif""> </span></span><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif"">are
 concatenated in that order.</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">This language leaves it ambiguous whether the concatenated key values in Standard 5.5 are supposed to be the base64url encoded values or the raw key bytes.  Following the precedents
 in the JOSE specs, I assume that we would concatenate the base64url encoded values.  Unless I hear objections, I’ll clarify the specs to say that.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">                                                            Thanks,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">                                                            -- Mike<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
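<p class="MsoNormal">The ambiguity discussed in this thread, as an added example that is not part of the original messages or of the OpenID Connect specification: the two readings of "concatenation of the key values" yield different <tt>sub</tt> values for the same key, so a Client and a self-issued provider that pick different readings never interoperate. Assumptions: JWK member names <tt>n</tt>/<tt>e</tt> stand in for the draft's <tt>mod</tt>/<tt>exp</tt>, base64url is unpadded, <tt>crv</tt> is hashed as its ASCII name under the raw reading, and the sample key is constructed.</p>

```python
import base64
import hashlib
import hmac

# Key members hashed per "alg", in the order the quoted spec text gives.
# Assumption: JWK names n/e stand for the draft's mod/exp.
KEY_MEMBERS = {"RS256": ("n", "e"), "ES256": ("crv", "x", "y")}


def b64url(data: bytes) -> str:
    """base64url without padding, the JOSE convention (assumed here)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sub_from_encoded(alg: str, jwk: dict) -> str:
    """Reading A: hash the concatenated base64url strings as they appear in the JWK."""
    joined = "".join(jwk[name] for name in KEY_MEMBERS[alg])
    return b64url(hashlib.sha256(joined.encode("ascii")).digest())


def sub_from_raw(alg: str, jwk: dict) -> str:
    """Reading B: hash the decoded key bytes ("crv" kept as ASCII, an assumption)."""
    raw = b"".join(
        jwk[name].encode("ascii") if name == "crv" else b64url_decode(jwk[name])
        for name in KEY_MEMBERS[alg]
    )
    return b64url(hashlib.sha256(raw).digest())


def validate_sub(sub: str, alg: str, user_jwk: dict) -> bool:
    """Client check under reading A; an unknown alg or a missing member fails."""
    if alg not in KEY_MEMBERS or any(m not in user_jwk for m in KEY_MEMBERS[alg]):
        return False
    expected = sub_from_encoded(alg, user_jwk)
    return hmac.compare_digest(sub.encode("utf-8"), expected.encode("ascii"))


# Constructed sample key (not a real RSA modulus): 32 arbitrary bytes, e = 65537.
SAMPLE_JWK = {"kty": "RSA", "n": b64url(bytes(range(1, 33))), "e": b64url(b"\x01\x00\x01")}

if __name__ == "__main__":
    for reading in (sub_from_encoded, sub_from_raw):
        print(reading.__name__, reading("RS256", SAMPLE_JWK))
```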
</body>
</html>