<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jun 25, 2013 at 10:07 AM, Mike Jones <span dir="ltr"><<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>></span> wrote:<br>


<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">





<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class=""><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">It’s a breaking change because clients currently conforming to Messages that always verify the ID Token signature would break if no signature is contained in
 the ID Token.<u></u><u></u></span></p>
<p class=""><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)"><u></u> </span></p></div></div></blockquote><div><br></div><div>And any such client would already be registered or configured for one of the other algorithms and wouldn't receive a token with the "none" algorithm. That breaking change situation wouldn't occur. <br>


</div><div><br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div link="blue" vlink="purple" lang="EN-US"><div><p class=""><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)"><u></u></span></p>



<p class=""><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">“none” is not a signature algorithm.  JWS and JWA are clear that this results in an unsigned, “plaintext JWS”, and JWT is clear that this results in a “plaintext
 JWT” – not a signed JWT.  Messages requires that ID Tokens be signed.  Sending an unsigned ID Token doesn’t fulfill this requirement.<u></u><u></u></span></p>
<p class=""><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)"> </span> <br></p></div></div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">

<div link="blue" vlink="purple" lang="EN-US"><div><p class=""><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)"><u></u></span></p>
<p class=""><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">This bug is about making the current meaning of the text – that ID Tokens must be signed – even more clear, so that developers who aren’t reading JWS closely
 won’t make the mistake of thinking that just because “none” can be used to create a JWS, that the resulting JWS is signed.  (Apparently you were one such developer – making the need for this clarification all the more evident.
</span><span style="font-size:11pt;color:rgb(31,73,125)">☺</span><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">)<u></u><u></u></span></p>
<p class=""><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)"> </span></p></div></div></blockquote><div><br></div><div>I guess we agree that it's not at all clear as it currently written. Yes "none" is different than the other algorithms but I'd say that line of reasoning is a slippery slope.  Messages 2.1.2.1., for example, says that the ID Token must be signed thereby providing non-repudiation, "ID Tokens MUST be signed using JWS [JWS] and OPTIONALLY both signed and then encrypted using JWS [JWS] and JWE [JWE] respectively, thereby providing authentication, integrity, non-repudiation, and optionally, confidentiality, per Section 9.13."  But the HMAC algorithms aren't signature algorithms either and certainly don't provide non-repudiation. So they shouldn't be acceptable algorithms either, right? <br>

<br>I realize it's probably futile to argue, but what I'm saying is that it is a reasonable thing to use "none" when the token is sent only via the TLS-protected back-channel. And given that I'm "one such developer," I've now got publicly released software that does allow "none" in that situation where it does make sense. <br>

<br></div><div><br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US"><div>
<p class=""><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)"><u></u> <u></u></span></p>
<div>
<div style="border-width:1pt medium medium;border-style:solid none none;border-color:rgb(181,196,223) -moz-use-text-color -moz-use-text-color;padding:3pt 0in 0in">
<p class=""><b><span style="font-size:10pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10pt;font-family:"Tahoma","sans-serif""> Brian Campbell [mailto:<a href="mailto:issues-reply@bitbucket.org" target="_blank">issues-reply@bitbucket.org</a>]
<br>
<b>Sent:</b> Tuesday, June 25, 2013 7:58 AM<br>
<b>To:</b> Mike Jones<br>
<b>Subject:</b> Re: [Bitbucket] Issue #851: Messages 2.1.2.1 - Clarify that "none" is not an acceptable signature algorithm (openid/connect)<u></u><u></u></span></p>
</div>
</div>
<p class=""><u></u> <u></u></p>
<table style="width:100%;border-collapse:collapse" border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody>
<tr>
<td style="background:none repeat scroll 0% 0% whitesmoke;padding:7.5pt 7.5pt 0in">
<table style="width:100%;border-collapse:collapse" border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody>
<tr>
<td style="padding:0in">
<div style="border:1pt solid rgb(204,204,204);padding:15pt;border-radius:5px 5px 5px 5px">
<table style="width:100%;border-collapse:collapse" border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody>
<tr>
<td style="padding:0in">
<table style="width:100%;border-collapse:collapse" border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody>
<tr>
<td style="width:24pt;padding:0in" valign="top" width="40">
<p class=""><span style="font-size:10.5pt;font-family:"Arial","sans-serif""><img src="https://secure.gravatar.com/avatar/367fabfeed0cee640ce963c0f84f2da5?d=https%3A%2F%2Fd3oaxc4q5k2d6q.cloudfront.net%2Fm%2Fa649696e8dec%2Fimg%2Fdefault_avatar%2F32%2Fuser_blue.png&s=32" alt="b_d_c" height="32" width="32"><u></u><u></u></span></p>



</td>
<td style="padding:0in 0in 0in 7.5pt">
<table style="width:100%;border-collapse:collapse" border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody>
<tr>
<td colspan="2" style="padding:0in">
<p class=""><b><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">Brian Campbell</span></b><span style="font-size:10.5pt;font-family:"Arial","sans-serif""> commented on issue #851:
<u></u><u></u></span></p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:3.75pt 0in 0in">
<p class=""><b><span style="font-size:10.5pt;font-family:"Arial","sans-serif""><a href="https://bitbucket.org/openid/connect/issue/851/messages-2121-clarify-that-none-is-not-an" target="_blank"><span style="color:rgb(59,115,175);text-decoration:none">Messages 2.1.2.1 - Clarify
 that "none" is not an acceptable signature algorithm</span></a> <u></u><u></u></span></b></p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:7.5pt 0in 11.25pt">
<p style="margin:0in 0in 0.0001pt"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">I disagree.
<u></u><u></u></span></p>
<p style="margin-right:0in;margin-left:0in;margin-bottom:0.0001pt">
<span style="font-size:10.5pt;font-family:"Arial","sans-serif"">How would that be a breaking change? If a client is currently configured/registered for RS/EC/HS signature, how would allowing none as a different option be a breaking change?
<u></u><u></u></span></p>
<p style="margin-right:0in;margin-left:0in;margin-bottom:0.0001pt">
<span style="font-size:10.5pt;font-family:"Arial","sans-serif"">Our implementation currently does allow none as an option (it will only send such an ID Token via the back-channel). Which is, I'll argue, a perfectly reasonable interpretation of what's been written.
 So explicitly disallowing it is a breaking for us. <u></u><u></u></span></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<p class=""><u></u> <u></u></p>
</div>
</div>

</blockquote></div><br></div></div>
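<p>As an added example (not code from this thread, nor from the implementation Brian mentions), the following Python, using only the standard library, shows the distinction the two messages argue over: a plaintext JWS with <code>"alg":"none"</code> has an empty signature segment and nothing to verify, and a client that pins the algorithm it was registered for rejects such a token, while one that lets the token header choose the algorithm does not. It also illustrates the non-repudiation point about HMAC: with HS256 the RP holds the same client_secret as the OP and can mint a token the verifier cannot tell from the OP's. The claims, the secret and all function names below are constructed for the example.</p>

```python
# Added example, not code from this thread or from any implementation it
# mentions. The secret, claims and function names are constructed here.
import base64
import hashlib
import hmac
import json


class InvalidToken(Exception):
    pass


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def make_jwt(claims, alg, key=None):
    """Build a compact JWS. With alg "none" the result is a plaintext JWS:
    three segments, the third (signature) zero-length, so there is nothing
    to verify. HS256 is the only signed variant implemented here."""
    signing_input = _segment({"alg": alg, "typ": "JWT"}) + "." + _segment(claims)
    if alg == "none":
        return signing_input + "."
    if alg == "HS256":
        mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(mac)
    raise ValueError("unsupported alg: %r" % alg)


def verify_id_token(token, registered_alg, key=None):
    """Verify against the algorithm the client was registered for.

    The token header is compared with the registration, never used to pick
    the verification method, so a client registered for HS256 rejects an
    unsigned token even though "none" is a legal JWS header value."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("compact JWS needs three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != registered_alg:
        raise InvalidToken("alg %r does not match registered %r"
                           % (header.get("alg"), registered_alg))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    if registered_alg == "HS256":
        if key is None:
            raise InvalidToken("no key for HS256")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise InvalidToken("HMAC mismatch")
    elif registered_alg == "none":
        # Only reachable when the client explicitly registered for "none".
        # The caller must separately ensure the token came straight from the
        # OP over the TLS back-channel, since the token itself proves nothing.
        if sig_b64 != "":
            raise InvalidToken("plaintext JWS must have an empty signature segment")
    else:
        raise InvalidToken("unsupported alg: %r" % registered_alg)
    return json.loads(b64url_decode(payload_b64))


def header_trusting_verify(token, key=None):
    """The mistake a client must not make: letting the token choose the
    algorithm. Whoever can hand this client a token can set "alg":"none"
    and skip verification entirely."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    return verify_id_token(token, header["alg"], key)


def rejected(token, registered_alg, key=None):
    """True if the pinned verifier refuses the token."""
    try:
        verify_id_token(token, registered_alg, key)
    except InvalidToken:
        return True
    return False


def tamper(token, new_claims):
    """Swap the payload of an existing token, keeping its signature."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _segment(new_claims) + "." + sig_b64


def rp_can_mint_indistinguishable_token(client_secret, claims):
    """HMAC gives integrity but not non-repudiation: the RP shares the
    client_secret, so a token it mints verifies exactly like the OP's."""
    forged_by_rp = make_jwt(claims, "HS256", client_secret)
    return verify_id_token(forged_by_rp, "HS256", client_secret) == claims


if __name__ == "__main__":
    secret = b"client-secret-constructed-for-the-example"
    claims = {"iss": "https://op.example", "sub": "alice", "aud": "client-1"}
    unsigned, signed = make_jwt(claims, "none"), make_jwt(claims, "HS256", secret)
    print("plaintext JWS:", unsigned)
    print("pinned HS256 client rejects it:", rejected(unsigned, "HS256", secret))
    print("header-trusting client accepts it:", header_trusting_verify(unsigned, secret) == claims)
    print("RP can mint OP-indistinguishable HS256 token:",
          rp_can_mint_indistinguishable_token(secret, claims))
```

<p>The pinned verifier is the check the thread's first reply relies on: a client registered for RS/EC/HS never sees <code>registered_alg == "none"</code>, so a plaintext JWS fails the algorithm comparison before any signature logic runs. Registering a client for "none" is a deliberate configuration choice, and the verifier cannot by itself confirm the token arrived over the back-channel; that is the caller's responsibility.</p>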