<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>I think it is attempting to refer to the assertion profile for the token endpoint. It is non normative and probably adds more to confusion. </div><div><br></div><div>Leaving it out is fine. <br><br>Sent from my iPhone</div><div><br>On Oct 11, 2013, at 12:21 AM, Mike Jones &lt;<a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>&gt; wrote:<br><br></div><blockquote type="cite"><div>
<div class="WordSection1">
<p class="MsoNormal"><a href="http://openid.net/specs/openid-connect-core-1_0-12.html#sigenc">http://openid.net/specs/openid-connect-core-1_0-12.html#sigenc</a> says:</p>
<p class="MsoNormal">&nbsp;</p>
<p><span lang="EN" style="font-family:'Verdana','sans-serif';color:black">Depending on the transport through which the messages are sent, the integrity of the message might not be guaranteed and the originator of the message might not be authenticated. To mitigate these risks, Request Object, <span style="background:yellow;mso-highlight:yellow">Token Request</span>, ID Token, and UserInfo Response values MAY utilize [JWS] to sign the contents.</span></p>
<p><span lang="EN" style="font-family:'Verdana','sans-serif';color:black">To achieve message confidentiality, Request Object, <span style="background:yellow;mso-highlight:yellow">Token Request</span>, ID Token, and UserInfo Response values MAY use [JWE] to encrypt the content.</span></p>
<p class="MsoNormal">A Token Request, used other places in the spec, just refers to a request made to the Token Endpoint – which I know of no way to sign or encrypt. We do say how you can sign a JWT used with the private_key_jwt client authentication method, but that’s about as close to a match as I could come up with.</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">Should I just delete these odd uses of Token Request, or does someone want to supply alternative wording that makes sense?</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">Thanks,</p>
<p class="MsoNormal">-- Mike</p>
<p class="MsoNormal">&nbsp;</p>
</div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Openid-specs-ab mailing list</span><br><span><a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a></span><br><span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></span><br></div></blockquote></body></html>