<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Helvetica, Arial, sans-serif">Thanks for the
      clarifications! What about combining what John and Mike said into
      something like...<br>
      <br>
      ID Tokens containing an 'azp' value SHOULD be signed with an
      asymmetric key. The verification steps for ID Tokens signed with a
      MAC based algorithm containing either multiple 'aud' values and/or
      an 'azp' value are unspecified and out-of-scope for this document.<br>
      <br>
      Thanks,<br>
      George<br>
      <br>
    </font>
    <div class="moz-cite-prefix">On 10/28/13 2:33 PM, John Bradley
      wrote:<br>
    </div>
    <blockquote
      cite="mid:C3237203-5D70-462C-94DC-4621B081D332@ve7jtb.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      I think the point of signing is so that the audience can verify
      it.  In the case that the azp is different from the audience, the
      token should be treated as opaque to the azp party.
      <div>I appreciate that clients may do content sniffing as they do
        in SAML in some cases.</div>
      <div><br>
      </div>
      <div>In general it is best for the AS to use an asymmetric
        signature all the time to get around these issues.</div>
      <div><br>
      </div>
      <div>The simple rule for symmetric keys is you use the one shared
        with the audience,  the use of azp should not impact that.  </div>
      <div>If that is too confusing I am OK with saying tokens containing
        azp MUST be signed with an asymmetric key and forget this corner
        case.</div>
      <div><br>
      </div>
      <div>I don't consider a token with azp one that necessarily has
        multiple audiences.  It is possible to have two or more
        audiences where one is also the azp, that definitely needs
        asymmetric signing.</div>
      <div><br>
      </div>
      <div>John B.</div>
      <div><br>
      </div>
      <div>
        <div>
          <div>On Oct 25, 2013, at 6:04 PM, Mike Jones <<a
              moz-do-not-send="true"
              href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>>
            wrote:</div>
          <br class="Apple-interchange-newline">
          <blockquote type="cite">
            <div link="blue" vlink="purple" style="font-family:
              Helvetica; font-size: 12px; font-style: normal;
              font-variant: normal; font-weight: normal; letter-spacing:
              normal; line-height: normal; orphans: auto; text-align:
              start; text-indent: 0px; text-transform: none;
              white-space: normal; widows: auto; word-spacing: 0px;
              -webkit-text-stroke-width: 0px;" lang="EN-US">
              <div class="WordSection1" style="page: WordSection1;">
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;"><span style="color:
                    rgb(31, 73, 125);">John, your reply didn’t answer
                    the question about which Client ID would be used if
                    the “aud” and “azp” values refer to different
                    parties.  I could see arguments for either.<o:p></o:p></span></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;"><span style="color:
                    rgb(31, 73, 125);"> </span></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;"><span style="color:
                    rgb(31, 73, 125);">Partly for that reason, I’m prone
                    to have us say that the behavior is unspecified if a
                    MAC algorithm is used and the “aud” is multi-valued
                    or if an “azp” value is present that is different
                    than the “aud” value.<o:p></o:p></span></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;"><span style="color:
                    rgb(31, 73, 125);"> </span></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;"><span style="color:
                    rgb(31, 73, 125);">That would leave the door open to
                    specify it later, but avoids us making important
                    decisions about use cases we have no experience with
                    now.<o:p></o:p></span></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;"><span style="color:
                    rgb(31, 73, 125);"> </span></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;"><span style="color:
                    rgb(31, 73, 125);">                                                               
                    -- Mike<o:p></o:p></span></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;"><span style="color:
                    rgb(31, 73, 125);"> </span></div>
                <div>
                  <div style="border-style: solid none none;
                    border-top-color: rgb(181, 196, 223);
                    border-top-width: 1pt; padding: 3pt 0in 0in;">
                    <div style="margin: 0in 0in 0.0001pt; font-size:
                      11pt; font-family: Calibri, sans-serif;"><b><span
                          style="font-size: 10pt; font-family: Tahoma,
                          sans-serif;">From:</span></b><span
                        style="font-size: 10pt; font-family: Tahoma,
                        sans-serif;"><span class="Apple-converted-space"> </span>Torsten
                        Lodderstedt [<a moz-do-not-send="true"
                          href="mailto:torsten@lodderstedt.net">mailto:torsten@lodderstedt.net</a>]<span
                          class="Apple-converted-space"> </span><br>
                        <b>Sent:</b><span class="Apple-converted-space"> </span>Friday,
                        October 25, 2013 1:59 PM<br>
                        <b>To:</b><span class="Apple-converted-space"> </span>John
                        Bradley<br>
                        <b>Cc:</b><span class="Apple-converted-space"> </span>Mike
                        Jones; <a moz-do-not-send="true"
                          href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
                        <b>Subject:</b><span
                          class="Apple-converted-space"> </span>Re:
                        [Openid-specs-ab] Questions about multiple
                        audiences for ID Tokens using MAC algorithms<o:p></o:p></span></div>
                  </div>
                </div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;"><o:p> </o:p></div>
                <div>
                  <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                    font-family: Calibri, sans-serif;"><o:p> </o:p></div>
                </div>
                <div>
                  <p class="MsoNormal" style="margin: 0in 0in 12pt;
                    font-size: 11pt; font-family: Calibri, sans-serif;"><br>
                    On 25.10.2013 at 21:40 John Bradley <<a
                      moz-do-not-send="true"
                      href="mailto:ve7jtb@ve7jtb.com" style="color:
                      purple; text-decoration: underline;">ve7jtb@ve7jtb.com</a>> wrote:<o:p></o:p></p>
                </div>
                <blockquote style="margin-top: 5pt; margin-bottom: 5pt;">
                  <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                    font-family: Calibri, sans-serif;">A token with a
                    single audience that is different from the AZP is
                    fine to integrity protect with mac as long as there
                    the AZP is not expected to validate the token.  <o:p></o:p></div>
                </blockquote>
                <div>
                  <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                    font-family: Calibri, sans-serif;"><o:p> </o:p></div>
                </div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;">I think this is
                  only possible for id tokens issued via code grant
                  type, right?<o:p></o:p></div>
                <div>
                  <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                    font-family: Calibri, sans-serif;"><br>
                    <br>
                    <o:p></o:p></div>
                  <div>
                    <div>
                      <div style="margin: 0in 0in 0.0001pt; font-size:
                        11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div>
                    </div>
                    <div>
                      <div style="margin: 0in 0in 0.0001pt; font-size:
                        11pt; font-family: Calibri, sans-serif;">I
                        personally think symmetric key management argues
                        that it is not scalable.  However we should not
                        preclude that use.   <br>
                        <br>
                        Sent from my iPhone<o:p></o:p></div>
                    </div>
                    <div>
                      <p class="MsoNormal" style="margin: 0in 0in 12pt;
                        font-size: 11pt; font-family: Calibri,
                        sans-serif;"><br>
                        On Oct 24, 2013, at 10:32 PM, Torsten
                        Lodderstedt <<a moz-do-not-send="true"
                          href="mailto:torsten@lodderstedt.net"
                          style="color: purple; text-decoration:
                          underline;">torsten@lodderstedt.net</a>>
                        wrote:<o:p></o:p></p>
                    </div>
                    <blockquote style="margin-top: 5pt; margin-bottom:
                      5pt;">
                      <p class="MsoNormal" style="margin: 0in 0in 12pt;
                        font-size: 11pt; font-family: Calibri,
                        sans-serif;"><span style="font-size: 12pt;
                          font-family: 'Times New Roman', serif;">Hi
                          all,<br>
                          <br>
                          MAC as symmetric alg only makes sense (from a
                          security perspective) for two parties. I
                          consider sharing a symmetric key among more
                          than two parties a bad design. So in my
                          opinion this restriction makes sense.<span
                            class="Apple-converted-space"> </span><br>
                          <br>
                          Wrt 5. Yes, we should tighten it.<br>
                          <br>
                          Regards,<br>
                          Torsten.<o:p></o:p></span></p>
                      <div>
                        <div style="margin: 0in 0in 0.0001pt; font-size:
                          11pt; font-family: Calibri, sans-serif;"><span
                            style="font-size: 12pt; font-family: 'Times
                            New Roman', serif;"><br>
                            <br>
                            Mike Jones <<a moz-do-not-send="true"
                              href="mailto:Michael.Jones@microsoft.com"
                              style="color: purple; text-decoration:
                              underline;">Michael.Jones@microsoft.com</a>>
                            wrote:<o:p></o:p></span></div>
                        <div style="margin: 0in 0in 0.0001pt; font-size:
                          11pt; font-family: Calibri, sans-serif;"><a
                            moz-do-not-send="true"
href="http://openid.bitbucket.org/openid-connect-core-1_0.html#IDTokenValidation"
                            style="color: purple; text-decoration:
                            underline;">http://openid.bitbucket.org/openid-connect-core-1_0.html#IDTokenValidation</a>contains
                          this text that George asked about in his
                          review:<o:p></o:p></div>
                        <div style="margin: 0in 0in 0.0001pt 0.5in;
                          font-size: 11pt; font-family: Calibri,
                          sans-serif;"><span style="font-size: 10pt;
                            font-family: Verdana, sans-serif;" lang="EN">7. 
                            If the<span class="Apple-converted-space"> </span></span><tt
                            style="font-family: 'Courier New'; color:
                            rgb(0, 51, 102);"><span style="font-size:
                              10pt;" lang="EN">alg</span></tt><span
                            style="font-size: 10pt; font-family:
                            Verdana, sans-serif;" lang="EN"><span
                              class="Apple-converted-space"> </span>parameter
                            of the JWT header is a MAC based algorithm
                            such as<span class="Apple-converted-space"> </span></span><tt
                            style="font-family: 'Courier New'; color:
                            rgb(0, 51, 102);"><span style="font-size:
                              10pt;" lang="EN">HS256</span></tt><span
                            style="font-size: 10pt; font-family:
                            Verdana, sans-serif;" lang="EN">,<span
                              class="Apple-converted-space"> </span></span><tt
                            style="font-family: 'Courier New'; color:
                            rgb(0, 51, 102);"><span style="font-size:
                              10pt;" lang="EN">HS384</span></tt><span
                            style="font-size: 10pt; font-family:
                            Verdana, sans-serif;" lang="EN">, or<span
                              class="Apple-converted-space"> </span></span><tt
                            style="font-family: 'Courier New'; color:
                            rgb(0, 51, 102);"><span style="font-size:
                              10pt;" lang="EN">HS512</span></tt><span
                            style="font-size: 10pt; font-family:
                            Verdana, sans-serif;" lang="EN">, the octets
                            of the UTF-8 representation of the<span
                              class="Apple-converted-space"> </span></span><tt
                            style="font-family: 'Courier New'; color:
                            rgb(0, 51, 102);"><span style="font-size:
                              10pt;" lang="EN">client_secret</span></tt><span
                            style="font-size: 10pt; font-family:
                            Verdana, sans-serif;" lang="EN"><span
                              class="Apple-converted-space"> </span>corresponding
                            to the<span class="Apple-converted-space"> </span></span><tt
                            style="font-family: 'Courier New'; color:
                            rgb(0, 51, 102);"><span style="font-size:
                              10pt;" lang="EN">client_id</span></tt><span
                            style="font-size: 10pt; font-family:
                            Verdana, sans-serif;" lang="EN"><span
                              class="Apple-converted-space"> </span>contained
                            in the</span><tt style="font-family:
                            'Courier New'; color: rgb(0, 51, 102);"><span
                              style="font-size: 10pt;" lang="EN">aud</span></tt><span
                            style="font-size: 10pt; font-family:
                            Verdana, sans-serif;" lang="EN"><span
                              class="Apple-converted-space"> </span>(audience)
                            Claim are used as the key to validate the
                            signature. <span style="background-color:
                              yellow; background-position: initial
                              initial; background-repeat: initial
                              initial;">Multiple audiences are not
                              supported for MAC based algorithms.</span></span><o:p></o:p></div>
                        <p style="margin-right: 0in; margin-left: 0in;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif;"> <o:p></o:p></p>
                        <div style="margin: 0in 0in 0.0001pt; font-size:
                          11pt; font-family: Calibri, sans-serif;">George
                          wrote:<o:p></o:p></div>
                        <div style="margin: 0in 0in 0.0001pt 0.5in;
                          font-size: 11pt; font-family: Calibri,
                          sans-serif;">“Why not? Wouldn't the secret
                          associated with the azp work for the client to
                          validate the id_token?  If we want
                          interoperability across the use of audience
                          and azp we are going to need to describe how
                          it works in an extension document. It is not
                          clear from this spec how it is to work and I
                          was on most of the calls:)”<o:p></o:p></div>
                        <p style="margin-right: 0in; margin-left: 0in;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif;"> <o:p></o:p></p>
                        <div style="margin: 0in 0in 0.0001pt; font-size:
                          11pt; font-family: Calibri, sans-serif;">These
                          questions arise:<o:p></o:p></div>
                        <div style="margin: 0in 0in 0.0001pt 0.5in;
                          font-size: 11pt; font-family: Calibri,
                          sans-serif; text-indent: -0.25in;"><span>1.<span
                              style="font-style: normal; font-variant:
                              normal; font-weight: normal; font-size:
                              7pt; line-height: normal; font-family:
                              'Times New Roman';">      <span
                                class="Apple-converted-space"> </span></span></span>Does
                          anyone remember the history behind the
                          highlighted sentence?  I’m pretty sure that
                          this was written before we had an “azp” claim.<o:p></o:p></div>
                        <div style="margin: 0in 0in 0.0001pt 0.5in;
                          font-size: 11pt; font-family: Calibri,
                          sans-serif; text-indent: -0.25in;"><span>2.<span
                              style="font-style: normal; font-variant:
                              normal; font-weight: normal; font-size:
                              7pt; line-height: normal; font-family:
                              'Times New Roman';">      <span
                                class="Apple-converted-space"> </span></span></span>If
                          there’s an “azp” claim and an “aud” claim and
                          the values are different, which Client Secret
                          would be the right one to use as the key
                          value?  (George seems to be suggesting that
                          it’s the one associated with the Client ID in
                          the “azp” value.)<o:p></o:p></div>
                        <div style="margin: 0in 0in 0.0001pt 0.5in;
                          font-size: 11pt; font-family: Calibri,
                          sans-serif; text-indent: -0.25in;"><span>3.<span
                              style="font-style: normal; font-variant:
                              normal; font-weight: normal; font-size:
                              7pt; line-height: normal; font-family:
                              'Times New Roman';">      <span
                                class="Apple-converted-space"> </span></span></span>If
                          we did want to relax the restriction
                          prohibiting multiple audiences, which value
                          would be used for the key?  And would all the
                           parties that need to validate the ID Token
                          signature actually have access to this value?<o:p></o:p></div>
                        <div style="margin: 0in 0in 0.0001pt 0.5in;
                          font-size: 11pt; font-family: Calibri,
                          sans-serif; text-indent: -0.25in;"><span>4.<span
                              style="font-style: normal; font-variant:
                              normal; font-weight: normal; font-size:
                              7pt; line-height: normal; font-family:
                              'Times New Roman';">      <span
                                class="Apple-converted-space"> </span></span></span>Or
                          should we leave the text above as-is for now,
                          and deal with this case as an extension later,
                          if a need for it ever comes up?<o:p></o:p></div>
                        <div style="margin: 0in 0in 0.0001pt 0.5in;
                          font-size: 11pt; font-family: Calibri,
                          sans-serif; text-indent: -0.25in;"><span>5.<span
                              style="font-style: normal; font-variant:
                              normal; font-weight: normal; font-size:
                              7pt; line-height: normal; font-family:
                              'Times New Roman';">      <span
                                class="Apple-converted-space"> </span></span></span>If
                          we’re not defining how multi-valued audiences
                          would work with MAC signatures for now, should
                           we also tighten this by requiring that any
                           “azp” value that is included have the same
                          value as the single-valued audience value?<o:p></o:p></div>
                        <p style="margin-right: 0in; margin-left: 0in;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif;"> <o:p></o:p></p>
                        <div style="margin: 0in 0in 0.0001pt; font-size:
                          11pt; font-family: Calibri, sans-serif;">                                                           
                          -- Mike<o:p></o:p></div>
                        <p style="margin-right: 0in; margin-left: 0in;
                          font-size: 12pt; font-family: 'Times New
                          Roman', serif;"> <o:p></o:p></p>
                        <pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New'; text-align: center;"><hr size="2" width="100%" align="center"></pre>
                        <pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';">
Openid-specs-ab mailing list
<a moz-do-not-send="true" href="mailto:Openid-specs-ab@lists.openid.net" style="color: purple; text-decoration: underline;">Openid-specs-ab@lists.openid.net</a>
<a moz-do-not-send="true" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" style="color: purple; text-decoration: underline;">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></pre>
                      </div>
                    </blockquote>
                  </div>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
    <div class="moz-signature">-- <br>
      <a href="http://connect.me/gffletch" title="View full card on
        Connect.Me"><img src="cid:part12.08070007.02000203@aol.com"
          alt="George Fletcher" height="113" width="359"></a></div>
  </body>
</html>