<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Helvetica, Arial, sans-serif">So here is another
      possible situation...<br>
      <br>
      App 1 registers with sector_identifier_url
      <a class="moz-txt-link-freetext" href="https://example.com/common_aps">https://example.com/common_aps</a> and that URL contains a single
      redirect_uri for app 1 (app1://my_app). Then App 2 comes along and
      registers the same sector_identifier_uri and because the company
      decided to sunset App 1 removes it from the JSON array and adds in
      app2://my_app.<br>
      <br>
      Should the OP no longer assign pair-wise psuedonymous identifers
      based on the sector_identifier_uri for App 1 (probably still some
      people out there using it)? Or is the guidance to determine if the
      registering app's redirect_uris are present in the
      sector_identifier_uri file and if so, permanently assign that
      sector_identifier_uri to the client_id and it can't be changed.
      Though that might be difficult if via the registration spec I can
      update parts of my registration config.<br>
      <br>
      Maybe some guidance around the impacts of changing a
      sector_identifier_uri on users would be worth whille?<br>
      <br>
      Thanks,<br>
      George<br>
      <br>
    </font>
    <div class="moz-cite-prefix">On 10/31/13 10:16 AM, Justin Richer
      wrote:<br>
    </div>
    <blockquote cite="mid:52726641.4060204@mitre.org" type="cite">
      <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
      How about language that says the sector identifier would be pulled
      down at registration and heavily cached.<br>
      <br>
       -- Justin<br>
      <br>
      <br>
      <div class="moz-cite-prefix">On 10/29/2013 08:59 PM, Mike Jones
        wrote:<br>
      </div>
      <blockquote
cite="mid:4E1F6AAD24975D4BA5B168042967394377E2CFFA@TK5EX14MBXC288.redmond.corp.microsoft.com"
        type="cite">
        <meta http-equiv="Content-Type" content="text/html;
          charset=UTF-8">
        <meta name="Generator" content="Microsoft Word 14 (filtered
          medium)">
        <style><!--
/* Font Definitions */
@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
        <div class="WordSection1">
          <p class="MsoNormal">In his review of Registration, George
            wrote the following about <a moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-registration-1_0-20.html#SectorIdentifierValidation">http://openid.net/specs/openid-connect-registration-1_0-20.html#SectorIdentifierValidation</a>:<o:p></o:p></p>
          <p class="MsoNormal"
            style="margin-left:.5in;text-autospace:none"><span
              style="font-family:"Helvetica","sans-serif"">It

              seems like there is some pretty complicated OP logic
              required to process the sector_identifier_uri.<o:p></o:p></span></p>
          <p class="MsoNormal"
            style="margin-left:.5in;text-autospace:none"><span
              style="font-family:"Helvetica","sans-serif"">Given

              that the the list of allowed redirect_uris in the JSON
              file can change at any time! the OP would<o:p></o:p></span></p>
          <p class="MsoNormal"
            style="margin-left:.5in;text-autospace:none"><span
              style="font-family:"Helvetica","sans-serif"">need

              to pull the file and verify that the current client
              redirect_uri is still present in the list. That is too
              much<o:p></o:p></span></p>
          <p class="MsoNormal"
            style="margin-left:.5in;text-autospace:none"><span
              style="font-family:"Helvetica","sans-serif"">over

              head to do at token issuance. Should we have some guidance
              that redirect_uris can be added to the<o:p></o:p></span></p>
          <p class="MsoNormal"
            style="margin-left:.5in;text-autospace:none"><span
              style="font-family:"Helvetica","sans-serif"">sector_identifier_uri

              file but SHOULD NOT be removed. Removing a redirect_uri
              from the file results in<o:p></o:p></span></p>
          <p class="MsoNormal"
            style="margin-left:.5in;text-autospace:none"><span
              style="font-family:"Helvetica","sans-serif"">undefined

              behavior? With this guidance the OP can do all the
              necessary checking at client registration<o:p></o:p></span></p>
          <p class="MsoNormal" style="margin-left:.5in"><span
              style="font-family:"Helvetica","sans-serif"">time

              which seems reasonable.</span><span
              style="font-size:12.0pt"><o:p></o:p></span></p>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal">It’s always been my assumption that the
            sector_identifier_uri is validated once at registration time
            and never fetched again.  If people agree, I think we should
            say that.<o:p></o:p></p>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal">                                                               

            -- Mike<o:p></o:p></p>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <br>
        <fieldset class="mimeAttachmentHeader"></fieldset>
        <br>
        <pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
      </blockquote>
      <br>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
    </blockquote>
    <br>
    <div class="moz-signature">-- <br>
      <a href="http://connect.me/gffletch" title="View full card on
        Connect.Me"><img src="cid:part4.02060506.09070006@aol.com"
          alt="George Fletcher" height="113" width="359"></a></div>
  </body>
</html>