<html>

  <head>

    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">

  </head>

  <body bgcolor="#FFFFFF" text="#000000">

    <font face="Helvetica, Arial, sans-serif">So here is another

      possible situation...<br>

      <br>

      App 1 registers with sector_identifier_url

      <a class="moz-txt-link-freetext" href="https://example.com/common_aps">https://example.com/common_aps</a> and that URL contains a single

      redirect_uri for app 1 (app1://my_app). Then App 2 comes along and

      registers the same sector_identifier_uri and because the company

      decided to sunset App 1 removes it from the JSON array and adds in

      app2://my_app.<br>

      <br>

      Should the OP no longer assign pair-wise psuedonymous identifers

      based on the sector_identifier_uri for App 1 (probably still some

      people out there using it)? Or is the guidance to determine if the

      registering app's redirect_uris are present in the

      sector_identifier_uri file and if so, permanently assign that

      sector_identifier_uri to the client_id and it can't be changed.

      Though that might be difficult if via the registration spec I can

      update parts of my registration config.<br>

      <br>

      Maybe some guidance around the impacts of changing a

      sector_identifier_uri on users would be worth whille?<br>

      <br>

      Thanks,<br>

      George<br>

      <br>

    </font>

    <div class="moz-cite-prefix">On 10/31/13 10:16 AM, Justin Richer

      wrote:<br>

    </div>

    <blockquote cite="mid:52726641.4060204@mitre.org" type="cite">

      <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">

      How about language that says the sector identifier would be pulled

      down at registration and heavily cached.<br>

      <br>

       -- Justin<br>

      <br>

      <br>

      <div class="moz-cite-prefix">On 10/29/2013 08:59 PM, Mike Jones

        wrote:<br>

      </div>

      <blockquote

cite="mid:4E1F6AAD24975D4BA5B168042967394377E2CFFA@TK5EX14MBXC288.redmond.corp.microsoft.com"

        type="cite">

        <meta http-equiv="Content-Type" content="text/html;

          charset=UTF-8">

        <meta name="Generator" content="Microsoft Word 14 (filtered

          medium)">

        <style><!--

/* Font Definitions */

@font-face

        {font-family:Helvetica;

        panose-1:2 11 6 4 2 2 2 2 2 4;}

@font-face

        {font-family:Helvetica;

        panose-1:2 11 6 4 2 2 2 2 2 4;}

@font-face

        {font-family:Calibri;

        panose-1:2 15 5 2 2 2 4 3 2 4;}

/* Style Definitions */

p.MsoNormal, li.MsoNormal, div.MsoNormal

        {margin:0in;

        margin-bottom:.0001pt;

        font-size:11.0pt;

        font-family:"Calibri","sans-serif";}

a:link, span.MsoHyperlink

        {mso-style-priority:99;

        color:blue;

        text-decoration:underline;}

a:visited, span.MsoHyperlinkFollowed

        {mso-style-priority:99;

        color:purple;

        text-decoration:underline;}

span.EmailStyle17

        {mso-style-type:personal-compose;

        font-family:"Calibri","sans-serif";

        color:windowtext;}

.MsoChpDefault

        {mso-style-type:export-only;

        font-family:"Calibri","sans-serif";}

@page WordSection1

        {size:8.5in 11.0in;

        margin:1.0in 1.0in 1.0in 1.0in;}

div.WordSection1

        {page:WordSection1;}

--></style><!--[if gte mso 9]><xml>

<o:shapedefaults v:ext="edit" spidmax="1026" />

</xml><![endif]--><!--[if gte mso 9]><xml>

<o:shapelayout v:ext="edit">

<o:idmap v:ext="edit" data="1" />

</o:shapelayout></xml><![endif]-->

        <div class="WordSection1">

          <p class="MsoNormal">In his review of Registration, George

            wrote the following about <a moz-do-not-send="true"

href="http://openid.net/specs/openid-connect-registration-1_0-20.html#SectorIdentifierValidation">http://openid.net/specs/openid-connect-registration-1_0-20.html#SectorIdentifierValidation</a>:<o:p></o:p></p>

          <p class="MsoNormal"

            style="margin-left:.5in;text-autospace:none"><span

              style="font-family:"Helvetica","sans-serif"">It

              seems like there is some pretty complicated OP logic

              required to process the sector_identifier_uri.<o:p></o:p></span></p>

          <p class="MsoNormal"

            style="margin-left:.5in;text-autospace:none"><span

              style="font-family:"Helvetica","sans-serif"">Given

              that the the list of allowed redirect_uris in the JSON

              file can change at any time! the OP would<o:p></o:p></span></p>

          <p class="MsoNormal"

            style="margin-left:.5in;text-autospace:none"><span

              style="font-family:"Helvetica","sans-serif"">need

              to pull the file and verify that the current client

              redirect_uri is still present in the list. That is too

              much<o:p></o:p></span></p>

          <p class="MsoNormal"

            style="margin-left:.5in;text-autospace:none"><span

              style="font-family:"Helvetica","sans-serif"">over

              head to do at token issuance. Should we have some guidance

              that redirect_uris can be added to the<o:p></o:p></span></p>

          <p class="MsoNormal"

            style="margin-left:.5in;text-autospace:none"><span

              style="font-family:"Helvetica","sans-serif"">sector_identifier_uri

              file but SHOULD NOT be removed. Removing a redirect_uri

              from the file results in<o:p></o:p></span></p>

          <p class="MsoNormal"

            style="margin-left:.5in;text-autospace:none"><span

              style="font-family:"Helvetica","sans-serif"">undefined

              behavior? With this guidance the OP can do all the

              necessary checking at client registration<o:p></o:p></span></p>

          <p class="MsoNormal" style="margin-left:.5in"><span

              style="font-family:"Helvetica","sans-serif"">time

              which seems reasonable.</span><span

              style="font-size:12.0pt"><o:p></o:p></span></p>

          <p class="MsoNormal"><o:p> </o:p></p>

          <p class="MsoNormal">It’s always been my assumption that the

            sector_identifier_uri is validated once at registration time

            and never fetched again.  If people agree, I think we should

            say that.<o:p></o:p></p>

          <p class="MsoNormal"><o:p> </o:p></p>

          <p class="MsoNormal">                                                               

            -- Mike<o:p></o:p></p>

          <p class="MsoNormal"><o:p> </o:p></p>

        </div>

        <br>

        <fieldset class="mimeAttachmentHeader"></fieldset>

        <br>

        <pre wrap="">_______________________________________________

Openid-specs-ab mailing list

<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>

<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>

</pre>

      </blockquote>

      <br>

      <br>

      <fieldset class="mimeAttachmentHeader"></fieldset>

      <br>

      <pre wrap="">_______________________________________________

Openid-specs-ab mailing list

<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>

<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>

</pre>

    </blockquote>

    <br>

    <div class="moz-signature">-- <br>

      <a href="http://connect.me/gffletch" title="View full card on

        Connect.Me"><img src="cid:part4.02060506.09070006@aol.com"

          alt="George Fletcher" height="113" width="359"></a></div>

  </body>

</html>