<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">As you have quoted in the original
mail, it is saying in section 5.1 <br>
<br>
<span>The Request Object MAY be signed or unsigned (plaintext). When it is
plaintext, this is indicated by use of the <tt>none</tt> algorithm
<a class="info"
href="http://openid.bitbucket.org/openid-connect-core-1_0.html#JWA">[JWA]</a>
in the JWS header. If signed, the Request Object <font color="#ff0000">SHOULD </font>contain
the Claims <tt>iss</tt> (issuer) and <tt>aud</tt> (audience) as members,
with their semantics being as defined in the
<a class="info"
href="http://openid.bitbucket.org/openid-connect-core-1_0.html#JWT">JWT</a>
[JWT] specification.</span><br>
<br>
The SHOULD I stated is the one in the above sentence. <br>
<br>
JWT further defines the semantics of the iss and aud as: <br>
<br>
<pre class="newpage"><h4><a class="selflink" name="section-4.1.1" href="http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-13#section-4.1.1">4.1.1</a>. "iss" (Issuer) Claim</h4>
The "iss" (issuer) claim identifies the principal that issued the
JWT. The processing of this claim is generally application specific.
The "iss" value is a case-sensitive string containing a StringOrURI
value. Use of this claim is OPTIONAL.</pre>
<br>
<pre class="newpage"><h4><a class="selflink" name="section-4.1.3" href="http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-13#section-4.1.3">4.1.3</a>. "aud" (Audience) Claim</h4>
The "aud" (audience) claim identifies the audiences that the JWT is
intended for. Each principal intended to process the JWT MUST
identify itself with a value in audience claim. If the principal
processing the claim does not identify itself with a value in the
"aud" claim, then the JWT MUST be rejected. In the general case, the
"aud" value is an array of case-sensitive strings, each containing a
StringOrURI value. In the special case when the JWT has one
audience, the "aud" value MAY be a single case-sensitive string
containing a StringOrURI value. The interpretation of audience
values is generally application specific. Use of this claim is
OPTIONAL.</pre>
<br>
They are accurate. <br>
<br>
In OIDC context, the <font face="Courier New, Courier, monospace"
color="#33cc00">iss </font>of the request object is the one who
signed it. <br>
It could be the client as well as a third party. I consider that
even SHOULD is too strong if you want to indicate that the value
would be the client id. At best, it would be a NOTE. <br>
<br>
For <font face="Courier New, Courier, monospace" color="#33cc00">aud</font>,
with the qualifier "if present", I would be OK to state that the
value SHOULD be the issuer identifier of the OP. <br>
<br>
Nat<br>
<br>
(2013/11/28 9:47), Mike Jones wrote:<br>
</div>
<blockquote
cite="mid:4E1F6AAD24975D4BA5B16804296739437CCF9C49@TK5EX14MBXC287.redmond.corp.microsoft.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span>Formerly, the spec said nothing about
what these values were. I can live with making the “MUST”s
“SHOULD”s, to accommodate the trust framework case you
described. But I do think we need to say what the normal
values are.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>
-- Mike</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><b><span>From:</span></b><span>
<a class="moz-txt-link-abbreviated" href="mailto:sakimura@gmail.com">sakimura@gmail.com</a> [<a class="moz-txt-link-freetext" href="mailto:sakimura@gmail.com">mailto:sakimura@gmail.com</a>]
<b>On Behalf Of </b>Nat Sakimura<br>
<b>Sent:</b> Wednesday, November 27, 2013 3:48 PM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] Signed request object
issuer and audience</span></p>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">I oppose the change to MUST. </p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">I can easily think of a scenario such
that a trust framework operator (TFO) signs the request
object and the relying parties who are members of the
trust framework use it. In this case, the iss will be the
TFO, and aud would not be there, as the IdPs are
undetermined at the time of signing. The client_id will be
Client ID then. That's why it was a SHOULD. It was a
deliberate decision. We should let the deployment profiles
define these and not be too prescriptive. </p>
</div>
</div>
<div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">2013/11/28 Mike Jones <<a
moz-do-not-send="true"
href="mailto:Michael.Jones@microsoft.com"
target="_blank">Michael.Jones@microsoft.com</a>></p>
<div>
<div>
<p class="MsoNormal">Core currently says:</p>
<p class="MsoNormal">
<span lang="EN">If signed, the Request Object SHOULD
contain the Claims
</span><tt><span lang="EN">iss</span></tt><span
lang="EN"> (issuer) and
</span><tt><span lang="EN">aud</span></tt><span
lang="EN"> (audience) as members, with their
semantics being as defined in the JWT [JWT]
specification.</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">In response to Justin’s review
comment that the “iss” and “aud” values should be
specified, I started to write this:</p>
<p class="MsoNormal">
<span lang="EN">The </span><tt><span lang="EN">iss</span></tt><span
lang="EN"> value MUST be the Client ID of the RP.</span></p>
<p class="MsoNormal">
<span lang="EN">The </span><tt><span lang="EN">aud</span></tt><span
lang="EN"> value MUST be or include the OP's Issuer
Identifier URL.</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">However, I then realized that the
Client is already being communicated in the
“client_id” request parameter, so also having it in
the “iss” claim would be redundant.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I therefore propose that we
explicitly say that an “iss” claim is not needed,
since the Client ID identifies the request’s
originator, and require that the “client_id” parameter
be present in all Request Objects. I would still add
the sentence about the “aud” value.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Do people agree with this
approach? I agree with Justin that we do need to
specify what values to use.</p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>
-- Mike</span></p>
<p class="MsoNormal"><span> </span></p>
</div>
</div>
<p class="MsoNormal"><br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></p>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Nat Sakimura (<a class="moz-txt-link-abbreviated" href="mailto:n-sakimura@nri.co.jp">n-sakimura@nri.co.jp</a>)
Nomura Research Institute, Ltd.
<a class="moz-txt-link-freetext" href="Tel:+81-3-6274-1412">Tel:+81-3-6274-1412</a> Fax:+81-3-6274-1547
The information contained in this e-mail is confidential and is intended to be sent only to the addressee(s) named. Any use of this information by anyone other than the intended recipient, including disclosure, copying, redistribution or forwarding, is prohibited. If you have received this e-mail in error, we apologize for the inconvenience; please notify the sender and delete the message you received.
PLEASE READ:
The information contained in this e-mail is confidential and intended for the named recipient(s) only.
If you are not an intended recipient of this e-mail, you are hereby notified that any review, dissemination, distribution or duplication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately and delete your copy from your system.
</pre>
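<p>The following validator is an added example, written for this page and not code from the OpenID Connect specification or from either correspondent. It shows, in working code, the claim handling the thread argues over: <tt>iss</tt> names the signer (the client itself, or a third party such as a trust framework operator, so it is resolved against a set of trusted signers rather than forced to equal <tt>client_id</tt>); <tt>aud</tt>, when present, must identify the OP in either its string or array form, case-sensitively, or the object is rejected per JWT section 4.1.3; an absent <tt>aud</tt> is accepted, which is the TFO case Nat describes; and a plaintext (<tt>alg</tt> <tt>none</tt>) object is refused by the signed-object path. The OP issuer, client_id, TFO identifier and HS256 shared secrets are all constructed assumptions; a real OP would resolve the signer's public key from its registered key set.</p>

```python
import base64
import hashlib
import hmac
import json

# Constructed identifiers for this example; none of them come from the thread.
OP_ISSUER = "https://op.example.com"      # the OP's Issuer Identifier (expected aud value)
CLIENT_ID = "s6BhdRkqt3"                  # the RP's client_id (constructed)
TFO_ISSUER = "https://tfo.example.net"    # a trust framework operator signing for members

# Constructed shared secrets keyed by signer identity (assumption: HS256 for brevity).
# A real OP would resolve the signer's public key, e.g. from its registered jwks_uri.
TRUSTED_SIGNER_KEYS = {
    CLIENT_ID: b"constructed-client-secret-32-bytes!!",
    TFO_ISSUER: b"constructed-tfo-secret-32-bytes!!!!",
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, signer: str) -> str:
    """Build an HS256 JWS over the claims with the named signer's secret (constructed helper)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(TRUSTED_SIGNER_KEYS[signer], f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{b64url_encode(mac.digest())}"


def unsigned_request_object(claims: dict) -> str:
    """Plaintext Request Object as section 5.1 describes it: alg 'none', empty signature."""
    header = b64url_encode(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."


def verify_request_object(jws: str, client_id_param: str) -> dict:
    """Validate a signed Request Object's iss/aud as discussed in the thread.

    iss identifies the signer (client or third party); absent iss means the client
    named by the client_id parameter. aud, if present, must identify this OP or the
    JWT is rejected; absent aud is accepted. Raises ValueError on any failure.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # A plaintext ('none') object has no signature binding iss/aud, so the signed path refuses it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    claims = json.loads(b64url_decode(payload_b64))

    signer = claims.get("iss", client_id_param)
    key = TRUSTED_SIGNER_KEYS.get(signer)
    if key is None:
        raise ValueError(f"untrusted signer {signer!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")

    # If the object carries client_id, it must agree with the request parameter (assumption).
    if "client_id" in claims and claims["client_id"] != client_id_param:
        raise ValueError("client_id in Request Object does not match request parameter")

    # JWT 4.1.3: string or array of case-sensitive StringOrURI values; reject if we are not listed.
    aud = claims.get("aud")
    if aud is not None:
        audiences = [aud] if isinstance(aud, str) else aud
        if not isinstance(audiences, list) or not all(isinstance(a, str) for a in audiences):
            raise ValueError("aud must be a string or an array of strings")
        if OP_ISSUER not in audiences:
            raise ValueError(f"aud {aud!r} does not identify this OP")
    return claims


def is_accepted(jws: str, client_id_param: str = CLIENT_ID) -> bool:
    """True when the object passes verify_request_object for the given client_id parameter."""
    try:
        verify_request_object(jws, client_id_param)
        return True
    except ValueError:
        return False
```

The membership test is deliberately exact: the JWT draft quoted above makes audience values case-sensitive, so an <tt>aud</tt> of the OP's issuer in different letter case is rejected rather than normalized.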
</body>
</html>