<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>+1<br>
</p>
<br>
<div class="moz-cite-prefix">On 3/16/2017 7:58 AM, Axel Nennker via
Openid-specs-ab wrote:<br>
</div>
<blockquote
cite="mid:ef69fa0ceaef4d39895037004578347f@HE101654.emea1.cds.t-internal.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
tt
{mso-style-priority:99;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif"">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif"">Nonce in the logout JWT is
prohibited
</span>to make a Logout Token syntactically invalid compared
to an id_token.<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Wouldn’t
it be more secure to use another signing key than the id_token
signing key?<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Prohibiting
nonce is a hack.<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Kind
regards<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Axel<span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif"">The following Claim MUST NOT
be used within the Logout Token:
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif"">nonce<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:72.0pt"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif"">PROHIBITED. A
</span><span style="font-size:10.0pt;font-family:"Courier
New"">nonce</span><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""> Claim MUST NOT be present.
Its use is prohibited to make a Logout Token syntactically
invalid if used in a forged Authentication Response in place
of an ID Token. <o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif"">Logout Tokens MAY contain
other Claims. Any Claims used that are not understood MUST
be ignored.
<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif"">A Logout Token MUST be signed
and MAY also be encrypted. The same keys are used to sign
and encrypt Logout Tokens as are used for ID Tokens. NOTE:
The Logout Token is compatible with <a
moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-backchannel-1_0.html#I-D.ietf-secevent-token">Security
Event Token (SET)</a> [I‑D.ietf‑secevent‑token] draft -00.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
Nennker, Axel
<br>
<b>Sent:</b> Thursday, March 16, 2017 12:49 PM<br>
<b>To:</b> Mike Jones (<a class="moz-txt-link-abbreviated" href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>);
John Bradley (<a class="moz-txt-link-abbreviated" href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>)<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> backchannel logout: events<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regarding
<a class="moz-txt-link-freetext" href="https://openid.net/specs/openid-connect-backchannel-1_0.html">https://openid.net/specs/openid-connect-backchannel-1_0.html</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am wondering what the reason behind
events is:<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif"">events<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif"">REQUIRED. Claim whose value
is a JSON object containing the member name
</span><span style="font-size:10.0pt;font-family:"Courier
New""><a class="moz-txt-link-freetext" href="http://schemas.openid.net/event/backchannel-logout">http://schemas.openid.net/event/backchannel-logout</a></span><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif"">. This declares that the JWT
is a Logout Token. The corresponding member value MUST be a
JSON object and SHOULD be the empty JSON object </span><span
style="font-size:10.0pt;font-family:"Courier New"">{}</span><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif"">.
<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">The reason, I
think, to have “events” is to make the logout JWT compatible
to SET:
<a class="moz-txt-link-freetext" href="https://tools.ietf.org/html/draft-ietf-secevent-token-01">https://tools.ietf.org/html/draft-ietf-secevent-token-01</a><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">But SET states:
“Security Events are not commands issued between parties”<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">While
openid-connect-backchannel-1_0.html JWT is a command.<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">If we want SET
compatibility wouldn’t it make more sense to have a SET
compatible response to the logout command?<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">Why is SET
compatibility important? Is it important enough to justify
this really strange type specifier?<o:p></o:p></p>
<pre>"events": {<o:p></o:p></pre>
<pre> <a class="moz-txt-link-rfc2396E" href="http://schemas.openid.net/event/backchannel-logout">"http://schemas.openid.net/event/backchannel-logout"</a>: {}<o:p></o:p></pre>
<pre> }<o:p></o:p></pre>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">Kind regards<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">Axel<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#999999"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#999999"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#999999"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#999999"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><span
style="font-size:8.0pt;font-family:"Arial","sans-serif";text-transform:uppercase"
lang="DE">Deutsche Telekom AG<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:8.0pt;font-family:"Arial","sans-serif""
lang="DE">T-Labs (Research & Innovation)<br>
Dipl.-Inform. Axel Nennker<br>
Winterfeldtstr. 21, 10781 Berlin<br>
</span><span
style="font-size:8.0pt;font-family:"Arial","sans-serif""
lang="FR">+491702275312 (Mobile)<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:8.0pt;font-family:"Arial","sans-serif""
lang="FR">E-Mail: <a class="moz-txt-link-abbreviated" href="mailto:axel.nennker@telekom.de">axel.nennker@telekom.de</a></span><span
lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="DE"><o:p> </o:p></span></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
<br>
</body>
</html>