<div dir="ltr">So, Axel, what do you think about "<span style="color:rgb(33,33,33)">use the URI that the client publishes for its backchannel endpoint as the audience rather than the client ID."?</span></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Mar 22, 2017 at 4:21 AM Axel Nennker via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div lang="EN-US" link="blue" vlink="purple" class="gmail_msg">
<div class="m_-2184436487686113870WordSection1 gmail_msg">
<p class="MsoNormal gmail_msg"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="gmail_msg">If the issuer has an id_token_signing_key and a logout_command_signing_key then the receiver knows that the JWS is not a valid signed logout_command-JSON, right?</span></p>
<p class="MsoNormal gmail_msg"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="gmail_msg">If somebody tries to push an id_token into the logout endpoint then it would not validate because the wrong key is used.<u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
<p class="MsoNormal gmail_msg"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></span></p>
<p class="MsoNormal gmail_msg"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="gmail_msg">I am not saying that different signing keys are the best solution but the proposed “solution” is hacky.<u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
<p class="MsoNormal gmail_msg"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></span></p>
<p class="MsoNormal gmail_msg"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="gmail_msg">//Axel<u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
<div class="gmail_msg">
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm" class="gmail_msg">
<p class="MsoNormal gmail_msg"><b class="gmail_msg"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="gmail_msg">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="gmail_msg"> John Bradley [mailto:<a href="mailto:ve7jtb@ve7jtb.com" class="gmail_msg" target="_blank">ve7jtb@ve7jtb.com</a>]
<br class="gmail_msg">
<b class="gmail_msg">Sent:</b> Friday, March 17, 2017 4:55 PM<br class="gmail_msg">
<b class="gmail_msg">To:</b> Justin Richer<br class="gmail_msg">
<b class="gmail_msg">Cc:</b> Nennker, Axel; Michael Jones; <a href="mailto:openid-specs-ab@lists.openid.net" class="gmail_msg" target="_blank">openid-specs-ab@lists.openid.net</a><br class="gmail_msg">
<b class="gmail_msg">Subject:</b> Re: [Openid-specs-ab] backchannel logout: nonce and key<u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
</div></div></div><div lang="EN-US" link="blue" vlink="purple" class="gmail_msg"><div class="m_-2184436487686113870WordSection1 gmail_msg">
<p class="MsoNormal gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
<p class="MsoNormal gmail_msg">A different signing key won’t help unless the issuer is different.</p>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg">It is a double-edged thing: you want the issuer to be the same to know the logout source is the same as the login; however, you don’t want the issuer to be the same to prevent the token from being mistaken as an id_token for login.</p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg">Logically it would be better to have a different logout audience for the client and change that.<u class="gmail_msg"></u><u class="gmail_msg"></u></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg">One option would be to use the URI that the client publishes for its backchannel endpoint as the audience rather than the client ID.</p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg">I think William made a proposal along those lines.<u class="gmail_msg"></u><u class="gmail_msg"></u></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg">John B.<u class="gmail_msg"></u><u class="gmail_msg"></u></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
</div>
<div class="gmail_msg">
<div class="gmail_msg">
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" class="gmail_msg">
<div class="gmail_msg">
<p class="MsoNormal gmail_msg">On Mar 16, 2017, at 11:16 AM, Justin Richer <<a href="mailto:jricher@MIT.EDU" class="gmail_msg" target="_blank">jricher@MIT.EDU</a>> wrote:<u class="gmail_msg"></u><u class="gmail_msg"></u></p>
</div>
<p class="MsoNormal gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white;font-variant-caps:normal;text-align:start;word-spacing:0px">
+1<u class="gmail_msg"></u><u class="gmail_msg"></u></p>
<p class="MsoNormal gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="gmail_msg">On 3/16/2017 7:58 AM, Axel Nennker via Openid-specs-ab wrote:<u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt;font-variant-caps:normal;text-align:start;word-spacing:0px" class="gmail_msg">
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-family:"Calibri","sans-serif"" class="gmail_msg">Hi,</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"><u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-family:"Calibri","sans-serif"" class="gmail_msg">Nonce in the logout JWT is prohibited<span class="m_-2184436487686113870apple-converted-space gmail_msg"> </span></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg">to make
 a Logout Token syntactically invalid compared to an id_token.<u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg">Wouldn’t it be more secure to use another signing key than the id_token signing key?<u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg">Prohibiting nonce is a hack.<u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg">Kind regards<u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg">Axel<u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-family:"Calibri","sans-serif"" class="gmail_msg"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"><u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-family:"Calibri","sans-serif"" class="gmail_msg">The following Claim MUST NOT be used within the Logout Token:</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"><u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-family:"Calibri","sans-serif"" class="gmail_msg">nonce</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"><u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div style="margin-left:72.0pt" class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-family:"Calibri","sans-serif"" class="gmail_msg">PROHIBITED. A<span class="m_-2184436487686113870apple-converted-space gmail_msg"> </span></span><span style="font-size:10.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg">nonce</span><span class="m_-2184436487686113870apple-converted-space gmail_msg"><span style="font-family:"Calibri","sans-serif"" class="gmail_msg"> </span></span><span style="font-family:"Calibri","sans-serif"" class="gmail_msg">Claim
 MUST NOT be present. Its use is prohibited to make a Logout Token syntactically invalid if used in a forged Authentication Response in place of an ID Token.<span class="m_-2184436487686113870apple-converted-space gmail_msg"> </span></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"><u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-family:"Calibri","sans-serif"" class="gmail_msg">Logout Tokens MAY contain other Claims. Any Claims used that are not understood MUST be ignored.</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"><u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-family:"Calibri","sans-serif"" class="gmail_msg">A Logout Token MUST be signed and MAY also be encrypted. The same keys are used to sign and encrypt Logout Tokens as are used for ID Tokens. NOTE: The Logout Token
 is compatible with<span class="m_-2184436487686113870apple-converted-space gmail_msg"> </span><a href="http://openid.net/specs/openid-connect-backchannel-1_0.html#I-D.ietf-secevent-token" class="gmail_msg" target="_blank"><span style="color:purple" class="gmail_msg">Security Event Token (SET)</span></a><span class="m_-2184436487686113870apple-converted-space gmail_msg"> </span>[I‑D.ietf‑secevent‑token]
 draft -00.</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"><u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm" class="gmail_msg">
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><b class="gmail_msg"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="gmail_msg">From:</span></b><span class="m_-2184436487686113870apple-converted-space gmail_msg"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="gmail_msg"> </span></span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="gmail_msg">Nennker,
 Axel<span class="m_-2184436487686113870apple-converted-space gmail_msg"> </span><br class="gmail_msg">
<b class="gmail_msg">Sent:</b><span class="m_-2184436487686113870apple-converted-space gmail_msg"> </span>Thursday, March 16, 2017 12:49 PM<br class="gmail_msg">
<b class="gmail_msg">To:</b><span class="m_-2184436487686113870apple-converted-space gmail_msg"> </span>Mike Jones (<a href="mailto:Michael.Jones@microsoft.com" class="gmail_msg" target="_blank"><span style="color:purple" class="gmail_msg">Michael.Jones@microsoft.com</span></a>); John Bradley (<a href="mailto:ve7jtb@ve7jtb.com" class="gmail_msg" target="_blank"><span style="color:purple" class="gmail_msg">ve7jtb@ve7jtb.com</span></a>)<br class="gmail_msg">
<b class="gmail_msg">Cc:</b><span class="m_-2184436487686113870apple-converted-space gmail_msg"> </span><a href="mailto:openid-specs-ab@lists.openid.net" class="gmail_msg" target="_blank"><span style="color:purple" class="gmail_msg">openid-specs-ab@lists.openid.net</span></a><br class="gmail_msg">
<b class="gmail_msg">Subject:</b><span class="m_-2184436487686113870apple-converted-space gmail_msg"> </span>backchannel logout: events</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"><u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
</div>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"> <u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg">Hi,<u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"> <u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg">Regarding<span class="m_-2184436487686113870apple-converted-space gmail_msg"> </span><a href="https://openid.net/specs/openid-connect-backchannel-1_0.html" class="gmail_msg" target="_blank"><span style="color:purple" class="gmail_msg">https://openid.net/specs/openid-connect-backchannel-1_0.html</span></a><u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"> <u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg">I am wondering what the reason behind events is:<u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-family:"Calibri","sans-serif"" class="gmail_msg">events</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"><u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div style="margin-left:36.0pt" class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-family:"Calibri","sans-serif"" class="gmail_msg">REQUIRED. Claim whose value is a JSON object containing the member name<span class="m_-2184436487686113870apple-converted-space gmail_msg"> </span></span><span style="font-size:10.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"><a href="http://schemas.openid.net/event/backchannel-logout" class="gmail_msg" target="_blank"><span style="color:purple" class="gmail_msg">http://schemas.openid.net/event/backchannel-logout</span></a></span><span style="font-family:"Calibri","sans-serif"" class="gmail_msg">.
 This declares that the JWT is a Logout Token. The corresponding member value MUST be a JSON object and SHOULD be the empty JSON object<span class="m_-2184436487686113870apple-converted-space gmail_msg"> </span></span><span style="font-size:10.0pt;font-family:"Courier New"" class="gmail_msg">{}</span><span style="font-family:"Calibri","sans-serif"" class="gmail_msg">.</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"><u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"> <u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg">The reason, I think, to have “events” is to make the logout JWT compatible with SET: <a href="https://tools.ietf.org/html/draft-ietf-secevent-token-01" class="gmail_msg" target="_blank"><span style="color:purple" class="gmail_msg">https://tools.ietf.org/html/draft-ietf-secevent-token-01</span></a></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg">But SET states: “Security Events are not commands issued between parties”<u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg">While openid-connect-backchannel-1_0.html JWT is a command.<u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"> <u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg">If we want SET compatibility wouldn’t it make more sense to have a SET compatible response to the logout command?<u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"> <u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg">Why is SET compatibility important? Is it important enough to justify this really strange type specifier?<u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<pre style="background:white" class="gmail_msg">"events": {
     "http://schemas.openid.net/event/backchannel-logout": {}
     }</pre>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"> <u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg">Kind regards<u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg">Axel<u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><b class="gmail_msg"><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";text-transform:uppercase" class="gmail_msg">DEUTSCHE TELEKOM AG</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"><u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif"" class="gmail_msg">T-Labs (Research & Innovation)<br class="gmail_msg">
Dipl.-Inform. Axel Nennker<br class="gmail_msg">
Winterfeldtstr. 21, 10781 Berlin<br class="gmail_msg">
</span><span lang="FR" style="font-size:8.0pt;font-family:"Arial","sans-serif"" class="gmail_msg"><a href="tel:+49%20170%202275312" value="+491702275312" class="gmail_msg" target="_blank">+491702275312</a> (Mobile)</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"><u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<div class="gmail_msg">
<p class="MsoNormal gmail_msg" style="background:white"><span lang="FR" style="font-size:8.0pt;font-family:"Arial","sans-serif"" class="gmail_msg">E-Mail:<span class="m_-2184436487686113870apple-converted-space gmail_msg"> </span><a href="mailto:axel.nennker@telekom.de" class="gmail_msg" target="_blank"><span style="color:purple" class="gmail_msg">axel.nennker@telekom.de</span></a></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="gmail_msg"><u class="gmail_msg"></u><u class="gmail_msg"></u></span></p>
</div>
<pre style="background:white" class="gmail_msg">_______________________________________________<u class="gmail_msg"></u><u class="gmail_msg"></u></pre>
<pre style="background:white" class="gmail_msg">Openid-specs-ab mailing list<u class="gmail_msg"></u><u class="gmail_msg"></u></pre>
<pre style="background:white" class="gmail_msg"><a href="mailto:Openid-specs-ab@lists.openid.net" class="gmail_msg" target="_blank"><span style="color:purple" class="gmail_msg">Openid-specs-ab@lists.openid.net</span></a><u class="gmail_msg"></u><u class="gmail_msg"></u></pre>
<pre style="background:white" class="gmail_msg"><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" class="gmail_msg" target="_blank"><span style="color:purple" class="gmail_msg">http://lists.openid.net/mailman/listinfo/openid-specs-ab</span></a><u class="gmail_msg"></u><u class="gmail_msg"></u></pre>
</blockquote>
<p class="MsoNormal gmail_msg" style="margin-bottom:12.0pt"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
</div>
</blockquote>
</div>
<p class="MsoNormal gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
</div>
</div></div>

</blockquote></div><div dir="ltr">-- <br></div><div data-smartmail="gmail_signature"><p dir="ltr">Nat Sakimura</p>
<p dir="ltr">Chairman of the Board, OpenID Foundation</p>
</div>
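<p>An added example, not part of the thread or of the specification: claim checks at a relying party that show what the thread is weighing, namely the <code>nonce</code> prohibition, the <code>events</code> marker, and the proposal to use the backchannel endpoint URI as <code>aud</code>. The issuer, client ID, endpoint URI, nonce value and function names are constructed for illustration; signature verification and the remaining claim checks are assumed to happen elsewhere.</p>

```python
# Claim-level checks only; the JWS signature is assumed to be verified already.
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed sample values (assumptions, not taken from the thread).
ISSUER = "https://op.example"
CLIENT_ID = "rp-client-1"
BACKCHANNEL_URI = "https://rp.example/backchannel_logout"


class TokenRejected(ValueError):
    """Raised when a claims set fails one of the checks."""


def _audiences(claims):
    # "aud" may be a single string or an array of strings.
    aud = claims.get("aud")
    if isinstance(aud, str):
        return [aud]
    return aud if isinstance(aud, list) else []


def check_logout_token(claims, issuer, accepted_aud):
    """Checks applied at the backchannel logout endpoint."""
    if claims.get("iss") != issuer:
        raise TokenRejected("iss mismatch")
    if accepted_aud not in _audiences(claims):
        raise TokenRejected("aud mismatch")
    if "nonce" in claims:
        raise TokenRejected("nonce is prohibited in a Logout Token")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        raise TokenRejected("events claim does not declare a Logout Token")


def check_id_token(claims, issuer, client_id, expected_nonce=None):
    """Checks applied to an ID Token in an authentication response."""
    if claims.get("iss") != issuer:
        raise TokenRejected("iss mismatch")
    if client_id not in _audiences(claims):
        raise TokenRejected("aud mismatch")
    # The nonce comparison only happens when the client sent a nonce.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise TokenRejected("nonce mismatch")


def accepted(check, claims, *args, **kwargs):
    try:
        check(claims, *args, **kwargs)
    except TokenRejected:
        return False
    return True


# Constructed claim sets.
id_token = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1", "nonce": "n-0S6_WzA2Mj"}
id_token_no_nonce = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1"}
logout_aud_client = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1",
                     "events": {LOGOUT_EVENT: {}}}
logout_aud_uri = dict(logout_aud_client, aud=BACKCHANNEL_URI)


def run_cases():
    return {
        # An ID Token pushed into the logout endpoint fails on nonce or events.
        "id_token_at_logout": accepted(check_logout_token, id_token, ISSUER, CLIENT_ID),
        "id_token_no_nonce_at_logout":
            accepted(check_logout_token, id_token_no_nonce, ISSUER, CLIENT_ID),
        # A Logout Token presented as an ID Token: the nonce rule only helps
        # when the client actually sent a nonce.
        "logout_as_id_token_nonce_sent":
            accepted(check_id_token, logout_aud_client, ISSUER, CLIENT_ID,
                     expected_nonce="n-0S6_WzA2Mj"),
        "logout_as_id_token_no_nonce_sent":
            accepted(check_id_token, logout_aud_client, ISSUER, CLIENT_ID),
        # With the backchannel URI as aud, the aud check fails regardless of nonce.
        "uri_aud_logout_as_id_token":
            accepted(check_id_token, logout_aud_uri, ISSUER, CLIENT_ID),
        "uri_aud_logout_at_logout":
            accepted(check_logout_token, logout_aud_uri, ISSUER, BACKCHANNEL_URI),
    }


if __name__ == "__main__":
    for name, ok in run_cases().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```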