<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.inbox-inbox-apple-converted-space
{mso-style-name:inbox-inbox-apple-converted-space;}
span.gmailmsg
{mso-style-name:gmail_msg;}
span.m-2184436487686113870apple-converted-space
{mso-style-name:m_-2184436487686113870apple-converted-space;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#002060;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#002060">I’d been thinking about the audience change suggestion and I’m not sure it’s a good idea for multi-tenant deployments. Many clients potentially share common endpoints, and in some cases, they can be distinguished
by Client ID but not by endpoints.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#002060">The multi-key proposal creates actual complexity, in that there are more keys to manage and roll-over and more code to test. You can easily imagine site administrators remembering to roll over signing keys but
not logout keys. Given that the issuer of both ID Tokens and logout tokens is really the same entity, it only makes sense to keep the issuer and subject the same.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#002060">Finally, as discussed on the id-event list, there’s not an actual problem to solve:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#002060">“For all response_types except for “code”, the ID Token must have a “nonce” claim matching the request in order to be validated. SETs won’t have this claim. For response_type=code,
the ID Token must be retrieved from the Token Endpoint to be valid. But SETs aren’t returned as the id_token value from the Token Endpoint. There isn’t a channel in which an attacker can successfully substitute a SET for an ID Token and have it validate
as an ID Token.”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#002060">Frankly, I hope people will stop arguing from the premise that logout tokens and SETs will be confused with ID Tokens, because starting with a false premise isn’t a good way to further meaningful discussion.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"> -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="color:#002060"><o:p> </o:p></span></a></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<p class="MsoNormal"><b>From:</b> Openid-specs-ab [mailto:openid-specs-ab-bounces@lists.openid.net]
<b>On Behalf Of </b>Nat Sakimura via Openid-specs-ab<br>
<b>Sent:</b> Saturday, March 25, 2017 12:24 PM<br>
<b>To:</b> Axel.Nennker@telekom.de; ve7jtb@ve7jtb.com; jricher@mit.edu<br>
<b>Cc:</b> openid-specs-ab@lists.openid.net<br>
<b>Subject:</b> Re: [Openid-specs-ab] backchannel logout: nonce and key<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">So, Axel, what do you think about "<span class="inbox-inbox-apple-converted-space"><span style="color:#212121"> </span></span><span style="color:#212121">use the URI that the client publishes for its backchannel endpoint as the audience
rather than the client ID."?</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Wed, Mar 22, 2017 at 4:21 AM Axel Nennker via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span class="gmailmsg"><span style="color:#1F497D">If the issuer has an id_token_signing_key and a logout_command_signing_key then the receiver knows that the JWS is not a valid
signed logout_command-JSON, right?</span></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span class="gmailmsg"><span style="color:#1F497D">If somebody tries to push an id_token into the logout endpoint then it would not validate because the wrong key is used.</span></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span class="gmailmsg"><span style="color:#1F497D"> </span></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span class="gmailmsg"><span style="color:#1F497D">I am not saying that different signing keys are the best solution but the proposed “solution” is hacky.</span></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span class="gmailmsg"><span style="color:#1F497D"> </span></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span class="gmailmsg"><span style="color:#1F497D">//Axel</span></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span class="gmailmsg"><span style="color:#1F497D"> </span></span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span class="gmailmsg"><b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">From:</span></b></span><span class="gmailmsg"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">
John Bradley [mailto:<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>]
</span></span><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif"><br>
<span class="gmailmsg"><b>Sent:</b> Friday, March 17, 2017 4:55 PM</span><br>
<span class="gmailmsg"><b>To:</b> Justin Richer</span><br>
<span class="gmailmsg"><b>Cc:</b> Nennker, Axel; Michael Jones; <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">
openid-specs-ab@lists.openid.net</a></span><br>
<span class="gmailmsg"><b>Subject:</b> Re: [Openid-specs-ab] backchannel logout: nonce and key</span></span><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">A different signing key won’t help unless the issuer is different. <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">It is a double-edged thing: you want the issuer to be the same to know the logout source is the same as the login; however, you don’t want the issuer to be the same, to prevent the
token from being mistaken as an id_token for login.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Logically it would be better to have a different logout audience for the client and change that.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">One option would be to use the URI that the client publishes for its backchannel endpoint as the audience rather than the client ID.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I think William made a proposal along those lines.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">John B.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On Mar 16, 2017, at 11:16 AM, Justin Richer <<a href="mailto:jricher@MIT.EDU" target="_blank">jricher@MIT.EDU</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white;font-variant-caps:normal;text-align:start;word-spacing:0px">
+1<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">On 3/16/2017 7:58 AM, Axel Nennker via Openid-specs-ab wrote:</span></span><o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt;font-variant-caps:normal;text-align:start;word-spacing:0px">
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">Hi,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">Nonce in the logout JWT is prohibited</span><span class="m-2184436487686113870apple-converted-space"> </span><span class="gmailmsg">to make a Logout Token syntactically invalid compared to an id_token.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">Wouldn’t it be more secure to use another signing key than the id_token signing key?</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">Prohibiting nonce is a hack.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">Kind regards</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">Axel</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">The following Claim MUST NOT be used within the Logout Token:</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">nonce</span><o:p></o:p></p>
</div>
<div style="margin-left:1.0in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">PROHIBITED. A</span><span class="m-2184436487686113870apple-converted-space"> </span><span class="gmailmsg"><span style="font-size:10.0pt">nonce</span> Claim MUST NOT be present. Its use is prohibited to make a Logout Token syntactically
invalid if used in a forged Authentication Response in place of an ID Token.</span><span class="m-2184436487686113870apple-converted-space"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">Logout Tokens MAY contain other Claims. Any Claims used that are not understood MUST be ignored.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">A Logout Token MUST be signed and MAY also be encrypted. The same keys are used to sign and encrypt Logout Tokens as are used for ID Tokens. NOTE: The Logout Token is compatible with</span><span class="m-2184436487686113870apple-converted-space"> </span><span class="gmailmsg"><a href="http://openid.net/specs/openid-connect-backchannel-1_0.html#I-D.ietf-secevent-token" target="_blank"><span style="color:purple">Security
Event Token (SET)</span></a></span><span class="m-2184436487686113870apple-converted-space"> </span><span class="gmailmsg">[I‑D.ietf‑secevent‑token] draft -00.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg"><span style="color:#1F497D"> </span></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg"><span style="color:#1F497D"> </span></span><o:p></o:p></p>
</div>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg"><b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">From:</span></b></span><span class="gmailmsg"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif"> Nennker, Axel</span></span><span class="m-2184436487686113870apple-converted-space"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif"> </span></span><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif"><br>
<span class="gmailmsg"><b>Sent:</b></span><span class="m-2184436487686113870apple-converted-space"> </span><span class="gmailmsg">Thursday, March 16, 2017 12:49 PM</span><br>
<span class="gmailmsg"><b>To:</b></span><span class="m-2184436487686113870apple-converted-space"> </span><span class="gmailmsg">Mike Jones (<a href="mailto:Michael.Jones@microsoft.com" target="_blank"><span style="color:purple">Michael.Jones@microsoft.com</span></a>);
John Bradley (<a href="mailto:ve7jtb@ve7jtb.com" target="_blank"><span style="color:purple">ve7jtb@ve7jtb.com</span></a>)</span><br>
<span class="gmailmsg"><b>Cc:</b></span><span class="m-2184436487686113870apple-converted-space"> </span><span class="gmailmsg"><a href="mailto:openid-specs-ab@lists.openid.net" target="_blank"><span style="color:purple">openid-specs-ab@lists.openid.net</span></a></span><br>
<span class="gmailmsg"><b>Subject:</b></span><span class="m-2184436487686113870apple-converted-space"> </span><span class="gmailmsg">backchannel logout: events</span></span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">Hi,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">Regarding</span><span class="m-2184436487686113870apple-converted-space"> </span><span class="gmailmsg"><a href="https://openid.net/specs/openid-connect-backchannel-1_0.html" target="_blank"><span style="color:purple">https://openid.net/specs/openid-connect-backchannel-1_0.html</span></a></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">I am wondering what the reason behind events is:</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">events</span><o:p></o:p></p>
</div>
<div style="margin-left:.5in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">REQUIRED. Claim whose value is a JSON object containing the member name</span><span class="m-2184436487686113870apple-converted-space"> </span><span class="gmailmsg"><span style="font-size:10.0pt"><a href="http://schemas.openid.net/event/backchannel-logout" target="_blank"><span style="color:purple">http://schemas.openid.net/event/backchannel-logout</span></a></span>.
This declares that the JWT is a Logout Token. The corresponding member value MUST be a JSON object and SHOULD be the empty JSON object</span><span class="m-2184436487686113870apple-converted-space"> </span><span class="gmailmsg"><span style="font-size:10.0pt;font-family:"Courier New"">{}</span>.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">The reason, I think, to have “events” is to make the logout JWT compatible to SET:</span><span class="m-2184436487686113870apple-converted-space"> </span><span class="gmailmsg"><a href="https://tools.ietf.org/html/draft-ietf-secevent-token-01" target="_blank"><span style="color:purple">https://tools.ietf.org/html/draft-ietf-secevent-token-01</span></a></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">But SET states: “Security Events are not commands issued between parties”</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">While openid-connect-backchannel-1_0.html JWT is a command.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">If we want SET compatibility wouldn’t it make more sense to have a SET compatible response to the logout command?</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">Why is SET compatibility important? Is it important enough to justify this really strange type specifier?</span><o:p></o:p></p>
</div>
<pre style="background:white">"events": {<o:p></o:p></pre>
<pre style="background:white"> <a href="http://schemas.openid.net/event/backchannel-logout" target="_blank"><span class="gmailmsg"><span style="color:purple">"http://schemas.openid.net/event/backchannel-logout"</span></span></a>: {}<o:p></o:p></pre>
<pre style="background:white"> }<o:p></o:p></pre>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">Kind regards</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg">Axel</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg"><b><span lang="DE" style="font-size:8.0pt;font-family:"Arial",sans-serif;text-transform:uppercase">DEUTSCHE TELEKOM AG</span></b></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg"><span lang="DE" style="font-size:8.0pt;font-family:"Arial",sans-serif">T-Labs (Research & Innovation)</span></span><span lang="DE" style="font-size:8.0pt;font-family:"Arial",sans-serif"><br>
<span class="gmailmsg">Dipl.-Inform. Axel Nennker</span><br>
<span class="gmailmsg">Winterfeldtstr. 21, 10781 Berlin</span><br>
</span><span class="gmailmsg"><span lang="FR" style="font-size:8.0pt;font-family:"Arial",sans-serif"><a href="tel:+49%20170%202275312" target="_blank">+491702275312</a> (Mobile)</span></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg"><span lang="FR" style="font-size:8.0pt;font-family:"Arial",sans-serif">E-Mail:</span></span><span class="m-2184436487686113870apple-converted-space"><span lang="FR" style="font-size:8.0pt;font-family:"Arial",sans-serif"> </span></span><span class="gmailmsg"><span lang="FR" style="font-size:8.0pt;font-family:"Arial",sans-serif"><a href="mailto:axel.nennker@telekom.de" target="_blank"><span style="color:purple">axel.nennker@telekom.de</span></a></span></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span class="gmailmsg"><span lang="DE"> </span></span><o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt;background:white">
<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><br>
<br>
</span><o:p></o:p></p>
<pre style="background:white">_______________________________________________<o:p></o:p></pre>
<pre style="background:white">Openid-specs-ab mailing list<o:p></o:p></pre>
<pre style="background:white"><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank"><span class="gmailmsg"><span style="color:purple">Openid-specs-ab@lists.openid.net</span></span></a><o:p></o:p></pre>
<pre style="background:white"><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank"><span class="gmailmsg"><span style="color:purple">http://lists.openid.net/mailman/listinfo/openid-specs-ab</span></span></a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"> <o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class="MsoNormal">-- <o:p></o:p></p>
</div>
<div>
<p>Nat Sakimura<o:p></o:p></p>
<p>Chairman of the Board, OpenID Foundation<o:p></o:p></p>
</div>
</div>
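<p class="MsoNormal">Added example, not part of the thread or of the OpenID specification text: a claim-level check in Python of the two rules quoted in this thread, namely that a Logout Token carries the events member and no nonce, while an ID Token from a flow that sent a nonce must carry a matching nonce. The issuer URL, client ID, nonce value and function names are constructed for illustration, and signature verification is assumed to have succeeded already with the issuer's key.</p>

```python
"""Claim-level separation of Logout Tokens and ID Tokens (added illustration).

Assumption: the JWS signature was already verified with the issuer's key.
The draft quoted in the thread signs both token types with the same keys,
so the claims are what tell the two apart.
"""

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed sample values, not taken from any real deployment.
ISSUER = "https://op.example.test"
CLIENT_ID = "client-123"
REQUEST_NONCE = "n-0S6_WzA2Mj"

ID_TOKEN = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1",
            "iat": 1490000000, "exp": 1490003600, "nonce": REQUEST_NONCE}
LOGOUT_TOKEN = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1",
                "iat": 1490000100, "events": {LOGOUT_EVENT: {}}}


def _aud_ok(claims, client_id):
    """aud may be a single string or a list of strings."""
    aud = claims.get("aud")
    return client_id in (aud if isinstance(aud, list) else [aud])


def check_id_token(claims, issuer, client_id, expected_nonce):
    """Return the reasons the claims fail as an ID Token (empty list = accepted).

    Models a flow in which the client sent a nonce in the request, so a
    matching nonce claim is required.
    """
    errors = []
    if claims.get("iss") != issuer:
        errors.append("iss mismatch")
    if not _aud_ok(claims, client_id):
        errors.append("aud does not contain client_id")
    if "nonce" not in claims:
        errors.append("nonce missing")
    elif claims["nonce"] != expected_nonce:
        errors.append("nonce mismatch")
    return errors


def check_logout_token(claims, issuer, client_id):
    """Return the reasons the claims fail as a Logout Token (empty = accepted).

    Covers only the rules quoted in the thread: nonce prohibited, events
    member required with a JSON object value.
    """
    errors = []
    if claims.get("iss") != issuer:
        errors.append("iss mismatch")
    if not _aud_ok(claims, client_id):
        errors.append("aud does not contain client_id")
    if "nonce" in claims:
        errors.append("nonce present (prohibited)")
    events = claims.get("events")
    if not isinstance(events, dict) or LOGOUT_EVENT not in events:
        errors.append("events lacks backchannel-logout member")
    elif not isinstance(events[LOGOUT_EVENT], dict):
        errors.append("backchannel-logout member value is not a JSON object")
    return errors


def cross_check():
    """Run each sample token through both validators."""
    return {
        "id_token as ID Token": check_id_token(
            ID_TOKEN, ISSUER, CLIENT_ID, REQUEST_NONCE),
        "logout_token as ID Token": check_id_token(
            LOGOUT_TOKEN, ISSUER, CLIENT_ID, REQUEST_NONCE),
        "logout_token as Logout Token": check_logout_token(
            LOGOUT_TOKEN, ISSUER, CLIENT_ID),
        "id_token as Logout Token": check_logout_token(
            ID_TOKEN, ISSUER, CLIENT_ID),
    }


if __name__ == "__main__":
    for case, errs in cross_check().items():
        print(f"{case}: {'accepted' if not errs else errs}")
```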
</body>
</html>