<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">Hi Torsten,</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">thanks for the feedback. Some comments
below.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 06.06.20 at 10:35, Torsten
Lodderstedt wrote:<br>
</div>
<blockquote type="cite"
cite="mid:89CB8B06-3E4B-4299-9ADE-874C0DA0CDCC@lodderstedt.net">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Hi Daniel,</div>
<div dir="ltr"><br>
<blockquote type="cite">On 05.06.2020 at 10:20, Daniel
Fett via Openid-specs-fapi
<a class="moz-txt-link-rfc2396E" href="mailto:openid-specs-fapi@lists.openid.net"><openid-specs-fapi@lists.openid.net></a> wrote:</blockquote>
</div>
<br>
<div>Here are my comments:</div>
</blockquote>
<blockquote type="cite"
cite="mid:89CB8B06-3E4B-4299-9ADE-874C0DA0CDCC@lodderstedt.net">
<div>- „shall support at least one of the following
methods to sign the authorization response:“</div>
<div>I think the AS must support at least one mode for
interoperability reasons. I think this should be JARM and ID
token may be supported (for the purpose of this profile) for
backward compatibility reasons.</div>
</blockquote>
Good point. In the spirit of forcing on-the-wire interop, making
JARM a "shall" makes sense.<br>
<blockquote type="cite"
cite="mid:89CB8B06-3E4B-4299-9ADE-874C0DA0CDCC@lodderstedt.net">
<div>„OPEN QUESTION: how to handle userinfo response type
selection? OIDC core says: depends on client registration“ I
think that's fine. We use the same philosophy for all sorts of
request and response signing. It's determined by client
registration parameters + general deployment metadata (what is
generally supported/expected).</div>
</blockquote>
Makes sense. I removed this question. I wonder if we should make the
userinfo mandatory for OIDC-supporting implementations, but I feel
that this can be left up to the implementers.<br>
<p>I also made fixes for the other two points that you raised. I
will upload a new version in the next minutes.</p>
<p>-Daniel<br>
</p>
<blockquote type="cite"
cite="mid:89CB8B06-3E4B-4299-9ADE-874C0DA0CDCC@lodderstedt.net">
<div><br>
</div>
<div>best regards,</div>
<div>Torsten.</div>
<blockquote type="cite">
<div dir="ltr">
<p>One open question is whether we can give recommendations
regarding resource request and response signing. We
currently have <a
href="https://bitbucket.org/openid/fapi/src/master/Financial_API_HTTP_Signing.md"
moz-do-not-send="true">https://bitbucket.org/openid/fapi/src/master/Financial_API_HTTP_Signing.md</a>
which lists "typical requirements" but does not give
concrete advice.</p>
<p>ETSI is developing JAdES and there is some work ongoing in
the IETF HTTP group as well.</p>
<p>What are other options that we should take a look at?</p>
<p>-Daniel<br>
</p>
<span>_______________________________________________</span><br>
<span>Openid-specs-fapi mailing list</span><br>
<span><a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-fapi@lists.openid.net">Openid-specs-fapi@lists.openid.net</a></span><br>
<span><a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a></span><br>
</div>
</blockquote>
</blockquote>
<p><br>
</p>
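<p>The thread above settles on requiring JARM (JWT Secured Authorization Response Mode) for the signed authorization response. What follows is an added example of that round trip, written for this page and not taken from the FAPI profile, the JARM specification or any OpenID project: the AS wraps <code>code</code> and <code>state</code> in a signed JWT for <code>response_mode=query.jwt</code>, and the client checks the signature, <code>iss</code>, <code>aud</code>, <code>exp</code> and <code>state</code> before it uses the code. The issuer, client_id, redirect URI and key are invented, and HS256 with a shared secret stands in for the asymmetric PS256/ES256 signing and JWKS key lookup a FAPI deployment would use, so that the example runs on the Python standard library alone.</p>

```python
"""JARM round trip: the AS signs its authorization response as a JWT
(response_mode=query.jwt) and the client validates that JWT before it
trusts the code or state inside.

Added illustration, not code from the FAPI profile, the JARM spec or any
OpenID project.  Assumptions that are not on the page:
- HS256 with a shared secret, so the example needs only the standard
  library; a FAPI deployment uses an asymmetric JWS alg (PS256/ES256) and
  the client fetches the AS signing key from its JWKS endpoint by kid.
- The issuer, client_id, redirect URI and key below are made up.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

ISSUER = "https://as.example"                    # assumed AS issuer
CLIENT_ID = "s6BhdRkqt3"                         # assumed client_id
REDIRECT_URI = "https://client.example/cb"       # assumed redirect URI
SHARED_KEY = b"demo-only-shared-key-not-for-production"
JARM_LIFETIME = 600                              # seconds until exp


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    """Compact JWS over header.claims with HMAC-SHA256."""
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def as_build_jarm_redirect(code: Optional[str], state: str,
                           error: Optional[str] = None,
                           now: Optional[int] = None) -> str:
    """AS side: put the response parameters into a signed JWT and return the
    redirect URL.  Error responses are signed the same way."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "exp": now + JARM_LIFETIME,
              "state": state}
    if error is not None:
        claims["error"] = error
    else:
        claims["code"] = code
    jwt = sign_hs256({"alg": "HS256", "typ": "JWT"}, claims, SHARED_KEY)
    return REDIRECT_URI + "?" + urlencode({"response": jwt})


class JarmError(Exception):
    """Raised when the response must not be used."""


def client_validate_jarm(redirect_url: str, expected_state: str,
                         now: Optional[int] = None) -> dict:
    """Client side: signature, iss, aud, exp and state are all checked before
    the code is handed back.  Any failure raises JarmError."""
    now = int(time.time()) if now is None else now
    params = parse_qs(urlsplit(redirect_url).query)
    if len(params.get("response", [])) != 1:
        raise JarmError("missing response parameter")
    if "code" in params or "state" in params:
        # A client expecting JARM must not fall back to unsigned parameters.
        raise JarmError("unsigned response parameters present")
    parts = params["response"][0].split(".")
    if len(parts) != 3:
        raise JarmError("malformed JWT")
    h64, c64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":
        # Pin the expected alg; never let the token pick it (alg=none, key confusion).
        raise JarmError("unexpected alg")
    expected = hmac.new(SHARED_KEY, f"{h64}.{c64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise JarmError("bad signature")
    claims = json.loads(b64url_decode(c64))
    if claims.get("iss") != ISSUER:
        raise JarmError("iss mismatch")      # response from another AS (mix-up)
    if claims.get("aud") != CLIENT_ID:
        raise JarmError("aud mismatch")      # response issued for another client
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise JarmError("expired")
    if claims.get("state") != expected_state:
        raise JarmError("state mismatch")    # not the answer to our request
    if "error" in claims:
        raise JarmError("authorization error: " + str(claims["error"]))
    if not claims.get("code"):
        raise JarmError("no code in response")
    return claims


if __name__ == "__main__":
    url = as_build_jarm_redirect("SplxlOBeZQQYbYS6WxSbIA", "af0ifjsldkj")
    print(client_validate_jarm(url, "af0ifjsldkj")["code"])
```

<p>The order of checks matters less than their completeness: the signature proves the response was produced by the holder of the key, <code>iss</code> and <code>aud</code> bind it to this AS and this client (which is what closes the mix-up attack a plain <code>code</code>/<code>state</code> query cannot), <code>exp</code> limits replay, and <code>state</code> ties it to the request the client actually sent. Error responses are carried inside the JWT as well, so a client cannot be tricked by an unsigned <code>error</code> parameter either.</p>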
</body>
</html>