<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Your three points below aren't related to each other --
    specifically, the middle one about resource registration isn't
    related to key publication, at all. <br>
    <br>
    To the middle point: We state that the AS needs to support dynamic
    resource registration (and client registration, which is a
    prerequisite) and must allow the issuance of the corresponding PAT
    through a normal OAuth flow (as opposed to the magical "you get a
    token somehow we don't care" method in Core UMA). Such OAuth
    behavior is already profiled in the OAuth profile which profiles
    OAuth. If you think this can be clearer, please submit text making
    it so.<br>
    <br>
    To the first and third points: It's stated in the OAuth profile that
    the AS's JWK Set must be able to be fetched over HTTPS and may be
    cached. It's up to the other side to do the fetching and caching,
    including any RS that needs to register sets. I don't believe that
    needs to be spelled out separately, but if you think it does, please
    submit text.<br>
    <br>
    Thanks,<br>
     -- Justin<br>
    <br>
    <div class="moz-cite-prefix">On 12/3/2015 4:35 AM, Adrian Gropper
      wrote:<br>
    </div>
    <blockquote
cite="mid:CANYRo8j0cwM+CE0uP0==66yo+5UeJ_ixxtSRYs4jRQWKYm2T8Q@mail.gmail.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      <div dir="ltr">
        <div>In section 4.1 Discovery of <a moz-do-not-send="true"
            href="http://openid.bitbucket.org/HEART/openid-heart-oauth2.html">http://openid.bitbucket.org/HEART/openid-heart-oauth2.html</a>,
          we have the requirement for each AS to have a public key (
          jwks_uri The fully qualified URI of the server's public key in
          <a moz-do-not-send="true"
href="http://openid.bitbucket.org/HEART/openid-heart-oauth2.html#RFC7517">JWK
            Set</a> <cite title="NONE">[RFC7517]</cite> format
          ) This is good and clear.<br>
          <br>
        </div>
        <div>Correspondingly, in the UMA profile <a
            moz-do-not-send="true"
            href="http://openid.bitbucket.org/HEART/openid-heart-uma.html">http://openid.bitbucket.org/HEART/openid-heart-uma.html</a>
          I might expect a clearer reference to the resource
          registration aspects of UMA. As far as I can tell, this is
          mentioned in Section 2. Tokens as "It is RECOMMENDED that the
          PAT use a user-delegated mechanism for issuance and the AAT
          use a non-delegated method for issuance."<br>
          <br>
        </div>
        <div>Does the HEART UMA profile require that a Resource Server
          MUST be capable of storing a separate AS public key
          (presumably the jwks_uri in OAuth 4.1) for every registered
          resource? If so, where is this stated and could it be made
          clearer?<br>
          <br>
        </div>
        <div>Adrian<br>
        </div>
        <div>
          <div><br>
            -- <br>
            <div class="gmail_signature">
              <div dir="ltr">
                <div>
                  <div dir="ltr">
                    <div>
                      <div dir="ltr">
                        <div><br>
                          <div dir="ltr">Adrian Gropper MD<br>
                            <br>
                            <span
                              style="font-family:'Arial',sans-serif;color:rgb(31,73,125)">PROTECT
                              YOUR FUTURE - RESTORE Health Privacy!</span><span
                              style="font-family:'Arial',sans-serif;color:rgb(31,73,125)"><br>
                              HELP us fight for the right to control
                              personal health data.</span><span
                              style="font-family:'Arial',sans-serif;color:rgb(31,73,125)"><br>
                              DONATE:
                              <a moz-do-not-send="true"
                                href="http://patientprivacyrights.org/donate-2/"
                                target="_blank"><span
                                  style="color:rgb(5,99,193)">http://patientprivacyrights.org/donate-2/</span></a></span>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <br>
      <pre wrap="">_______________________________________________
Openid-specs-heart mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-heart@lists.openid.net">Openid-specs-heart@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-heart">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a>
</pre>
    </blockquote>
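<p>The first and third points above put the fetching and caching of the AS's JWK Set on the relying side (an RS that registers resource sets included). The following is an added example of what that side has to get right, written for this thread and not taken from the HEART profiles or any project: it refuses a non-HTTPS <code>jwks_uri</code>, caches the JWK Set per URI with a TTL, selects signing keys by <code>kid</code>, and on an unknown <code>kid</code> refetches at most once per interval so that a bogus <code>kid</code> in a token header cannot make the RS hammer the AS. The URI <code>https://as.example/jwks.json</code>, the two JWK Set documents, the key ids and the modulus values are constructed for the demo; the fetch function is a stand-in for an HTTPS client.</p>

```python
import json
import time
from urllib.parse import urlparse


class JwksCache:
    """Per-jwks_uri cache of an AS's signing keys, looked up by kid."""

    def __init__(self, fetch, ttl_seconds=3600, min_refetch_seconds=60,
                 now=time.monotonic):
        self._fetch = fetch              # callable(url) -> JWK Set JSON text
        self._ttl = ttl_seconds          # how long a fetched set is trusted
        self._min_refetch = min_refetch_seconds  # floor between rotation refetches
        self._now = now                  # injectable clock for testing
        self._entries = {}               # jwks_uri -> (fetched_at, {kid: jwk})

    def _load(self, jwks_uri):
        # The OAuth profile requires the JWK Set to be fetched over HTTPS.
        if urlparse(jwks_uri).scheme != "https":
            raise ValueError("jwks_uri must be https: %r" % (jwks_uri,))
        doc = json.loads(self._fetch(jwks_uri))
        keys = {}
        for jwk in doc.get("keys", []):
            if jwk.get("use", "sig") != "sig":
                continue                 # encryption-only keys never verify tokens
            kid = jwk.get("kid")
            if kid:
                keys[kid] = jwk          # a key without a kid cannot be selected
        self._entries[jwks_uri] = (self._now(), keys)
        return keys

    def get_key(self, jwks_uri, kid):
        entry = self._entries.get(jwks_uri)
        if entry is None or self._now() - entry[0] >= self._ttl:
            keys = self._load(jwks_uri)  # first use or cache expired
        else:
            keys = entry[1]
        if kid in keys:
            return keys[kid]
        # Unknown kid: the AS may have rotated keys. Refetch, but rate-limit it
        # so an attacker-chosen kid cannot turn the RS into a request generator.
        fetched_at = self._entries[jwks_uri][0]
        if self._now() - fetched_at >= self._min_refetch:
            keys = self._load(jwks_uri)
            if kid in keys:
                return keys[kid]
        raise KeyError("no signing key with kid=%r at %s" % (kid, jwks_uri))


class FakeClock:
    """Constructed monotonic clock so the demo is deterministic."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Walk the cache through first fetch, cache hit, key rotation and a bad scheme."""
    clock = FakeClock()
    # Constructed JWK Sets; the modulus values are placeholders, not real keys.
    jwks_v1 = {"keys": [
        {"kty": "RSA", "kid": "2015-12", "use": "sig", "alg": "RS256",
         "n": "CONSTRUCTED-MODULUS-1", "e": "AQAB"},
        {"kty": "RSA", "kid": "enc-1", "use": "enc", "alg": "RSA-OAEP",
         "n": "CONSTRUCTED-MODULUS-ENC", "e": "AQAB"}]}
    jwks_v2 = {"keys": jwks_v1["keys"] + [
        {"kty": "RSA", "kid": "2016-01", "use": "sig", "alg": "RS256",
         "n": "CONSTRUCTED-MODULUS-2", "e": "AQAB"}]}
    state = {"fetches": 0, "doc": jwks_v1}

    def fetch(url):                      # stand-in for an HTTPS GET of jwks_uri
        state["fetches"] += 1
        return json.dumps(state["doc"])

    cache = JwksCache(fetch, ttl_seconds=3600, min_refetch_seconds=60, now=clock)
    uri = "https://as.example/jwks.json"
    first = cache.get_key(uri, "2015-12")           # fetch #1
    cache.get_key(uri, "2015-12")                   # served from cache
    fetches_after_cached = state["fetches"]
    clock.t = 30.0
    try:
        cache.get_key(uri, "2016-01")               # unknown kid, too soon to refetch
        early_rotation = "found"
    except KeyError:
        early_rotation = "rejected"
    clock.t = 120.0
    state["doc"] = jwks_v2                          # AS publishes the rotated key
    rotated = cache.get_key(uri, "2016-01")         # refetch #2 finds it
    try:
        cache.get_key(uri, "enc-1")                 # encryption key is not a signing key
        enc_key = "selectable"
    except KeyError:
        enc_key = "not selectable"
    try:
        cache.get_key("http://as.example/jwks.json", "2015-12")
        plain_http = "accepted"
    except ValueError:
        plain_http = "refused"
    return {"first_kid": first["kid"], "fetches_after_cached": fetches_after_cached,
            "early_rotation": early_rotation, "rotated_kid": rotated["kid"],
            "enc_key": enc_key, "plain_http": plain_http,
            "fetches_total": state["fetches"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

<p>Signature verification itself is left to a JOSE library fed with the selected JWK; what the cache decides is which key that library is allowed to use and how often the AS gets asked for a fresh set.</p>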
    <br>
  </body>
</html>