[Openid-specs-risc] openid/sharedsignals: Comment created on issue 230
github at oidf.org
Tue Sep 16 17:41:22 UTC 2025
openid/sharedsignals event
Issue Comment created on issue 230
Issue Title: Confusion about the origin of the 'aud' value in the stream configuration
https://github.com/openid/sharedsignals/issues/230
Comment: I have now seen three possibilities for defining the `aud` value in implementations. We should decide which of these is the "correct" way to do things so that Transmitters and Receivers can all build with the same expectations.

1. ReceiverCompany says, _"My aud value is www.receivercompany.com"._ They set up an agreement with TransmitterCompany so that any streams set up between the two companies use "www.receivercompany.com" as the aud value. The auth provided during stream creation allows the Transmitter to check that the Receiver is coming from ReceiverCompany and it is safe to send that aud value.
2. ReceiverCompany says, _"My aud value is www.receivercompany.com"_. TransmitterCompany offers a UI that allows an admin to create a stream with any company. In the UI, the admin is asked to plug in the aud value. For streams that the admin creates with ReceiverCompany, they plug in "www.receivercompany.com" as the aud value. The auth provided during stream creation allows the Transmitter to check that the Receiver is coming from ReceiverCompany and it is safe to send that aud value.
3. When TransmitterCompany creates a stream, they generate a unique aud value for the stream without regard for what company runs the Receiver. The auth provided during stream creation ensures that this is safe and uniquely identifies a Receiver.