Mike's comment (SUBSTANTIVE ISSUES)
My slightly late WGLC review follows...
SUBSTANTIVE ISSUES:
Section 3, paragraph 8: Change "extension variables such as "nonce", "userinfo", and "id_token"" to "extension parameters such as "nonce", "max_age", and "claims"". ("userinfo" and "id_token" are values within the "claims" extension parameter.)
Section 4.2, bullet 2: Change "The maximum URL length supported by Internet Explorer is 2083 ASCII characters" to "The maximum URL length supported by older versions of Internet Explorer was 2083 ASCII characters". (This has since been fixed. I know - because I filed the bug that resulted in the fix! :-) )
Section 4.2.1, paragraph 2: Change "requested values for Claims" to "private information".
Section 5.1: Change "The result MAY be either a signed or unsigned (plaintext) Request Object" to "The result MAY be either a JWT Claims Set representing the request parameters or if the JWE is a nested JWT, a signed JWT containing the request parameters".
Section 6, paragraph 2: Change "this document defines additional error values as follows" to "this document uses these additional error values".
Section 7: Change the IANA Considerations text to "This specification requests no actions by IANA."
Section 8, second paragraph: Delete the security considerations paragraph about not using "alg":"none". Using an Unsecured JWS is no worse than sending the parameters the usual way.
Comments (5)
reporter DOC
Section 3, paragraph 8: Change "extension variables such as "nonce", "userinfo", and "id_token"" to "extension parameters such as "nonce", "max_age", and "claims"". ("userinfo" and "id_token" are values within the "claims" extension parameter.)
accept
Section 4.2, bullet 2: Change "The maximum URL length supported by Internet Explorer is 2083 ASCII characters" to "The maximum URL length supported by older versions of Internet Explorer was 2083 ASCII characters". (This has since been fixed. I know - because I filed the bug that resulted in the fix! :-) )
accept
Section 4.2.1, paragraph 2: Change "requested values for Claims" to "private information".
Superseded by #3.
Section 5.1: Change "The result MAY be either a signed or unsigned (plaintext) Request Object" to "The result MAY be either a JWT Claims Set representing the request parameters or if the JWE is a nested JWT, a signed JWT containing the request parameters".
Superseded by #3.
Section 6, paragraph 2: Change "this document defines additional error values as follows" to "this document uses these additional error values".
accept.
Section 7: Change the IANA Considerations text to "This specification requests no actions by IANA."
accept.
Section 8, second paragraph: Delete the security considerations paragraph about not using "alg":"none". Using an Unsecured JWS is no worse than sending the parameters the usual way.
Reject. It is no worse, but it is better to sign. Thus, it is using "should".
reporter Re: #1. Most accepted. A few Discuss / reject remains. → <<cset 4a148c52fb34>>
reporter - changed status to resolved
Unresolved issues were made independent.
The last bullet of the last slide of https://www.ietf.org/proceedings/94/slides/slides-94-oauth-5.pdf says: Section 7 – False statement: ● The request_object_signing_alg OAuth Dynamic Client Registration Metadata is pending registration by OpenID Connect Dynamic Registration specification. ● The registry doesn't have it and Connect's Registration "makes no requests of IANA"
This is not false. (I didn't say so from the microphone in the room in the interest of time.) http://openid.net/specs/openid-connect-registration-1_0-29.html#DynRegContents, the current errata 2 draft version, contains the registration request for request_object_signing_alg. It has not yet been submitted to IANA but it will be soon.
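The "alg":"none" disagreement in the comments and the request_object_signing_alg metadata discussed here meet on the authorization server: an Unsecured JWS is only acceptable from a client that registered "none", and any other request object must verify under the alg the client registered. The following Python is an added example, not code from the draft or from either commenter; the client table, the HMAC secret and carrying client_id as a claim inside the request object are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
# Constructed client registry: request_object_signing_alg is the registration
# metadata the thread mentions; ids and the HMAC secret are made-up sample data.
CLIENTS = {
    "client-hs256": {"request_object_signing_alg": "HS256", "secret": b"constructed-demo-secret"},
    "client-none": {"request_object_signing_alg": "none", "secret": None},
}
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def make_request_object(client_id: str, params: dict) -> str:
    # Client side: wrap the parameters in a compact JWS (assumption: client_id travels as a claim).
    client = CLIENTS[client_id]
    alg = client["request_object_signing_alg"]
    header = b64url_encode(json.dumps({"alg": alg}).encode())
    payload = b64url_encode(json.dumps(dict(params, client_id=client_id)).encode())
    if alg == "none":  # Unsecured JWS: the third segment is empty
        return f"{header}.{payload}."
    sig = hmac.new(client["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"
def verify_request_object(jws: str) -> dict:
    # Server side: return the request parameters, or raise ValueError.
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    client = CLIENTS.get(claims.get("client_id"))
    # The alg in use must equal what the client registered, so an HS256 client's
    # request object cannot be replayed as "alg":"none" with the signature dropped.
    if client is None or header.get("alg") != client["request_object_signing_alg"]:
        raise ValueError("unknown client or alg differs from registered request_object_signing_alg")
    if header["alg"] == "none":
        if parts[2] != "":
            raise ValueError("unsecured JWS must carry an empty signature segment")
        return claims
    expected = hmac.new(client["secret"], f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return claims
def rejects(jws: str) -> bool:
    # True when the authorization server refuses the request object.
    try:
        verify_request_object(jws)
    except ValueError:
        return True
    return False
```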