Re: [OAUTH-WG] WGLC on Assertion Drafts

Chuck Mortimore <> Fri, 13 April 2012 17:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C2C7D21F87A5 for <>; Fri, 13 Apr 2012 10:20:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ywhtWuUTLjD9 for <>; Fri, 13 Apr 2012 10:20:14 -0700 (PDT)
Received: from ( []) by (Postfix) with SMTP id 04CCA21F87A2 for <>; Fri, 13 Apr 2012 10:20:13 -0700 (PDT)
Received: from ([]) by ([]) with SMTP ID; Fri, 13 Apr 2012 10:20:14 PDT
Received: from ([]) by ([]) with mapi; Fri, 13 Apr 2012 10:20:13 -0700
From: Chuck Mortimore <>
To: "Zeltsan, Zachary (Zachary)" <>, "Tschofenig, Hannes (NSN - FI/Espoo)" <>, "" <>
Date: Fri, 13 Apr 2012 10:20:10 -0700
Thread-Topic: [OAUTH-WG] WGLC on Assertion Drafts
Message-ID: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_CBADAE5A2A162cmortimoresalesforcecom_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] WGLC on Assertion Drafts
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 13 Apr 2012 17:20:17 -0000

Hi Zachary - sorry about the delay in responding.

Perhaps the language is a bit confusing - let me explain the intent and see if it makes sense and if you have a recommendation on how it could be made clearer.

All this is really saying is that the Authorization server must validate the signature to make sure the Issuer is who they say they are.   The authorization server would use the Issuer as it's mechanism for looking up either the shared secret for an HS256 or the public key for RS256.   It then checks the signature, and proves to itself that the generator of the assertion had possession of the expected keying material and identified itself as the issuer.

Feedback welcome


On 4/5/12 1:33 PM, "Zeltsan, Zachary (Zachary)" <> wrote:


The draft, section 6.1 has the following requirement:

The Authorization Server MUST validate the assertion in order to
      establish a mapping between the Issuer and the secret used to generate the assertion.

I thought that checking a signature is a part of the assertion validation, which cannot be done without knowing the mapping between the issuer and the secret used to generate the assertion.
It appears that the quoted text requires validation of the assertion prior to checking the signature.
What am I missing?


From: [] On Behalf Of Tschofenig, Hannes (NSN - FI/Espoo)
Sent: Thursday, April 05, 2012 10:47 AM
Subject: [OAUTH-WG] WGLC on Assertion Drafts

Hi all,

this is a Last Call for comments on these three documents:

Please have your comments in no later than April 23rd.

Do remember to send a note in if you have read the document and have no other comments other than "it's ready to go" - we need those as much as we need "I found a problem".


Hannes & Derek