> OPs would still send "sub", since the pair ("iss", "sub") is the
> universal account identifier for OpenID Connect.  It would just be
> computed in the specified manner.

I don't think that follows, Mike.
OP sends sub_jwk; RP calculates sub; now RP has {iss,sub} to use as universal 
account id; regardless of whether sub was also transmitted. Better to save some 
bytes; and eliminate an error condition (sub & sub_jwk mismatching).

--
James Manger
_______________________________________________
security mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-security
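
An added example, not part of the thread or of any OpenID specification text: an RP deriving "sub" from "sub_jwk" and using {iss, sub} as the account id, including the mismatch case that arises only when "sub" is also transmitted. The thread says only that sub is "computed in the specified manner"; this sketch assumes an RFC 7638 style SHA-256 JWK thumbprint, and the function names, issuer and key values are hypothetical and constructed. Signature verification of the ID Token is assumed to have happened already.

```python
import base64
import hashlib
import json

# Members that enter the thumbprint, per key type (RFC 7638 section 3.2).
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def sub_from_jwk(jwk: dict) -> str:
    """Assumed derivation: base64url(SHA-256(canonical JSON of required members))."""
    kty = jwk.get("kty")
    names = THUMBPRINT_MEMBERS.get(kty) if isinstance(kty, str) else None
    if names is None:
        raise ValueError("unsupported or missing kty in sub_jwk")
    if not all(isinstance(jwk.get(n), str) and jwk[n] for n in names):
        raise ValueError("sub_jwk lacks a required public key member")
    # Optional members (kid, use, ...) are dropped so they cannot change the id.
    canonical = json.dumps({n: jwk[n] for n in names},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def account_id(claims: dict) -> tuple:
    """Return (iss, sub) for claims whose signature was already verified."""
    derived = sub_from_jwk(claims["sub_jwk"])
    sent = claims.get("sub")
    # This error condition exists only if the OP also transmits "sub".
    if sent is not None and sent != derived:
        raise ValueError("sub does not match thumbprint of sub_jwk")
    return (claims["iss"], derived)


# Constructed sample input: placeholder coordinates, not a real key.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "AAAA", "y": "BBBB", "kid": "ignored"}
SAMPLE_CLAIMS = {"iss": "https://self-issued.example", "sub_jwk": SAMPLE_JWK}

if __name__ == "__main__":
    print(account_id(SAMPLE_CLAIMS))
```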
