diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml
index b475d30..54a612d 100644
--- a/openid-federation-1_0.xml
+++ b/openid-federation-1_0.xml
@@ -6389,6 +6389,8 @@ HTTP/1.1 302 Found
REQUIRED.
Its value MUST be the Entity Identifier of the OP.
+ This claim is only used in Explicit Registration requests,
+ since it is not a general Entity Statement claim.
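Review bot: the "since" in the added sentence turns a scope statement into a causal one, and not being a general Entity Statement claim is not the reason the claim appears only in requests. Suggest the construction the response-side text uses, e.g. "This claim is used in Explicit Registration requests but is not a general Entity Statement claim." so that the request and response descriptions read in parallel.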
@@ -6437,6 +6439,13 @@ HTTP/1.1 302 Found
the content type to determine whether it contains an Entity Configuration
or an entire Trust Chain.
+
+ The OP MUST validate the RP's explicit registration request JWT.
+ All the normal Entity Statement validation rules apply.
+ In addition, if the aud (audience)
+ claim value is not the Entity Identifier of the OP,
+ then the request MUST be rejected.
+
If the request contains an Entity Configuration the OP
MUST use it to complete the Federation Entity Discovery by
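Review bot: the new rejection rule covers only a mismatching aud value; since the claim is REQUIRED, an absent aud should be rejected just as explicitly, e.g. "if the aud (audience) claim is absent or its value is not the Entity Identifier of the OP, the request MUST be rejected." It would also help to say whether an aud array that contains the OP's Entity Identifier among other values is acceptable, since JWT permits a multi-valued aud. Minor: "explicit registration request JWT" is lowercase where the surrounding text capitalizes "Explicit Registration".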
@@ -6610,10 +6619,10 @@ HTTP/1.1 302 Found
REQUIRED.
- Its value MUST be the Entity Identifier of the RP. See
- for the full specification. This
- claim is specific to Explicit Registration responses and is
- not a general Entity Statement claim.
+ Its value MUST be the Entity Identifier of the RP.
+ See for the full specification.
+ This claim is used in Explicit Registration responses
+ but is not a general Entity Statement claim.
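Review bot: "See for the full specification." has no reference target between "See" and "for" in both the old and the new text; please confirm the cross-reference element survives in the source, otherwise the sentence is incomplete. The remainder of the hunk is a rewording with no change in meaning.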
@@ -6677,6 +6686,10 @@ HTTP/1.1 302 Found
in a Trust Chain that the RP successfully resolved for the
OP when it prepared the Explicit Registration request.
+
+ The RP MUST verify that the aud (audience)
+ claim value is its Entity Identifier.
+
The RP MUST verify that the
trust_anchor_id represents one
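Review bot: unlike the OP-side rule, the added RP requirement states the check but not what happens when it fails; suggest "If the aud (audience) claim is absent or its value is not the RP's Entity Identifier, the RP MUST reject the response." so the request and response rules are symmetric.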
@@ -9825,7 +9838,8 @@ Host: op.umu.se
-40
- TBD
+ Fixed #88: Explicitly require audience validation for
+ explicit registration requests and responses.
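Review bot: removing the "40" version line together with the "TBD" placeholder looks unintended; unless the version heading is kept in context not shown here, the new "Fixed #88" entry will be listed under the previous version's changes. Please retain the -40 heading and replace only the TBD line.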