[Openid-specs-ab] Spec call notes 20-Jun-11

Mike Jones Michael.Jones at microsoft.com
Mon Jun 20 23:23:44 UTC 2011


Spec call notes 20-Jun-11

Nat Sakimura
Mike Jones
John Bradley
Edmund Jay
Breno de Medeiros

The Connect specs are now checked in at http://svn.openid.net/repos/specifications/connect/1.0/ and available in HTML and TXT versions in the openid.net specs directory.  See:
http://openid.net/specs/openid-connect-core-1_0.html
http://openid.net/specs/openid-connect-ab-1_0.html
http://openid.net/specs/openid-connect-code-1_0.html
http://openid.net/specs/openid-connect-swd-1_0.html
http://openid.net/specs/openid-connect-userinfo-1_0.html

Status check of each sub-specs:

- Core
                Breno to send feedback to the list, including about:
                                Breno:  Core section 4 - "Authorization type must include token"
                                Request parameter name 4.1.1 "req" -> "request" for consistency
                                Session audience "session_audience"
                                4.1.1.1 Why is "server_id" not "issuer" or "origin"?
                                                Different than other things named "*_id"
                Breno asked why the code binding is separate from the core?
                                Nat responded because the core introduces the protocol elements and not just the messages
                                Breno said that having the code define the standard bindings would eliminate a lot of duplication
                                One possibility is to have binding subsections defining the code binding in the core spec
                                Nat asked how this applies to the implicit flow
                Session management spec currently in core. Maybe make separate?
                                Session management may not make sense outside of HTTP binding
                                Breno doesn't want to create more documents than we have to
                                But session management is clearly specific to the HTTP binding
                                Nat said that since a session is an identity token, it could make sense for other bindings

- UserInfo
                Mike asked whether the address claim should be a structure or a set of individual claims
                We decided to use a structured address claim with fields like postal_code

- Session Management
                4.1.1 Missing session parameter than can be passed in every request to indicate user

- Dynamic Registration
                John sent an OpenID Connect Simple Client Registration draft for feedback
                John gave us background

- JWE
                Mike plans to do the JWT encryption work following an OAuth bearer token update

- OpenID 2.0 Migration
                Breno wants to defer working on the migration spec this until the discovery is solid

We agreed that finishing the missing functionality is the top priority (rather than editorial restructuring)
Nat will send an invitation for a supplemental call in three days on Thursday Pacific / Friday Japan at the standard time

We will begin doing version control at http://svn.openid.net/repos/specifications/connect
Mike will work on subversion access for the active editors using these e-mail addresses:
                sakimura at gmail.com
                ve7jtb at ve7jtb.com
                ejay at mgi1.com
                breno at google.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110620/db35f15c/attachment.html>


More information about the Openid-specs-ab mailing list