[Openid-specs-ab] Spec call notes 21-May-12

Mike Jones Michael.Jones at microsoft.com
Tue May 22 00:22:53 UTC 2012


Spec call notes 21-May-12

Mike Jones
Nat Sakimura
Edmund Jay
Pamela Dingle
John Bradley

Agenda:
                Open Issues
                Editing and Release Planning
                JOSE
                Discovery
                OAuth

Open Issues:
                #360 Registration 2.1 - What is application_type (native, web) used for?
                                Mike will send a reminder - Causes differences in flows that you can use,
                                changes security properties, changes whether you can get a refresh token
                #539 Messages - 0. Add scope for offline access
                                We need someone to make a specific proposal - Mike will ask for one
                                One issue is whether we require a stateful IdP like AOL
                                                AOL invalidates Access Tokens when the session ends
                                                AOL refresh tokens only valid for the life of the authentication session
                #562: Standard - Nonce implementation suggestion is worded too strongly
                                On John's to-do list
                #578 Messages - 4.4 Symmetric Encryption key using client_secret
                                We should still describe how this can be done but say that it is not recommended
                #582 Overlay client request registration over the authentication request
                                The working group requests that Nat produce a specific proposal of what would be added
                #584: Messages - Username claim
                                The working group decided to do local_user_handle if anything and requested more specific feedback
                #587: Registration - 2.1 Should mention about OAuth Bearer Authz Scheme
                                Assigned to John after he left the call to catch a flight
                #591 Behavior for clients without registered redirect_uris is not well defined
                                The WG believes that we need to be more specific than OAuth was to avoid problems
                #594 Basic 2.1, Implicit 2.1 - claims_in_id_token scope missing
                                Mike will fix

Editing and Release Planning:
                Nat, John, Mike, and Edmund got most of the changes decided upon at the face-to-face done last week
                We should finish the changes with normative impact, other than #566 and #582 before doing a release
                Mike got all his assigned edits checked in, but has one new one: #594
                Nat has done all his normative checkins, and may do some of the nice-to-haves such as #257 & #543
                We need John to do #562 & #578 before the release.  Nice-to-have would be #587

JOSE:
                We need to be actively following and participating in the discussions on the JOSE list
                                https://www.ietf.org/mailman/listinfo/jose

Discovery:
                Murray Kucherawy (the IETF Apps WG chair) let Mike know that the Apps WG has been told that it can't
                                add another spec until work on an inactive one officially stops or one is finished
                Murray believes this will happen in June

OAuth:
                The JWT and the JWT Profile specs are about to be submitted by Mike as OAuth WG specs