[Openid-specs-ab] 24 hour notice for review of potential Implementer's Drafts

John Bradley ve7jtb at ve7jtb.com
Thu May 30 22:19:39 UTC 2013

There are two likely possibilities; one is as you suggest:
1: adding a claim that is the JWS-signed discovery document. The only downside to this is increasing the size of the non-signed document.
2: using content negotiation to request it as a JWS.

They are both non breaking changes that can be experimented with, from a discovery perspective. 

The missing part is describing the trust model in some sensible way, which is probably a separate document.

Option 2 also has the advantage that it requires no real changes to the discovery spec other than pointing to JWS and specifying the mime type from that spec.

We have sort of run down on time for getting Connect out, so new features that can be added later are a lower priority.

The Account Chooser WG meeting coming up is planning on discussing their requirements for trusted meta-data at the F2F in Redmond June 11 as well.

We can discuss it more on Sunday.

John B.

On 2013-05-30, at 5:59 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:

> Hi Leif,
> I’m sorry that discussion on this dropped off before it reached any definitive conclusions.  I must admit, it slipped off my personal radar while trying to get the updated JOSE drafts and Connect drafts out in a timely manner.
> I think we should proceed with the drafts as-is and not try to slip this in at the last minute, in part, because I think there are unanswered issues and questions about the proposal.  Some of those are:
>   - I’m personally queasy with the proposal that we duplicate all the discovery information in a signed form.  That raises questions about who checks the consistency, what happens if they’re inconsistent, etc.
>   - An alternative would be to take an either/or approach, where either the discovery claims are in plaintext or they’re in a signed JWT.  But that makes clients more complicated.
> If there weren’t those unanswered questions, I’d probably feel differently about adding it now.
> The good news is that your proposal is additive, rather than a breaking change.  So if we decide in the next few months that we want to do it as you proposed, we can always add it before the specs go final.  So keep the discussion going…
> Anyway, that’s how I see it.
> -- Mike
> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Leif Johansson
> Sent: Thursday, May 30, 2013 12:10 PM
> To: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] 24 hour notice for review of potential Implementer's Drafts
> On 05/30/2013 05:48 PM, Mike Jones wrote:
> Unless anyone expresses objections and clearly describes the specific changes they think are needed before we declare the start of the Implementer’s Draft review, we will go with the current specs 24 hours from now.  The specs are at the locations below.  See the History entries for a summary of (the minor) changes that have been made.
> - http://openid.net/specs/openid-connect-basic-1_0-27.html
> - http://openid.net/specs/openid-connect-implicit-1_0-10.html
> - http://openid.net/specs/openid-connect-messages-1_0-19.html
> - http://openid.net/specs/openid-connect-standard-1_0-20.html
> - http://openid.net/specs/openid-connect-discovery-1_0-16.html
> - http://openid.net/specs/openid-connect-registration-1_0-18.html
> - http://openid.net/specs/openid-connect-session-1_0-14.html
> -- Mike
> I'm not seeing any discussion of the signed-discovery response idea that I floated
> a couple of weeks ago. The idea seemed to have some support on the list but I
> confess to being un-informed about the procedure for moving forward with that
> idea.
> Cheers, Leif
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
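As an added illustration of option 1 from John's list (this is example code, not code from the thread or from any OpenID spec): a discovery document that repeats its claims inside a JWS, and a client-side check that answers Mike's consistency question by rejecting the document whenever the plaintext and signed claims disagree. The claim name "signed_metadata", the HS256 shared key and the sample metadata are assumptions constructed for the example; a real provider would sign with its own asymmetric key.

```python
"""Option 1 from the thread: the discovery document carries a claim holding a
JWS over the same metadata. The claim name, key and metadata are assumptions."""
import base64
import hashlib
import hmac
import json

# Constructed shared secret standing in for the provider's signing key (HS256).
SECRET = b"example-shared-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_discovery(metadata: dict, key: bytes = SECRET) -> dict:
    """Return the plaintext discovery claims plus a JWS over the same claims."""
    header = _b64url(json.dumps({"alg": "HS256"}).encode())
    payload = _b64url(json.dumps(metadata, sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return {**metadata, "signed_metadata": f"{header}.{payload}.{_b64url(sig)}"}


def verify_discovery(doc: dict, key: bytes = SECRET) -> dict:
    """Verify the JWS, then require the plaintext claims to match the signed ones.

    Raises ValueError on a bad signature or on any inconsistent claim and
    returns the signed claims, which are the ones a client should act on.
    """
    header, payload, sig = doc["signed_metadata"].split(".")
    # Pin the algorithm on the client side; never let the token pick it.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected JWS alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("JWS signature check failed")
    signed = json.loads(_b64url_decode(payload))
    plaintext = {k: v for k, v in doc.items() if k != "signed_metadata"}
    # Mike's open question (who checks consistency?) answered the strict way:
    # a claim that differs between the two forms makes the whole document invalid.
    for claim in signed.keys() | plaintext.keys():
        if signed.get(claim) != plaintext.get(claim):
            raise ValueError(f"claim {claim!r} differs between plaintext and JWS")
    return signed
```

Option 2 (content negotiation) would use the same verify step on a bare JWS response and skip the consistency loop, since there is then only one copy of the claims.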
