[Openid-specs-ab] Spec call notes 12-Aug-13

Mike Jones Michael.Jones at microsoft.com
Tue Aug 13 00:28:12 UTC 2013


Spec call notes 12-Aug-13

John Bradley
Mike Jones
Nat Sakimura
Edmund Jay

Agenda:
                Open Issues
                Document Restructuring
                JOSE Issues
                Key Agreement Examples

Open Issues:
                #863 - Stateless Registration Discovery/Messages
                                John still needs to add a comment about the alternative method for doing this
                #864 - Native Client code leakage
                                John still needs to add a comment describing Brian's concern about mixing the layers
                John still needs to file a bug on the possibility of clients using the Code flow registering for "alg":"none"
                John hopes to do these tonight
                #865 - Registration needs update capability too
                                For instance, to update your default_acr_values, signing key location, redirect_uris, etc. values
                                We could say that if the server supports the OAuth registration spec, that additional operations like update and delete could be used
                                The alternatives are to pull that functionality into OpenID Connect or to leave that functionality absent
                #866 - Why are there two different ways to request acr?
                                See the comments in the issue
                People should participate in the thread [Openid-specs-ab] acr values
                Mike will write proposed text about Torsten's MTI issues raised in Berlin
                We should plan to apply any changes we make at least a month before the Final vote, so people have time to review them

Document Restructuring:
                Nat is still working on a document restructuring proposal
                He may be able to finish a proposal this week

JOSE Issues:
                A number of JOSE issues could result in breaking changes and/or additional implementation complexity
                                [jose] #36: Algorithm "none" should be removed
                                [jose] #41: Add key wrap to the "use" member in key containers
                                [jose] #42: Should alg be required for symmetric keys?
                                                We could handle this in a "should be included unless the application knows this through other means" manner
                                [jose] #50: "cty" (content type) should hold a media type
                                [jose] #53: Use "SEC1" format for elliptic curve keys
                                                We might need to define additional parameters for binary curves, should they need to be supported
                                [jose] #55: Mandatory entropy in ECC KDF inputs
                                [jose] #59: Allow direct signing and align with AAD
                                [jose] #28: AES-GCM should not be allowed for content encryption in combination with Direct Encryption key management mode
                People are encouraged to review these and all pending JOSE issues
                The next JOSE call will be at 4pm Pacific on Monday, August 19th (when the OpenID Connect call normally is)

Key Agreement Examples:
                Brian, Edmund, and Axel are all getting the same values
                Mike will update the JWA example accordingly