[Openid-specs-ab] Spec call notes 19-Sep-13

Mike Jones Michael.Jones at microsoft.com
Thu Sep 19 15:15:57 UTC 2013


Spec call notes 19-Sep-13

Brian Campbell
Nat Sakimura
George Fletcher
John Bradley
Justin Richer
Edmund Jay
Mike Jones

Agenda:
               Ad-hoc discussion on registration
               Ad-hoc discussion on OAuth Assertions drafts
               Pre-IIW Meeting
               Possible Pre-IETF 88 Meeting
               Open Issues
               Document Restructuring
               JOSE Issues

Ad-hoc discussion on registration:
               In the stateless case, OpenID registration shouldn't require returning a registration access token
               Justin's refactored OAuth draft actually already does this

Ad-hoc discussion on OAuth Assertions drafts:
               Mike sent a note agreeing with Brian that he knows of no new text that needs to be added

Pre-IIW Meeting:
               Registrations are open at http://openid-wg-oct-2013.eventbrite.com/
               Nat will send the announcement to the Native Application WG list as well

Possible Pre-IETF 88 Meeting:
               Karen O'Donoghue is getting a room for OAuth interop and also Connect discussions
               John will follow up with her

Open Issues:
               #874 - Security Considerations about X-Frame Header
                              Nat to propose text, possibly based on OAuth 2.0 security document
               #875 - Registration: Parameter for specifying the preferred JWS alg for JWT-based client auth?
                              This parameter would be parallel to the corresponding request object parameter
                                             That parameter is request_object_signing_alg
                              Justin will propose concrete text
               #872 - session 4.1. Opbs is unclear and conflict with "session management memo" on wiki
                              We aren't very clear on what the OP browser state is
                              We need to better define this, possibly by giving examples
                              Nat will consult with Breno about this
               #873 - session 4.1. Can we use opbs with http (not httponly)
                              The JavaScript loaded from OP needs access to the cookie
                                             So it appears that this can't be https-only
                                             But we can set the secure flag
                              George will describe this in a comment on the issue

Document Restructuring:
               Mike is in the midst of doing this in a systematic way
               He plans to first produce a draft that combines the content from Standard into the content of Messages
               He will then reorganize this combination
               This doc will be called OpenID Connect Core

JOSE Issues:
               People are encouraged to think about issue #50 and respond to the thread
                              [jose] For WG DISCUSSION: #50 - "cty" (content type) should hold a media type