[Openid-specs-ab] Spec call notes 26-Sep-13

Mike Jones Michael.Jones at microsoft.com
Fri Sep 27 01:39:45 UTC 2013


Spec call notes 26-Sep-13

Mike Jones
John Bradley
Justin Richer
Roland Hedberg
George Fletcher
Edmund Jay
Nat Sakimura

Agenda:
               Pre-IIW Meeting
               Pre-IETF 88 Meeting
               Open Issues
               Interop
               Implementation of JavaScript apps
               Document Restructuring

Pre-IIW Meeting:
               Registrations are open at http://openid-wg-oct-2013.eventbrite.com/
               We currently have 19 registrations
               The agenda includes Account Chooser, OpenID Connect, and Native Applications

Pre-IETF 88 Meeting:
               Karen O'Donoghue has a room for OAuth interop the Sunday before IETF 88
               John is still working on determining when our time block will be
               The MIT OAuth interop was cancelled
                              Interop planning discussions will be happening
               John doesn't think that there will be registration
               Mike mentioned the OAuth survey that he took, which identified several profiles other than UMA and OpenID Connect

Open Issues:
               Two new issues:
               #875 - Registration: Parameter for specifying the preferred JWS alg for JWT-based client auth?
                              Justin supplied language
                              We agreed to do this
                              John will add language about the semantics when this parameter is not used
               #876 - Google "iss" value missing https://
                              We discussed two alternatives:
                                             Warning people that Google is non-compliant, but not changing the spec
                                             Allowing the https:// to be omitted, which slightly complicates clients
                              We agreed that more discussion on this topic is needed
               There are now 16 open issues in the tracker
               #864 - Native Client code leakage
                              John and Breno talked about this
                              Breno wants to just make the proof of possession secret a string
                                             He doesn't like the hash or HMAC way of doing it
                              Breno suggested another call to the token endpoint
                                             That would avoid either side having to do crypto
                              Nat will make some revisions to his proposal
               #863 - Stateless dynamic registration
                              John and Breno talked about this
                              Breno understands how he could do stateless dynamic registration
                                             He will think about it for a few days and get back to John
               Breno also said that their session management implementation may have differences
                              It's all wrapped up in the Google Identity Toolkit
                              Breno will investigate
               #872 - Opbs is unclear
                              Nat still needs to follow up with Breno for a clarification

Interop:
               We still don't know of any Session Management interop that's occurred
               John suggested that we might want to have Google add AAD support to GITKIT
                              Including session management
               Edmund expects to have his session management code ready for testing today
               Roland may be able to look at it in the next few days
               Roland has been working on updating his RP code
                              In a way that would allow JavaScript login pages to be used

Implementation of JavaScript apps:
               Mike asked how people are doing signature validation in JavaScript only RPs
               John said that the client has a direct https connection to the Authorization Endpoint
                              If you trust the https, then you're probably OK without checking the signature
                              Justin said that if you pass the token on to another party, you'd still need to check the signature
               Mike said that apparently Facebook and Google have introspection endpoints for this case
                              John commented that they may not actually be adding much value

Document Restructuring:
               Mike finished the request and request_uri merger from Messages and Standard
                              The result is released as http://openid.net/specs/openid-connect-core-1_0-12.html
               The next step is reordering the content along the lines of Nat's draft