[Openid-specs-ab] Decisions we need to make to complete OpenID Connect

Nat Sakimura sakimura at gmail.com
Thu Oct 10 12:32:29 UTC 2013

I propose to set aside the session management. We do not have to go final all at once. We need to prioritize. 

See inline: 

Oct 10, 2013 0:15, Mike Jones <Michael.Jones at microsoft.com> wrote:

> In order to help us finish OpenID Connect in a timely manner, I wanted to put together a list of the decisions I believe we still need to make for the final specifications.  This list does not include issues in the issue tracker for which we already have decisions in place.
> · #876: Google "iss" value missing https:// - What do we say about the possibility of “iss” values without the leading https://?

Keep it as is. 

> · #863: Stateless Registration Discovery/Messages – How do we want stateless registration to occur?  (This also affects the outcome of #865: Registration needs update capability too).

New feature. Do it as an extension.

> · #864: Native Client code leakage – What do we want to say about how to handle this issue with iOS and Android, and do we want to handle it now or in an extension spec?  If in an extension spec, do we want to at least describe the issue to implementers and say to look for a future specification about this?

Do it in OAuth. 

> · #875: Registration: Parameter for specifying the preferred JWS alg for JWT-based client auth? – Do we want to add this?

New feature. Do it as an extension.

> · #879: Messages 6.1 - The OpenID Foundation may consider hosting a site https://self-issued.me/ - What are we going to say about this in the final specifications?

If we are to go as is, we should secure the domain. 

> · #880: Messages 6.2 - The OpenID Foundation may consider hosting the endpoint https://self-issued.me/registration/1.0/ – What are we going to say about this in the final specifications?


> · #881: Discovery 1 - Relationship to OAuth Dynamic Registration – What are we going to say about this in the final specifications?

If we cannot finalize this today, I would go further to propose that we go final without it. 

> · #883: Order of the description about iframe – How will we resolve this issue?

Session management should go final separately. 

> · #884: Decide whether to keep Basic and Implicit in the final set of specifications – Will we keep the Basic Client and Implicit Client specifications?

Depends on whether we can finalize the restructured version in a few days. 

If not, need to keep them. 

> · #885: Decide whether Session Management is ready to be a final specification – Will we recommend approval of Session Management as a final specification now?


> If at all possible, please join tomorrow’s call in which we will discuss these decisions.
> Also, if I’ve missed any decisions we need to make, please reply-all adding them to our list.
> Thanks all,
> -- Mike