<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Then I'd argue, as I have in the past, for a data filtering approach
    on the query to the userinfo endpoint, like you'd get with SCIM. So
    you get approved for things like the "profile" but you end up asking
    for whatever individual bits you'd want out of it at runtime.<br>
    <br>
    As it stands, I'm not sure how or if our user approval page will
    handle the fine-grained request object claims, even though we'll
    enforce them in the userinfo endpoint.<br>
    <br>
     -- Justin<br>
    <br>
    <div class="moz-cite-prefix">On 01/30/2013 12:07 PM, Mike Jones
      wrote:<br>
    </div>
    <blockquote
cite="mid:4E1F6AAD24975D4BA5B1680429673943673E68A6@TK5EX14MBXC284.redmond.corp.microsoft.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal">Interesting. The point of the Request Object is to give RPs control over the information they’re asking for and receiving. For instance, if all my RP wants is your first name and the Request Object isn’t supported, it would have to use “openid profile” to get your first name, which also comes with middle name, last name, full name, nickname, preferred_username, profile URL, picture URL, website URL, gender, birthdate, time zone, locale, and time last updated. That seems like overkill and doesn’t minimize disclosure of information to the RP.</p>
        <p class="MsoNormal">But I understand the simplicity/minimality argument for your position.</p>
        <p class="MsoNormal">Let’s make this a discussion topic on tomorrow’s call.</p>
        <p class="MsoNormal">Thanks,<br>
          -- Mike</p>
        <p class="MsoNormal"><b>From:</b> <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a> [<a class="moz-txt-link-freetext" href="mailto:openid-specs-ab-bounces@lists.openid.net">mailto:openid-specs-ab-bounces@lists.openid.net</a>] <b>On Behalf Of</b> Tim Bray<br>
          <b>Sent:</b> Wednesday, January 30, 2013 8:40 AM<br>
          <b>To:</b> <a class="moz-txt-link-rfc2396E" href="mailto:openid-specs-ab@lists.openid.net">&lt;openid-specs-ab@lists.openid.net&gt;</a><br>
          <b>Subject:</b> [Openid-specs-ab] MTI section in Messages Draft 15</p>
        <div>
          <p class="MsoNormal">I refer to the material in <a moz-do-not-send="true" href="http://openid.net/specs/openid-connect-messages-1_0.html#ImplementationConsiderations">http://openid.net/specs/openid-connect-messages-1_0.html#ImplementationConsiderations</a></p>
          <p class="MsoNormal">We’ve been discussing this at some length and probably would not ship an OP conforming to this draft, because our plans do not include support for OpenID Request Objects. It seems perfectly possible to implement an Internet-scale federated-login system with good interoperability, security, user-experience, and developer-experience properties, entirely without the use of Request Objects.</p>
          <p class="MsoNormal">Given this, why are they considered essential for the MTI section? Absent Request Objects, our chances of shipping a conforming OP are pretty good.</p>
          <p class="MsoNormal">-Tim</p>
        </div>
      </div>
      <br>
      <br>
      <pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
    </blockquote>
    <br>
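<p>The two positions above (Mike's: a Request Object lets an RP ask for one claim instead of the whole "profile" bundle; Justin's: grant the coarse scope, then filter to the individual claims the RP actually asks for at the userinfo endpoint) can both be shown with a small claim-filtering routine. The following is an added illustration, not code from either author or from any OpenID implementation. It assumes the scope-to-claim mapping of OpenID Connect Core 1.0 for the profile, email, address and phone scopes, a constructed user record, and the filtering model Justin describes: the approved scopes are the ceiling, and a fine-grained claims request can only narrow what is returned, never widen it.</p>

```python
"""Claim filtering at a userinfo endpoint.

Added example: shows the coarse "openid profile" disclosure next to a
fine-grained claims request applied as a filter. Not code from the thread's
authors or from any OpenID Connect implementation.
"""
from typing import Any, Dict, Iterable, Optional, Set

# Claims unlocked by each standard scope (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS: Dict[str, Set[str]] = {
    "profile": {
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    },
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Constructed sample user record for the example (not real data).
USER_RECORD: Dict[str, Any] = {
    "sub": "248289761001",
    "given_name": "Jane",
    "family_name": "Doe",
    "name": "Jane Doe",
    "nickname": "jdoe",
    "birthdate": "1990-05-17",
    "email": "jane@example.com",
    "email_verified": True,
    "phone_number": "+1 555 0100",
}


def claims_allowed_by_scopes(approved_scopes: Iterable[str]) -> Set[str]:
    """Union of the claims the user's approved scopes unlock; sub is always included."""
    allowed = {"sub"}
    for scope in approved_scopes:
        allowed |= SCOPE_CLAIMS.get(scope, set())
    return allowed


def filter_userinfo(
    record: Dict[str, Any],
    approved_scopes: Iterable[str],
    requested_claims: Optional[Dict[str, Any]] = None,
) -> Dict[str, Any]:
    """Return the claims a userinfo response may carry.

    requested_claims is the "userinfo" member of a Request Object / claims
    parameter, e.g. {"given_name": None, "email": {"essential": True}}.
    None means no fine-grained request was made, so the RP receives every
    claim its approved scopes unlock (the coarse "openid profile" case).
    With a request present, the response is the intersection of what the
    scopes unlock and what was asked for: asking for a claim outside the
    approved scopes does not grant it (assumed policy, per the thread).
    """
    allowed = claims_allowed_by_scopes(approved_scopes)
    if requested_claims is not None:
        wanted = set(requested_claims) | {"sub"}
        allowed &= wanted
    return {name: value for name, value in record.items() if name in allowed}


def missing_essential_claims(
    requested_claims: Dict[str, Any], response: Dict[str, Any]
) -> Set[str]:
    """Claims the RP marked essential that the filtered response does not carry.

    An OP can use this to decide whether the request can be satisfied at all,
    rather than silently returning a response the RP cannot use.
    """
    missing = set()
    for name, spec in requested_claims.items():
        if isinstance(spec, dict) and spec.get("essential") and name not in response:
            missing.add(name)
    return missing


if __name__ == "__main__":
    # Coarse grant: everything "profile" unlocks that the record holds.
    print(filter_userinfo(USER_RECORD, ["openid", "profile"]))
    # Fine-grained request narrows that to first name only.
    print(filter_userinfo(USER_RECORD, ["openid", "profile"], {"given_name": None}))
```

<p>Running the block prints the full profile bundle for the coarse grant and only <code>sub</code> plus <code>given_name</code> for the narrowed request; a request that names <code>email</code> as essential while only <code>profile</code> was approved yields a response without <code>email</code>, which <code>missing_essential_claims</code> reports so the OP can reject or re-prompt instead of over-disclosing.</p>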
  </body>
</html>