<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#002060;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060">Some of you have seen my remark below but the thread seems to have forked, so some of you have not…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060">I added one thing to William Denniss in person after we left the meeting. I want to stay completely clear of situations in which multiple kinds of messages
are sent to the same endpoint and then dispatched to do different things based on the message type. That is the pattern that led people to abandon SOAP/WS-* for REST. I don’t want to be part of recreating it.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060">For instance, I only want logout message to be sent to the OpenID Connect logout endpoint. It’s appropriate for the endpoint to
<b>*validate*</b> that the message conforms to the specified logout message syntax and otherwise reject the message. But the only action taken for messages of other types should be to drop them – not dispatch them.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060"> -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Openid-specs-risc [mailto:openid-specs-risc-bounces@lists.openid.net]
<b>On Behalf Of </b>Adam Dawes<br>
<b>Sent:</b> Monday, November 02, 2015 11:12 PM<br>
<b>To:</b> openid-specs-risc@lists.openid.net<br>
<b>Subject:</b> [Openid-specs-risc] Fwd: Unifying Event Messaging for RISC, SCIM, OIDC Logout, OAuth Token Revocation etc<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Here's a summary of a meeting from IETF to talk about Identity events which will work across standards including RISC. I did not attend the meeting but the group is looking to create a mailing list for further discussion and I'll post details
on that when that is all set up.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">AD<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">---------- Forwarded message ----------<br>
From: <b>Phil Hunt</b> <<a href="mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a>><br>
Date: Sun, Nov 1, 2015 at 10:43 PM<br>
Subject: Re: Unifying Event Messaging for RISC, SCIM, OIDC Logout, OAuth Token Revocation etc<br>
To: Barry Leiba <<a href="mailto:barryleiba@computer.org">barryleiba@computer.org</a>><br>
Cc: John Bradley <<a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>>, William Denniss <<a href="mailto:wdenniss@google.com">wdenniss@google.com</a>>, Tony Nadalin <<a href="mailto:tonynad@microsoft.com">tonynad@microsoft.com</a>>, Morteza Ansari <<a href="mailto:morteza@sharppics.com">morteza@sharppics.com</a>>,
Adam Dawes <<a href="mailto:adawes@google.com">adawes@google.com</a>>, Justin Richer <<a href="mailto:jricher@mit.edu">jricher@mit.edu</a>>, Ian Glazer <<a href="mailto:iglazer@salesforce.com">iglazer@salesforce.com</a>>, Kelly Grizzle <<a href="mailto:kelly.grizzle@sailpoint.com">kelly.grizzle@sailpoint.com</a>>,
Erik Wahlström neXus <<a href="mailto:erik.wahlstrom@nexusgroup.com">erik.wahlstrom@nexusgroup.com</a>>, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>><br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal">Thanks for the meeting. Here is a quick summary. Please reply with any corrections. <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">Adding Barry to the thread (Barry see request at bottom).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Attendees: Phil Hunt, Mike Jones, Justin Richer, John Bradley, William Denniss<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Summary: there are a number of different initiatives that are all starting to generate events around identity. We got together to talk about whether we should be aligning our efforts. The areas that may be interested are:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">OIDC - Session Logout / Revocation<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">OAuth - Token Revocation<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">RISC - Account events (take over, account reset, etc)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">SCIM - Provisioning events (has overlap with RISC)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Consent - Tracking and delivery of consent events (e.g. in a distributed healthcare system).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">the group had agreement that there should be a core “event” JWT specification developed at the IETF. This becomes the basic information packet that can be delivered via HTTP and other protocols. Once the Event JWT is defined, each group
can create profiles appropriate to their constituency. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The general feeling was that all cases need a publish and subscribe model, but that different areas might have widely varying types of subscriptions. E.g.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">* 1:1 - a web app getting notifications about changes to a user’s profile or a de-provisioning notification<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">* 1:secured set of RPs - e.g. notifying RPs about session or token revocations<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">* 1:domain - inter-domain state change notifications<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- broadcast - e.g. sending out a RISC event to interested subscriber domains.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">While I suggested the Pub/Sub/Hub model that SCIM Notify has (see the URL in a pervious msg), there was no immediate consensus that this was the right approach. We’ll have to keep talking. I also mentioned the WebPUSH work which has been
going. We think this work does not really apply since WebPUSH does not really handle one-to-many message delivery.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">We also talked that the message system should be self-healing. There might need to be a way for a subscriber to detect or confirm if it has missed any messages. E.g. clients could check message-id numbers etc. We would also like to ensure,
for scalability and security reasons, that messages are not kept for long periods of time.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:black"><img border="0" width="664" height="498" id="_x0000_i1025" src="cid:image002.jpg@01D11619.35B9AF50"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:black">One of the questions that John Bradley raised early in the discussion was how subscribers attach meaning to resource identifiers from an event publisher. This
definitely remains a question mark in some cases. I believe may SCIM have its own solution, but to be honest, we hadn’t really gone to far down the path. With that said, I think we concluded that each interest group would have to address this issue, but that
we could build some advice in the event spec.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:black">As an action item, the group agreed to approach Barry Leiba (cc’d) about starting a discussion list for events that could eventually lead to having the work
assigned to an existing WG or a new one being created. We discussed whether this fits in OAuth, SCIM, or JOSE. It seems like none of these is a good fit due to the generalized objective. Instead, we would expect WGs like SCIM and OAuth to profile the event
system for their own subject area.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:black">If folks are ok with it, I can cross-post this message on the SCIM and OAuth WG lists so we can open up the discussion. I could alternatively wait for the event
list and then let the other WG’s know about the list and the summary of this meeting.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:black">Thanks everyone for the meeting!<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:black">Phil<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:black">@independentid<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:black"><a href="http://www.independentid.com" target="_blank">www.independentid.com</a><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-family:"Helvetica","sans-serif";color:black"><a href="mailto:phil.hunt@oracle.com" target="_blank">phil.hunt@oracle.com</a><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Nov 2, 2015, at 2:09 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Phil, Justin, and I are conference room 313. Are any of the rest of you coming?<br>
<br>
-- Mike<o:p></o:p></span></p>
</div>
</div>
<div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="3" width="100%" align="center">
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:
</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a href="mailto:phil.hunt@oracle.com" target="_blank">Phil Hunt</a></span><br>
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Sent: </span>
</b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">11/2/2015 1:56 PM</span><br>
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">To: </span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a href="mailto:ve7jtb@ve7jtb.com" target="_blank">John Bradley</a></span><br>
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Cc: </span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a href="mailto:Michael.Jones@microsoft.com" target="_blank">Mike Jones</a>;
<a href="mailto:wdenniss@google.com" target="_blank">William Denniss</a>; <a href="mailto:tonynad@microsoft.com" target="_blank">
Anthony Nadalin</a>; <a href="mailto:morteza@sharppics.com" target="_blank">Morteza Ansari</a>;
<a href="mailto:adawes@google.com" target="_blank">Adam Dawes</a>; <a href="mailto:jricher@mit.edu" target="_blank">
Justin Richer</a></span><br>
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Subject: </span>
</b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Re: Unifying Event Messaging for RISC, SCIM, OIDC Logout, OAuth Token Revocation etc</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Me too! <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"">Phil<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"">@independentid<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif""><a href="http://www.independentid.com/" target="_blank">www.independentid.com</a><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-family:"Helvetica","sans-serif""><a href="mailto:phil.hunt@oracle.com" target="_blank">phil.hunt@oracle.com</a><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Nov 2, 2015, at 1:45 PM, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">I am free now I have room 313 we can use for the next hour or so.
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Nov 2, 2015, at 1:40 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060">This means that we’ll miss the CRFG meeting at 3:20, but I’ll prioritize this over CFRG, if that’s what it takes.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060">If people aren’t doing anything important now, I’d rather leave httpbis and have the discussion now than miss CRFG, given the new crypto algorithms are being
discussed there and I should probably attend.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060">Would meeting during the current session work for people?</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060"> -- Mike</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060"> </span><o:p></o:p></p>
</div>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Phil Hunt [<a href="mailto:phil.hunt@oracle.com" target="_blank"><span style="color:purple">mailto:phil.hunt@oracle.com</span></a>] <br>
<b>Sent:</b> Monday, November 02, 2015 11:12 AM<br>
<b>To:</b> William Denniss<br>
<b>Cc:</b> Anthony Nadalin; Morteza Ansari; John Bradley; Adam Dawes; Mike Jones<br>
<b>Subject:</b> Re: Unifying Event Messaging for RISC, SCIM, OIDC Logout, OAuth Token Revocation etc</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">Adding mike to the list. <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">So far 3 seems best. John has to leave at 3:45. We can always continue the conversation at dinner after tokbind. <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">I hear the concern about jwt confusiin. I think what I meant was events expressed in a jwt like form based on JOSE. Signing and encryption which are important for events. <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">I propose we meet in the registration area and can decide where to go from there. <br>
<br>
Phil<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
On Nov 2, 2015, at 10:55, William Denniss <<a href="mailto:wdenniss@google.com" target="_blank"><span style="color:purple">wdenniss@google.com</span></a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<div>
<p class="MsoNormal">I'm keen to talk about this at 3p today Phil.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Have been doing some thinking in the RISC context (cc:Adam). We were thinking of using JWTs, but of course would need to make sure they were not also valid ID Tokens (which the logout spec achieves by not including the 'nonce' claim – but
makes me regret that there wasn't a "type" claim in the ID Token spec).<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">On Mon, Nov 2, 2015 at 9:31 AM, Phil Hunt <<a href="mailto:phil.hunt@oracle.com" target="_blank"><span style="color:purple">phil.hunt@oracle.com</span></a>> wrote:<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal">There seem to be a number of event proposals coming out (OAuth, OIDC RISC, OIDC Logout, and SCIM) that could be optimized if they all shared a common protocol for event delivery. While all of the proposals so far use JWTs, it seems like
we could make this happen faster if all of them worked from a common notification protocol. I note that all proposals are actually at an early stage — so generalizing won’t delay any single case. It may speed them up.<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">For those at IETF this week, maybe we can meet some time early in the week and discuss informally to kick things off?<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"">I have some time this week, and would be happy to put together a new straw-man proposal so we can take it back to the SCIM and OIDC communities.</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif""> </span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"">I have an open time slot between 3 and 5PM today (or tonight) for those that are interested. </span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"">ps. There is a crypto forum between 3 and 5 as well.</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif""> </span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"">Phil</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif""> </span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"">@independentid</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif""><a href="http://www.independentid.com/" target="_blank"><span style="color:purple">www.independentid.com</span></a></span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica","sans-serif""><a href="mailto:phil.hunt@oracle.com" target="_blank"><span style="color:purple">phil.hunt@oracle.com</span></a></span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<div>
<div style="margin-top:7.5pt">
<p class="MsoNormal" style="line-height:18.0pt"><span style="font-family:"Arial","sans-serif";color:#555555;border:solid #D50F25 1.5pt;padding:2.0pt">Adam Dawes |</span><span style="font-family:"Arial","sans-serif";color:#555555;border:solid #3369E8 1.5pt;padding:2.0pt"> Sr.
Product Manager |</span><span style="font-family:"Arial","sans-serif";color:#555555;border:solid #009939 1.5pt;padding:2.0pt"> <a href="mailto:adawes@google.com" target="_blank">adawes@google.com</a> |</span><span style="font-family:"Arial","sans-serif";color:#555555;border:solid #EEB211 1.5pt;padding:2.0pt"> +1
650-214-2410</span><span style="font-family:"Arial","sans-serif";color:#555555"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>