[Openid-specs-ab] Spec call notes 29-Aug-11
Mike Jones
Michael.Jones at microsoft.com
Mon Aug 29 23:29:45 UTC 2011

Spec call notes 29-Aug-11

Mike Jones
Edmund Jay
Nat Sakimura
George Fletcher
John Bradley
Pamela Dingle

Agenda:
  Preparing for summit in two weeks
  Steps to achieve an implementers draft
  id_token issue on mailing list

Preparing for summit in two weeks:
  Need blog post with pointer to stable specs
  Close remaining open spec issues:
    Public key based verification rules
      Issuer, audience, etc. missing
      John will write text in next few days
    Inclusion of left or right hash of access token in ID token
      Because no collision attack, can use half the hash
      Google worried about cut-and-paste attack, substituting one access token for another without the RP noticing
    Did we pick the right flow for Lite?
      Ought to not be used for non-SSL RPs
      They must use code flow
      Can be discussed in security considerations
    Secret type for authenticating to token endpoint
    Scope and claims related to the scope
  Remaining edits needed for specs
    Edmund wondered whether session management spec needs to be updated
    Need a close read of the messages spec
      Nat has read the standard spec closely
    Rename Lite to Basic Client
    Edmund has pending edits to the specs
      Pass id_token to the check_session endpoint as a parameter
      Introspection endpoint was renamed to check_session endpoint
  Interop status
    Edmund has a basic client and a basic server
    NRI Tokyo team is building standard server and standard client
      Without aggregated and distributed claims
      Sending a representative to the summit: Tatsuya Katsuhara
    Google has some kind of a server and some kind of client
      Need to follow up with them on what will be ready
    rack-oauth person will participate remotely: Nov Matake
      Ruby implementation
    Ping plans to bring an Authorization Server implementation
    We don't know about Salesforce or Newcastle
    Roland from FedLab is coming but likely will not have code to show
    John trying to get a Drupal 6 implementation, but may not be done in time
    Andrew Arnott is not doing an implementation at present
  We need to begin ad-hoc interop work before the summit
    First, just see if implementations can communicate at all
    Test whether claims can be communicated from UserInfo endpoint
    At this interop, expect pre-configuration to be the norm, rather than discovery
  We need to create a mailing list for the interop participants
    Pam will do tonight
      Called OpenID Connect Interop - openid-connect-interop at googlegroups.com
      http://groups.google.com/group/openid-connect-interop?hl=en
    People should e-mail members for the list to Pam at pdingle at pingidentity.com
      Edmund and John and Nat and Breno and Johnny should be on it
      Mike and John will also be list administrators
      Andreas and Roland Hedberg also
      Chuck too

Edit plan:
  Mike to rename Lite to Basic client and check in
    Everything in Lite should be in other specs
  Then John will apply other edits

Open Spec Issues:
  Public key based verification rules
    John writing up a proposal
  Inclusion of left or right hash of access token in ID token
    Consensus to do that
    Breno owes us a concrete proposal
      John will follow up with Breno
  Did we pick the right flow for Lite?
    For now, leave it alone and deal with in Security Considerations
  Secret type for authenticating to token endpoint
    Need extra parameter in case you are using a JWT to authenticate
    Edmund will send text to John and Mike
  Scope and claims related to the scope
    Need consensus on what we should be doing in this regard
      Some want only one scope
      Some want multiple granular scopes
      Some feel that the duplication with the request is bad for interop
    Specs currently include: openid (id_token), profile (default user_info), address, email
    No consensus to change this before the summit
      Can be changed later if consensus to do so
  Whether and how to support id_token types other than JWT
    Currently must be a JWT in Standard spec
    Not a consensus to do anything relative to this before the summit
  Whether to use longer field identifiers in JWTs
    Not a consensus to make any identifier changes at present

Steps to achieve an implementers draft:
  Should be a topic at the summit
  Use the summit to close remaining issues
  Then go to an implementers draft
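
The RP-side check implied by "Inclusion of left or right hash of access token in ID token", as an added example that is not part of the original notes or of any proposal they mention. Assumptions, since the notes leave the concrete format to a pending proposal: the claim name `at_hash`, a hash chosen from the ID token's signature algorithm, and unpadded base64url encoding. The ID token's signature, issuer and audience are assumed to be verified already.

```python
import base64
import hashlib
import hmac

# Assumed mapping from the ID token's signature algorithm suffix to the hash
# used for the access-token binding (an assumption of this example).
_HASH_FOR_ALG = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def half_hash(access_token: str, alg: str = "RS256", side: str = "left") -> str:
    """Return the unpadded base64url left or right half of the token hash."""
    hash_fn = _HASH_FOR_ALG.get(alg[-3:])
    if hash_fn is None:
        raise ValueError(f"unsupported alg: {alg!r}")
    digest = hash_fn(access_token.encode("ascii")).digest()
    half = len(digest) // 2
    part = digest[:half] if side == "left" else digest[half:]
    return base64.urlsafe_b64encode(part).rstrip(b"=").decode("ascii")


def access_token_matches(claims: dict, access_token: str, alg: str = "RS256") -> bool:
    """Was this access token issued together with this ID token?

    `claims` must come from an ID token that has already been verified;
    the half hash only binds the two tokens to each other.
    """
    expected = claims.get("at_hash")  # assumed claim name
    if not isinstance(expected, str):
        return False  # no binding present: fail closed
    actual = half_hash(access_token, alg)
    # Constant-time comparison of the two encoded half hashes.
    return hmac.compare_digest(expected.encode("utf-8"), actual.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample values, not real tokens.
    issued = "constructed-access-token-A"
    swapped = "constructed-access-token-B"
    claims = {"iss": "https://op.example", "aud": "rp-client",
              "at_hash": half_hash(issued)}
    print("issued token accepted: ", access_token_matches(claims, issued))
    print("swapped token accepted:", access_token_matches(claims, swapped))
```

An RP that runs this check before using the access token notices the cut-and-paste substitution the notes describe, because the swapped token's half hash does not match the value carried in the signed ID token.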