[Openid-specs-ab] Spec call notes 18-Jul-11

Mike Jones Michael.Jones at microsoft.com
Mon Jul 18 23:05:00 UTC 2011


Spec call notes 18-Jul-11

Nat Sakimura
Mike Jones
John Bradley
Edmund Jay

Agenda:
    Encryption spec
    Anonymous client flow using asymmetric signatures
    Implementation update
    Feedback update
    Structure for reorganizing the specs

Encryption
    Mike implementing in .NET
    Maybe get Breno to do Java version
    Edmund updating PHP library
        Could maybe do encryption
    Not doing integrity check if function doesn't support it
    Using key wrap function from XMLDSIG, rather than from JSMS
    An interesting question whether AES-GCM implemented in PHP
        Can call out to openssl, but sometimes fraught with peril
    Left OAEP out of list in 7.1
    May need to change OAEP definition. Uses 2 hash functions:
        1. One has to do with key size of thing you're encrypting - should be as big as RSA key size
            Should be SHA-256,384,512 family
        2. Has to do with how intermediate internal values in padding are calculated
        John will send reference and recommendations
    Mike asked John to sanity check the current JCA values
    John and Nat to provide encryption spec feedback within 24 hours

Anonymous client flow using asymmetric signatures
    What Mozilla BrowserID is doing
    Not OAuth, so no client or RP identification in BrowserID
    Could have anonymous clients with unregistered clients using token flow
        Send to the introspection endpoint
        Get something useful without client registration
        Can get userid and access token to use at UserInfo endpoint
    John will write up an informal proposal for the list
        Almost indistinguishable flow from BrowserID except for IdP Discovery part
            Can be done in JavaScript
            No discovery needed for BrowserID since uses a central service run by Mozilla
        They eventually plan to remove need for service by building client into the browser

Implementation update
    Google announced theirs (in incomplete state)
    Ryo Ito did test RP - specific to Google endpoint

Feedback update
    Chuck Mortimore sent feedback today - need to review
    On July 13, Andrew Arnott had comments to AB list
        Nat responded on the list

Structure for reorganizing the specs
    John and Nat will talk in person in Colorado