[Openid-specs-ab] Spec call notes 27-Jun-11
Mike Jones
Michael.Jones at microsoft.com
Tue Jun 28 15:02:21 UTC 2011
I had a naming thought this morning. It occurs to me that the spec we'd given the ungainly working name "OpenID Connect Extended Requests and Responses" might be better named "OpenID Connect Enhancements". It's a more workable name and still makes it clear that the functionality is distinct from the Core.
What do people think?
-- Mike
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones
Sent: Monday, June 27, 2011 4:04 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Spec call notes 27-Jun-11
Spec call notes 27-Jun-11
Mike Jones
Nat Sakimura
John Bradley
Edmund Jay
Breno de Medeiros
Agenda items:
Review steps remaining to declare specs developer-ready
Where are aggregated, distributed claims specified?
Change citations to reference specs on openid.net/specs and to reference current versions
Accounts on svn.openid.net and openid.net
Discovery and client registration status
UserInfo status
Bindings status
Breno's request to move claims functionality to a separate document
Discuss whether session management should be in core or separate document
Where are aggregated, distributed claims specified?
They are currently missing - need to be put back in
Document structuring
Breno proposes that we make the core as small as possible
We initially proposed to split the core into (smaller core), session management, and claims specs
Nat and Mike initially proposed that the OpenID request and response stay in the core
Because requests and responses will contain more than just claims
Breno proposes that everything optional be removed from the core
We agree for now to use the name "OpenID Connect Extended Requests and Responses" for the optional parts
It contains:
the request format
the response format
claims, including aggregated and distributed claims representations
signing and encryption
Also, make id_token format opaque, per agreement from Facebook meeting
Security Considerations
Should pertain only to the functionality in each doc
Core may just refer to extensive OAuth 2.0 security considerations section
Maybe talk about risks of userids in requests and responses
Maybe talk about replay attacks
Maybe talk about assertion disclosure
Editorial:
Change citations to reference specs on openid.net/specs and to reference current versions
Accounts on svn.openid.net and openid.net
Mike initiated creation of accounts for editors
Mike will update documents on open.net and svn.openid.net for now
Discovery and client registration status
John will finish draft in 1.5 days or so
UserInfo
Mike will finish update in 1 day or so
Bindings
Edmund sent out a doc combining the Code and AB and Implicit Grant bindings
Breno strongly objects to having a separate HTTP binding document
Edmund should be ready for the bindings document to be posted in a day or two
After we have checked in this round of revisions, Mike will take a stab at adding the HTTP binding to the core
John is working on a PPID specification for future consideration
All but Breno plan to be on the call 3 days hence (Thursday US/Chile, Friday Japan)
====
Action items:
Edmund will split the core into:
smaller core
session management
extended requests and responses docs
John will finish revising discovery and client registration docs
Mike will finish revising UserInfo