[Openid-specs-ab] Spec call notes 9-Apr-12

Mike Jones Michael.Jones at microsoft.com
Tue Apr 10 00:27:00 UTC 2012


Spec call notes 9-Apr-12

John Bradley
Mike Jones
Nat Sakimura
George Fletcher
Edmund Jay
Pamela Dingle

Agenda:
                Editing
                Reviewing New Text
                New Open Issues

Editing:
                All the tracked edits are in for the release
                Mike is finishing the consistency checks for the release

Reviewing New Text:
                John isn't certain that his example JavaScript in Basic is correct
                                Nat will review
                                Edmund believes some things are missing.  He will work with John.
                                John will change the name of the queryString variable in the example
                                Mike asked whether this example also belongs in Standard, since Basic is a profile
                                                Nat and John weren't convinced that it does
                Token Hash algorithm (at_hash)
                                Basic says SHA256 hash is used
                                The problem is that the Check ID endpoint hides the signature processing from the client
                                This isn't a problem with the code flow
                                We may want to revisit this decision in the context of other changes

New Open Issues:
                #567: Basic - Use grant type code instead of implicit grant
                                George and Pam appeared supportive of Torsten's proposal
                #568: Basic - Drop the need for signature validation in basic profile
                                Actually, drop need for signature validation in the code flow
                #569: Basic - Drop nonce from basic profile
                                Single use may be difficult for geo-distributed implementations
                                John adding comment to that effect
                                We are leaning towards not requiring nonce, but still allowing it in Messages
                #570: General - removal of checkid endpoint
                                Signature checking still needed for implicit flow - can be done by client
                                Nat points out that without Check ID endpoint, we lose the ability to use a symmetric signature
                                                John believes that this observation is a red herring
                                John points out that there are RSA libraries available for JavaScript
                #571: General - removal of symmetric signatures for id tokens
                                Or possibly make asymmetric the default?
                                Removing it entirely would let us remove large parts of the spec

                We will talk about all of these more in Germany and at the pre-IIW meeting at Yahoo!
                People should add their thoughts to the issues.  We will try to close them at the pre-IIW WG meeting.
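Added worked example, not part of the call notes or of any OpenID draft: the at_hash check the notes discuss under "Token Hash algorithm (at_hash)" and the point under #570 that, without a Check ID endpoint, the implicit-flow client has to verify the ID Token signature itself. The left-most-half-of-the-digest, base64url-without-padding construction and the rule that the hash follows the ID Token's JOSE alg are taken from the published OpenID Connect Core specification, which postdates this call; the notes only record that Basic fixes the algorithm at SHA-256, which basic_profile_token_hash models. Token values and claim dictionaries below are constructed; all function names are this example's own.

```python
"""Compute and verify the OpenID Connect at_hash claim (added example)."""
import base64
import hashlib
import hmac

# Hash function implied by the ID Token's JOSE "alg" header. A client that
# offloads signature checking to a Check ID endpoint never sees this header,
# which is why the Basic profile (per the notes) had to pin SHA-256 instead.
_HASH_FOR_ALG = {
    "HS256": hashlib.sha256, "RS256": hashlib.sha256, "ES256": hashlib.sha256,
    "HS384": hashlib.sha384, "RS384": hashlib.sha384, "ES384": hashlib.sha384,
    "HS512": hashlib.sha512, "RS512": hashlib.sha512, "ES512": hashlib.sha512,
}


def _b64url(raw: bytes) -> str:
    """base64url without '=' padding, as used for JOSE/JWT values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def token_hash(access_token: str, alg: str) -> str:
    """at_hash: base64url of the left-most half of hash(ASCII access_token),
    with the hash chosen from the ID Token's alg (OpenID Connect Core rule)."""
    try:
        digest = _HASH_FOR_ALG[alg](access_token.encode("ascii")).digest()
    except KeyError:
        raise ValueError(f"unsupported alg {alg!r}")
    return _b64url(digest[: len(digest) // 2])


def basic_profile_token_hash(access_token: str) -> str:
    """Basic-profile variant from the notes: SHA-256 regardless of alg."""
    return token_hash(access_token, "RS256")


def verify_at_hash(access_token: str, at_hash: str, alg: str) -> bool:
    """Recompute at_hash for the received access_token and compare in
    constant time; an unknown alg fails closed rather than guessing."""
    try:
        expected = token_hash(access_token, alg)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode("ascii"), at_hash.encode("ascii"))


def bind_access_token(id_token_claims: dict, access_token: str, alg: str,
                      signature_verified: bool) -> bool:
    """Implicit-flow binding check. at_hash only ties the access token to the
    ID Token if the client itself has verified the ID Token signature first
    (the #570 point); an unverified token makes the claim forgeable."""
    if not signature_verified:
        return False
    at_hash = id_token_claims.get("at_hash")
    if not isinstance(at_hash, str):
        return False
    return verify_at_hash(access_token, at_hash, alg)


if __name__ == "__main__":
    # Constructed sample values, not tokens from any real deployment.
    access_token = "constructed-access-token-value"
    alg = "RS256"
    claims = {"iss": "https://op.example", "at_hash": token_hash(access_token, alg)}
    print("at_hash          :", claims["at_hash"])
    print("bound (verified) :", bind_access_token(claims, access_token, alg, True))
    print("bound (unverif.) :", bind_access_token(claims, access_token, alg, False))
    # A token swapped in from another response no longer matches.
    print("swapped token    :", bind_access_token(claims, "some-other-token", alg, True))
```

The at_hash check is only as strong as the signature check that precedes it: if the client never validates the ID Token signature (or hands that job to an endpoint it has to trust), an attacker who can substitute tokens in the fragment can substitute the at_hash claim with them.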