[Openid-specs-ab] Spec call notes 28-Jun-12
Mike Jones
Michael.Jones at microsoft.com
Thu Jun 28 15:34:39 UTC 2012
Spec call notes 28-Jun-12
Nat Sakimura
Brian Campbell
John Bradley
Edmund Jay
Mike Jones
George Fletcher
Hannes Tschofenig
Justin Richer
Amanda Anganes
Agenda:
Editing
Open Issues
JOSE Examples
OAuth additional security considerations
OC4 Interop
WebFinger and acct: scheme
Editing:
John expects to get the self-issued edits checked in today - issue #566
Nat has checked in session management
This will make us feature-complete for the OC4 interop
Open Issues:
#605: Session Sec 2
Nat will apply this editorial change
#604 All - Create a MTI section
We will dedicate next week's call to this issue
#601 Standard - No way of doing IdP initiated login defined
People are encouraged to post ideas to the list or make comments on the bugs
#600: Messages 2.1.1 and 2.3.2 - Register Connect Claims in JWT Claims Registry
Mike will do this after releasing updated JOSE specs
#599 Messages, Implicit, Basic - Add example ID Token when claims_in_id_token used
We will still add an example of requesting claims in the ID Token in Messages
#596: Registration - Security consideration on Logo needs to be written
Nat will try to write some text on this
#597: Messages - Use ISO 8601:2004 date for UserInfo.birthday?
We agreed to do this, changing the claim name to "birthdate"
#595 Discovery 2 - No means of discovery without web server for domain
We will not do this before the OC4 interop
#588: Messages - 9.1. Refresh Token, and Access Token Lifetime is not a privacy consideration
Nat will do this after the self-issued release
#582 Messages - 2.1.2.1 Overlay client request registration over the authentication request
We will look at this on the next call after the self-issued checkin
#543 Messages - 8. Add Threats and controls
Nat will do this edit after the self-issued release
#539 Messages - 0. Add scope for offline access
We should nail down a syntax for requesting this
We should recommend semantics but not require everyone to do it the same
We should also state how this relates to issuing a refresh token
George will write proposed text
#538 Session - 0. Write the new sketch of the Session Management spec.
Now that Nat has checked in a spec, we can close this issue
JOSE Examples:
Edmund and Emmanuel are getting the same GCM results, which differ from Mike's
Mike will use their values and debug his implementation later
OAuth additional security considerations:
John discussed text about an attack against the client rather than the protected resource
Resource owner impersonation
Misuse of delegated authority
We ran out of time to discuss the OC4 Interop and the WebFinger and acct: scheme agenda items.