[Openid-specs-ab] Spec call notes 17-May-12
Mike Jones
Michael.Jones at microsoft.com
Fri May 18 00:25:37 UTC 2012
Spec call notes 17-May-12
Mike Jones
Edmund Jay
John Bradley
Pamela Dingle
Nat Sakimura (joined near the end of the call)
Agenda:
Open Issues
Mailing list items
Editing
JWE KDF Parameters
Interop
Discovery
Open Issues:
#584 Messages - Username claim
An alternative would be a local_user_handle claim that the IdP could optionally release
We decided to defer a decision on this one pending more discussion
#587 Registration - 2.1 Should mention about OAuth Bearer Authz Scheme
John pointed out that Bearer access only applies to the client_associate type
He is adding that to the ticket
There's a separate issue about whether we want to be able to use JWT assertions to update associations
(rather than the client_secret)
We're leaving this one open until Nat can also participate in the discussion
Mailing list items:
Amanda Anganes' note "redirect_uri matching clarification"
John replied with additional rationale about registered redirect_uri values
Chuck Mortimore's note about whether to require redirect_uri registration
We either need required nonce verification or required redirect_uri registration
Given we no longer have the first, we need the second
John already replied to that effect
Editing:
Nat checked in his changes, including being able to return claims in the ID Token
Edmund updated the related examples
John checked in changes to remove the Check ID endpoint
The corresponding changes to Basic will happen next
Mike should be able to do his edits today or tomorrow
JWE KDF Parameters:
Edmund said that XML ENC uses no datalen values
If that's the case, we can safely not use them too
John believes we need non-constant PartyUInfo and PartyVInfo values when doing key agreement
XML ENC Key Agreement just says that the values need to be used (but are provided as parameters)
John wonders if we should do the same
PartyUInfo includes an identifier and a nonce
Interop:
We have interoperable issuers with paths
We have interoperable token hash implementations now
Mike needs to include new test descriptions that Roland sent him on the OSIS interop wiki
Discovery:
WebFinger/SWD: We should push for servers to accept e-mail addresses without schemes
Particularly since acct: may or may not get approved
Mike may ask the chair whether to have a consensus call about separating acct:
Open Issue: What do we do when there is no HTTP server for a domain?
Applies to most of the hosted situations
Using DNS in some manner is likely the right solution
Such as reusing the MX record, which while "unclean", would work
Alternatives are SRV or TXT records
John will file an issue about this
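As an added illustration of the "datalen" question raised in the JWE KDF Parameters section above (example code written here, not part of the original notes or of the OpenID or JOSE specs): the NIST SP 800-56A single-step Concat KDF, built once with 4-byte length prefixes on AlgorithmID/PartyUInfo/PartyVInfo (the encoding JWA later standardised) and once by plain concatenation. The shared secret Z, the algorithm identifier and the party identifiers are constructed values, not test vectors.

```python
import hashlib
import struct


def _len_prefixed(data: bytes) -> bytes:
    """Encode one OtherInfo field as Datalen || Data (4-byte big-endian length)."""
    return struct.pack(">I", len(data)) + data


def other_info(alg_id: bytes, party_u: bytes, party_v: bytes,
               keydatalen: int, use_datalen: bool) -> bytes:
    """Build the SP 800-56A OtherInfo string.

    use_datalen=True: each of AlgorithmID, PartyUInfo, PartyVInfo is length-prefixed.
    use_datalen=False: the three fields are simply concatenated (the "no datalen"
    style discussed on the call). SuppPubInfo is keydatalen in bits, 4-byte big-endian.
    """
    fields = (alg_id, party_u, party_v)
    enc = b"".join(_len_prefixed(f) if use_datalen else f for f in fields)
    return enc + struct.pack(">I", keydatalen)


def concat_kdf(z: bytes, keydatalen: int, alg_id: bytes, party_u: bytes,
               party_v: bytes, use_datalen: bool = True) -> bytes:
    """Single-step KDF with SHA-256: K = H(counter || Z || OtherInfo), counter = 1, 2, ..."""
    info = other_info(alg_id, party_u, party_v, keydatalen, use_datalen)
    out = b""
    counter = 1
    while len(out) * 8 < keydatalen:
        out += hashlib.sha256(struct.pack(">I", counter) + z + info).digest()
        counter += 1
    return out[: keydatalen // 8]


# Constructed shared secret Z (32 fixed bytes, not a real ECDH output).
Z = bytes(range(32))


def datalen_prevents_field_ambiguity() -> tuple:
    """Two different (PartyUInfo, PartyVInfo) splits have the same raw concatenation.

    Without datalen prefixes they derive the same key; with prefixes they do not,
    which is why the length fields make the OtherInfo encoding unambiguous.
    """
    a = (b"Alice", b"Bob")
    b = (b"Al", b"iceBob")
    unprefixed = [concat_kdf(Z, 128, b"A128GCM", u, v, use_datalen=False) for u, v in (a, b)]
    prefixed = [concat_kdf(Z, 128, b"A128GCM", u, v, use_datalen=True) for u, v in (a, b)]
    return unprefixed[0] == unprefixed[1], prefixed[0] == prefixed[1]


if __name__ == "__main__":
    print(datalen_prevents_field_ambiguity())  # (True, False)
```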