[Openid-specs-ab] Spec call notes 20-Sep-12
Mike Jones
Michael.Jones at microsoft.com
Thu Sep 20 15:14:07 UTC 2012
Spec call notes 20-Sep-12
John Bradley
Mike Jones
Nat Sakimura
Edmund Jay
Brian Campbell
Pamela Dingle
Agenda:
OAuth SASL
Editing
Open Issues
Interop
IIW Events
IETF Events
OAuth SASL:
John reports that Google is moving their OAuth SASL support to OAuth 2.0, supporting IMAP, etc.
Called XOAuth 2
What Google is doing is different than the draft standard
Happening on the IETF kitten mailing list
There is not necessarily a one-to-one mapping between resource servers and mailboxes
We want mail clients, etc. to be able to use OpenID Connect, so hopefully this can stay aligned
Editing:
Edmund made edits for #640 and #649
John plans to try to close his open tickets before leaving for London on Sunday
Open Issues:
No new open issues
#636 JWT - intermediate audience claim
Mike added reference to his old on-behalf-of draft
http://self-issued.info/docs/on-behalf-of.html
#627 HTTP response code
About whether to follow redirects for the provider configuration
They would need to be over HTTPS
Consensus seems to be to not follow them, because anytime you could add a redirect you could add a file
Assigned to John
#622 Discovery 2.1.2 - domain-literal and CFWS
Nat may have resolved this as a side effect of other edits he made. He will verify.
John will file a work item to review specs to ensure that using the OAuth client_credentials grant_type isn't precluded
#614 Discovery - 3.2 Distinguishing between signature and integrity parameters for HMAC algorithms
Mike will make corresponding changes to the specs after the JOSE edits to combine the enc, int, and kdf parameters
#595 Discovery 2 - No means of discovery without web server for domain
Mike earlier raised the issue of possible certificate difficulties with dedicated hosts such as swd. or webfinger.
We will discuss this at the in-person WG meeting at Google
Mike will also send a note about this to Google and Salesforce
#604 All - Create a MTI section
Client and Server are different
Decisions:
Servers must understand the request object
Servers must understand signed request objects
It's optional for servers to understand encrypted request objects
It's optional for clients to understand aggregated and distributed claims
Open Issues to Specify:
Does server have to support UserInfo endpoint?
Does server have to be able to sign UserInfo endpoint response?
Does server have to understand acr?
(many others)
Mike suggested assigning this to someone to make a list for the in-person WG meeting
Nat will make a list of issues and a proposal for the October 2012 in-person WG meeting
(which he will not be able to attend)
#360 Registration 2.1 - What is application_type (native, web) used for?
George has proposed text
Brian pointed out we need to specify the expected behaviors when these parameters are used
Nat pointed out that we may need to differentiate web server and JavaScript client as well
Interop:
Roland and Andreas were not on the call, so we didn't get an update on the RP interop testing work
IIW Events:
John will send http://connect-wg-oct-2012.eventbrite.com/ to the openid-connect-interop list
IETF Events:
John will ping Lucy again about the room