[Openid-specs-ab] Spec call notes 22-Aug-13

Mike Jones Michael.Jones at microsoft.com
Thu Aug 22 15:06:15 UTC 2013


Spec call notes 22-Aug-13

John Bradley
Justin Richer
Mike Jones
George Fletcher
Edmund Jay

Nat Sakimura

Agenda:
               Open Issues
               Twitter access token leakage
               Document Restructuring
               JOSE Issues

Open Issues:
               #863 - Stateless Registration Discovery/Messages
                              John tried to contact Naveen about this.  No response so far.
               #864 - Native Client code leakage
                              This is a general OAuth thing, but may need to be addressed in Connect to achieve interoperability
                              John will try again to follow up with Naveen about whether they want to encode client state into the client_id
               #865 - Registration needs update capability too
                              Update is not possible for stateless servers (because it would change the client_id)
                              Update in OAuth registration is already optional

Twitter access token leakage:
               John described an OAuth 1.0a vulnerability that recently occurred for Twitter native clients
               Having redirect_uris in OAuth 2.0 fixes this
               This doesn't directly pertain to OpenID Connect

Document Restructuring:
               There's no update on this work, since Nat wasn't on the call
               If we're going to do this, it needs to happen sooner, rather than later

JOSE Issues:
               There are now 151 open JOSE issues
               People should participate in discussions of these on the JOSE mailing list to help move JOSE forward