[Openid-specs-ab] Spec call notes 4-Feb-13
Mike Jones
Michael.Jones at microsoft.com
Tue Feb 5 02:06:44 UTC 2013
Spec call notes 4-Feb-13
Mike Jones
Edmund Jay
Brian Campbell
Pamela Dingle
John Bradley
Tim Bray
Nat Sakimura
Naveen Agarwal
Breno de Medeiros
Agenda:
New Open Issues
MTI for OpenID Request Object
JOSE poll about whether headers must be understood
New Open Issues:
We went through most of the new open issues before starting the MTI discussion with Breno and Naveen
See the issues themselves for resolutions
We closed many of the registration issues
We left open whether to switch registration to a JSON request format, pending further discussion
We'll probably discuss this on Thursday's call
MTI for OpenID Request Object:
Enables signed requests, requests for individual claims
Breno suggested that another possible processing rule is to ignore everything outside the request object
Breno suggested that claims requests might be separated from the request object
Breno suggested that max_age could be a parameter, as should other commonly used request parameters
Breno wants the request object to essentially be a JSON serialization of the request parameters
Breno asserted that the claims request need not be signed
Breno said that signing the request object provides security to the OP
whereas he said that the claims reflect security/privacy policies of the RP
Breno wants to hear from others such as Salesforce about whether signed requests should be part of the MTI
We agreed to make max_age and preferred_locales top-level parameters
We agreed that it would be valuable to make the ability to request things independent of whether the request is signed
Mike asked whether he should create a distinct "claims" parameter separate from the "request" parameter
A discussion ensued about what encodings should be used for the claims
Breno suggested %-encoding the JSON rather than base64url encoding it
Base64url encoding is only needed for signature validation
He said that %-encoding is fine for the claims request
Whereas it would just be JSON in the request object
We would use UTF-8 %-encoding for the JSON
This would likely help us make progress on MTI consensus
It makes things more orthogonal, so each request parameter can be considered (mostly) independently
We agreed that doing these changes would help us better understand the choices and move towards consensus
JOSE poll about whether headers must be understood
Karen O'Donoghue sent the message "[jose] POLL(s): header criticality" this morning
This will help close an issue that needs to be closed before working group last call
Outcome B (and possibly C) to the third question would break every JWT and JOSE structure
John and Mike will compose a note to the connect working group about this
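Added example (not part of the call notes, and not code from the OpenID Connect specs or any implementation) showing the two encodings discussed above side by side: a "claims" parameter carried as UTF-8 %-encoded JSON that the OP can read without any signature step, and a separate "request" parameter carried as a base64url-encoded JWS whose contents are only trusted after the MAC verifies. max_age and preferred_locales ride as ordinary top-level parameters. Everything concrete here is assumed or constructed: HS256 with a shared RP/OP secret stands in for whatever signing method a deployment would use, the userinfo/essential/value members of the claims request are taken from the Connect drafts of the time rather than from these notes, and the URLs, client_id and secret are made up.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import quote, unquote, urlparse

# ---- claims: plain JSON, UTF-8 %-encoded in the query; no signature involved ----

def encode_claims_param(claims):
    """JSON-serialize a claims request and %-encode its UTF-8 bytes.

    safe="" makes quote() escape every reserved character, so the result drops
    straight into a query string; non-ASCII text becomes escapes of its UTF-8
    bytes ('é' -> %C3%A9). No base64url here: nothing is being signed."""
    text = json.dumps(claims, separators=(",", ":"), ensure_ascii=False)
    return quote(text, safe="")

def decode_claims_param(encoded):
    """%-decode as strict UTF-8, then parse the JSON."""
    return json.loads(unquote(encoded, encoding="utf-8", errors="strict"))

# ---- request object: JWS compact serialization, base64url because it is signed ----

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_request_object(params, secret):
    """Sign the request parameters as an HS256 JWS (a JWT whose claims are the
    OAuth/Connect request parameters). HS256 is an assumption for the demo."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(params, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_request_object(token, secret):
    """Return the signed parameters, or None if the token is malformed, names an
    algorithm other than the one we expect, or fails the MAC check."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad split, bad base64, bad JSON and bad UTF-8 all land here
        return None

# ---- RP side: assemble the request; OP side: take each parameter on its own terms ----

def build_authorization_url(endpoint, top_level, claims=None, request_object=None):
    """Top-level parameters are ordinary %-encoded query parameters; the claims
    and request parameters are independent of each other and of each other's
    encoding, so either can be present without the other."""
    parts = [f"{k}={quote(v, safe='')}" for k, v in top_level.items()]
    if claims is not None:
        parts.append("claims=" + encode_claims_param(claims))
    if request_object is not None:
        parts.append("request=" + request_object)  # JWS compact form is already URL-safe
    return f"{endpoint}?{'&'.join(parts)}"

def parse_authorization_request(url, secret):
    raw = {}
    for pair in urlparse(url).query.split("&"):
        key, _, value = pair.partition("=")
        raw[key] = value
    result = {"claims": None, "request_object": None}
    if "claims" in raw:
        result["claims"] = decode_claims_param(raw.pop("claims"))      # readable unsigned
    if "request" in raw:
        result["request_object"] = verify_request_object(raw.pop("request"), secret)
    result["params"] = {k: unquote(v, errors="strict") for k, v in raw.items()}
    return result

# Constructed sample data (not from the notes): a demo-only shared secret, a claims
# request using assumed userinfo/essential/value members, and the parameters an RP
# might choose to sign. Identifiers and URLs are made up.
SECRET = b"rp-op-shared-secret-for-demo-only"
SAMPLE_CLAIMS = {"userinfo": {"email": {"essential": True},
                              "given_name": {"value": "José"}}}
SAMPLE_SIGNED = {"iss": "demo-rp-client", "aud": "https://op.example.com",
                 "response_type": "code", "client_id": "demo-rp-client",
                 "redirect_uri": "https://rp.example.com/cb", "scope": "openid"}
TOP_LEVEL = {"response_type": "code", "client_id": "demo-rp-client",
             "scope": "openid", "max_age": "3600", "preferred_locales": "fr-CA en"}
EXAMPLE_URL = build_authorization_url(
    "https://op.example.com/authorize", TOP_LEVEL, claims=SAMPLE_CLAIMS,
    request_object=sign_request_object(SAMPLE_SIGNED, SECRET))

if __name__ == "__main__":
    print(EXAMPLE_URL)
    parsed = parse_authorization_request(EXAMPLE_URL, SECRET)
    print("claims:", parsed["claims"])
    print("signed request object:", parsed["request_object"])
    print("top-level max_age:", parsed["params"]["max_age"])
```

The point worth noticing is what each side has to do before it can use a parameter: the OP can act on the %-encoded claims request and on max_age with nothing but a URL decoder, while the request object is opaque until the signature (here a MAC over the base64url header and payload) checks out, and a forged payload or an unexpected alg leaves it rejected. A non-ASCII value in the claims JSON survives as %XX escapes of its UTF-8 bytes on the wire and comes back intact.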