[Openid-specs-ab] Spec call notes 21-Apr-14
Mike Jones
Michael.Jones at microsoft.com
Mon Apr 21 23:43:47 UTC 2014
Spec call notes 21-Apr-14

Mike Jones
John Bradley
Edmund Jay

Agenda:
  OpenID 2.0 Transition Spec
  OAuth 2.0 Symmetric Proof of Possession Spec
  Errata
  Upcoming Events
  Open Issues
  Google question to the list: [Openid-specs-ab] nonce for code+id_token flow
  Libraries Page
  openid.net Web Site

OpenID 2.0 Transition Spec
  Nat is studying proposals
  He believes that the Google proposal has some issues
  There appear to be three ways to do this:
    1. One way is to publish the Issuer key in the OpenID 2.0 discovery (YADIS) document
    2. Another way is to publish the Issuer Identifier in the OpenID 2.0 discovery (YADIS) document
    3. Another way is to publish the OpenID 2.0 verified identifier
  The downside of 1 is that it doesn't account for key rotation
  2 seems to make the most sense. Nat will start a rough draft using this method.

OAuth 2.0 Symmetric Proof of Possession Spec
  This is the document formerly known as "Transient Client Secret"
  Nat and John's spec needs to be refreshed
  John plans to refresh it
  John also plans an asymmetric version
  This may address some of Chuck Mortimore's use cases

Errata
  The next step seems to be to write proposed text
  Mike will try to have some text by the week of IIW
  Ideally we could review the updated text at Yahoo! or at IIW

Upcoming Events
  Pre-IIW event at Yahoo!, Monday, May 5
    http://www.eventbrite.com/e/openid-foundation-workshop-tickets-1174511997
  We need an updated "OpenID Connect Overview" talk
  Mike will try to put this together
  We likely have some working group sessions during IIW itself
  We don't have much working time at Yahoo!
  Native Applications will either be John or Paul
  Mobile Profile may not have a GSMA representative
  Torsten would be a good person to lead this
  European Identity Conference, Tuesday, May 13
    http://www.id-conf.com/events/eic2014/agenda
  This will probably be more presentation-oriented than interactive
  EIC is more of an enterprise and privacy audience - less technical than IIW
  Nat can think about possible differences from the Yahoo! deck
  We can also work on this during IIW

Open Issues
  There were no new issues

Google question to the list: [Openid-specs-ab] nonce for code+id_token flow
  We don't think that a nonce is technically necessary for the code flow
  But not putting it in would cause interoperability problems
  If included, it will be the same in both ID Tokens
  John will reply to the list

Libraries Page
  We added Ping Federate and Azure AD
  Others can also supply product links to be listed
  We added a tools section listing http://jwt.io/

openid.net Web Site
  We probably want to merge these pages:
    http://openid.net/foundation/community/
    http://openid.net/foundation/community/get-involved/
  We also want to revise this one and possibly make it easier to find:
    http://openid.net/foundation/community/mailing-lists/
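
The nonce point from the notes, as an added example that is not part of the original message: a relying-party check that the ID Token from the authorization endpoint and the one from the token endpoint both carry the nonce that was sent. The function names and sample tokens are constructed for illustration, and signature and other claim validation are assumed to have been done already.

```python
import base64
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed sample token; the signature part is a placeholder."""
    header = _b64url(json.dumps({"alg": "RS256"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.c2lnbmF0dXJl"


def claims_of(id_token: str) -> dict:
    """Decode the payload. Assumes the signature was already verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_nonces(sent_nonce: str, front_token: str, back_token: str) -> list:
    """Return a list of problems; empty means both ID Tokens echo sent_nonce."""
    problems = []
    tokens = (("authorization endpoint", front_token),
              ("token endpoint", back_token))
    for label, token in tokens:
        nonce = claims_of(token).get("nonce")
        if not isinstance(nonce, str):
            problems.append(f"{label}: nonce missing")
        elif not hmac.compare_digest(nonce.encode(), sent_nonce.encode()):
            problems.append(f"{label}: nonce mismatch")
    return problems


# Constructed sample data, not taken from the mailing list thread.
SENT = "n-0S6_WzA2Mj"
FRONT = make_sample_token({"sub": "alice", "nonce": SENT})
BACK_SAME = make_sample_token({"sub": "alice", "nonce": SENT})
BACK_NONE = make_sample_token({"sub": "alice"})
BACK_OTHER = make_sample_token({"sub": "alice", "nonce": "something-else"})

if __name__ == "__main__":
    for back in (BACK_SAME, BACK_NONE, BACK_OTHER):
        print(check_nonces(SENT, FRONT, back) or "ok")
```

The BACK_NONE case shows the failure a strict relying party reports when the token endpoint's ID Token omits the nonce.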