[Openid-specs-ab] Spec call notes 12-Jan-12

Mike Jones Michael.Jones at microsoft.com
Fri Jan 13 00:18:25 UTC 2012

Spec call notes 12-Jan-12

John Bradley
Mike Jones
Nat Sakimura
Edmund Jay

                Open Issues
                Token Linking Issue
                Updating the openid.net/connect page

Open Issues:
                #506 - Assigned to John for review and change
                #507 - Invalid - John will add rationale in the comments
                #505 - John still needs to write proposed language

Token Linking Issue:
                Breno sent a proposal that's close enough to complete to be actionable
                                Describes adding a hash of the Access Token to the ID Token
                John believes it only solves a problem for the implicit (token) flow
                We discussed that, if added, this functionality could be either RECOMMENDED or OPTIONAL
                                John believes that we may want to require this for the implicit flow
                John believes it should be the RP who decides if this is important
                This lets RPs detect Access Token tampering in the implicit flow
                In a sense, this is an audience restriction of the Access Token with the implicit flow
                Mike stated that we should evaluate this based upon specific language
                John will write up proposed language for review (after doing the edits for his other issues)

                Breno wants encryption with integrity using CBC
                John believes we should reinstate the integrity proposal from JSMS for CBC
                                At least as an option
                NIST recommends wrapping the symmetric key to avoid using the same key repeatedly for many messages
                Do we use a KDF or use the same key for encryption and HMAC?
                                Mike pointed out that a different key may be necessary for elliptic curve
                                John pointed out that integrity and encryption key sizes may different anyway, requiring KDF
                If we want the smallest number of options, always use a KDF and always use a content master key
                                If using GCM, you'd only get one key from the KDF
                Question of encrypting to multiple recipients is also on the table
                John believes there are legitimate cases for multiple parties decrypting a security token
                                Including the RP and Check ID Endpoint for an ID Token
                                Including STS token transforms
                                Self-issued tokens may also require multiple recipients
                We need to develop a concrete proposal including syntax and which options to and not support
                If not before, we should try to develop a concrete proposal at RSA

                John pinged Don about announcing and planning an interop event for RSA
                                Time is short to organize this
                Mike suggested we also send a note to the interop list now to get people thinking about it

                We should be testing Discovery and Registration
                We should be testing asymmetric signatures
                We should be testing using the request object
                We should be testing native client apps

Spec Review Feedback Received:
                Breno plans to review the present specs during the present review period
                Mike gave the WG a heads-up that Yaron sent several pages of feedback
                In particular, Yaron believes that Issuers must be able to include a path
                                Mike will come back to discuss this once he has a specific proposal

                John spoke with Don about an interop event at RSA
                                Don will communicate to the board that we want to do that
                                We need to find a sponsor that can provide space
                John also gave the other list of proposed events to Don

Updating the openid.net/connect page:
                It doesn't currently mention the implementer's draft review
                There are other ways it is probably out of date
                Nat will look at it
                Pam should be updating the diagram to add the OAuth JWT Profile and the Multiple Response Types

                John pointed out that we should track the "Why aren't we using WebFinger?" issue
                                We should have a concise response document
                                We will do that as other work and priorities allow
                BrowserID issue
                                Don and Tony are discussing this in person today
                                Hopefully this will empower Don to write a response and speak publicly
                                Nat may repeat some of his previous comments from July for current consumption
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20120113/f3b446b7/attachment.html>

More information about the Openid-specs-ab mailing list