[Openid-specs-ab] Spec call notes 12-Jan-12

Nat Sakimura sakimura at gmail.com
Fri Jan 13 00:49:40 UTC 2012


So I have updated /connect/ to mention the current status (impl. draft
review period.)

=nat

On Fri, Jan 13, 2012 at 9:18 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> Spec call notes 12-Jan-12
>
>
>
> John Bradley
>
> Mike Jones
>
> Nat Sakimura
>
> Edmund Jay
>
>
>
> Agenda:
>
>                 Open Issues
>
>                 Token Linking Issue
>
>                 Encryption
>
>                 Events
>
>                 Updating the openid.net/connect page
>
>
>
> Open Issues:
>
>                 #506 - Assigned to John for review and change
>
>                 #507 - Invalid - John will add rationale in the comments
>
>                 #505 - John still needs to write proposed language
>
>
>
> Token Linking Issue:
>
>                 Breno sent a proposal that's close enough to complete to be
> actionable
>
>                                 Describes adding a hash of the Access Token
> to the ID Token
>
>                 John believes it only solves a problem for the implicit
> (token) flow
>
>                 We discussed that, if added, this functionality could be
> either RECOMMENDED or OPTIONAL
>
>                                 John believes that we may want to require
> this for the implicit flow
>
>                 John believes it should be the RP who decides if this is
> important
>
>                 This lets RPs detect Access Token tampering in the implicit
> flow
>
>                 In a sense, this is an audience restriction of the Access
> Token with the implicit flow
>
>                 Mike stated that we should evaluate this based upon specific
> language
>
>                 John will write up proposed language for review (after doing
> the edits for his other issues)
>
>
>
> Encryption:
>
>                 Breno wants encryption with integrity using CBC
>
>                 John believes we should reinstate the integrity proposal
> from JSMS for CBC
>
>                                 At least as an option
>
>                 NIST recommends wrapping the symmetric key to avoid using
> the same key repeatedly for many messages
>
>                 Do we use a KDF or use the same key for encryption and HMAC?
>
>                                 Mike pointed out that a different key may be
> necessary for elliptic curve
>
>                                 John pointed out that integrity and
> encryption key sizes may differ anyway, requiring a KDF
>
>                 If we want the smallest number of options, always use a KDF
> and always use a content master key
>
>                                 If using GCM, you'd only get one key from
> the KDF
>
>                 Question of encrypting to multiple recipients is also on the
> table
>
>                 John believes there are legitimate cases for multiple
> parties decrypting a security token
>
>                                 Including the RP and Check ID Endpoint for
> an ID Token
>
>                                 Including STS token transforms
>
>                                 Self-issued tokens may also require multiple
> recipients
>
>                 We need to develop a concrete proposal including syntax and
> which options to support and not to support
>
>                 If not before, we should try to develop a concrete proposal
> at RSA
>
>
>
> Events:
>
>                 John pinged Don about announcing and planning an interop
> event for RSA
>
>                                 Time is short to organize this
>
>                 Mike suggested we also send a note to the interop list now
> to get people thinking about it
>
>
>
> Interop:
>
>                 We should be testing Discovery and Registration
>
>                 We should be testing asymmetric signatures
>
>                 We should be testing using the request object
>
>                 We should be testing native client apps
>
>
>
> Spec Review Feedback Received:
>
>                 Breno plans to review the present specs during the present
> review period
>
>                 Mike gave the WG a heads-up that Yaron sent several pages of
> feedback
>
>                 In particular, Yaron believes that Issuers must be able to
> include a path
>
>                                 Mike will come back to discuss this once he
> has a specific proposal
>
>
>
> Events:
>
>                 John spoke with Don about an interop event at RSA
>
>                                 Don will communicate to the board that we
> want to do that
>
>                                 We need to find a sponsor that can provide
> space
>
>                 John also gave the other list of proposed events to Don
>
>
>
> Updating the openid.net/connect page:
>
>                 It doesn't currently mention the implementer's draft review
>
>                 There are other ways it is probably out of date
>
>                 Nat will look at it
>
>                 Pam should be updating the diagram to add the OAuth JWT
> Profile and the Multiple Response Types
>
>
>
> Misc:
>
>                 John pointed out that we should track the "Why aren't we
> using WebFinger?" issue
>
>                                 We should have a concise response document
>
>                                 We will do that as other work and priorities
> allow
>
>                 BrowserID issue
>
>                                 Don and Tony are discussing this in person
> today
>
>                                 Hopefully this will empower Don to write a
> response and speak publicly
>
>                                 Nat may repeat some of his previous comments
> from July for current consumption
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
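The token-linking proposal discussed in the notes (a hash of the Access Token carried inside the ID Token, so an RP using the implicit flow can detect a substituted Access Token), shown as an added Go example. This is not code from the thread or from any OpenID draft of the time: the notes only say "a hash of the Access Token", so the exact construction used here (SHA-256 over the token's ASCII bytes, left-most 128 bits, base64url without padding, which is what OpenID Connect Core later specified as the at_hash claim for SHA-256-based signing algorithms), the claim struct and the sample tokens are this example's own assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// AccessTokenHash is what the OP computes over the Access Token when it mints
// the ID Token: SHA-256 of the token's ASCII bytes, left-most half, base64url
// without padding. Assumed construction (later standardized as at_hash for
// RS256/ES256/HS256); the thread itself does not fix the details.
func AccessTokenHash(accessToken string) string {
	sum := sha256.Sum256([]byte(accessToken))
	return base64.RawURLEncoding.EncodeToString(sum[:sha256.Size/2])
}

// IDTokenClaims models the payload of an ID Token whose signature the RP has
// ALREADY verified. Signature verification is out of scope here; without it
// the AtHash claim is attacker-controlled and the check below proves nothing.
type IDTokenClaims struct {
	Iss, Sub, Aud, Nonce, AtHash string
}

// AcceptImplicitResponse parses the fragment of an implicit-flow redirect
// ("#access_token=...&id_token=...") and releases the Access Token to the RP
// only if the ID Token binds to it. The id_token parameter is not decoded
// here; its verified claims are supplied by the caller.
func AcceptImplicitResponse(fragment string, claims IDTokenClaims) (string, error) {
	params, err := url.ParseQuery(fragment)
	if err != nil {
		return "", err
	}
	accessToken := params.Get("access_token")
	if accessToken == "" {
		return "", errors.New("no access_token in fragment")
	}
	if claims.AtHash == "" {
		// The notes leave RECOMMENDED vs OPTIONAL open and say the RP decides;
		// this RP treats a missing hash in the implicit flow as a failure.
		return "", errors.New("ID Token carries no Access Token hash")
	}
	want := AccessTokenHash(accessToken)
	if subtle.ConstantTimeCompare([]byte(want), []byte(claims.AtHash)) != 1 {
		return "", errors.New("access token does not match ID Token hash")
	}
	return accessToken, nil
}

func main() {
	// Constructed sample: the OP issued this token pair for the RP "rp.example".
	const issued = "constructed-access-token-2YotnFZFEjr1zCsicMWpAA"
	claims := IDTokenClaims{Iss: "https://op.example", Sub: "248289761001",
		Aud: "rp.example", AtHash: AccessTokenHash(issued)}
	good := "access_token=" + issued + "&token_type=bearer&id_token=signed-jwt-omitted"
	tok, err := AcceptImplicitResponse(good, claims)
	fmt.Println("accepted:", tok, err)
	// An attacker who swaps only the Access Token in the fragment is caught.
	swapped := "access_token=attacker-token&token_type=bearer&id_token=signed-jwt-omitted"
	_, err = AcceptImplicitResponse(swapped, claims)
	fmt.Println("swapped:", err)
}
```

Two caveats a practitioner should keep in mind: the check only has value after the ID Token signature has been verified (otherwise the attacker rewrites the hash claim along with the token), and it only detects a substituted Access Token; replaying a complete, unmodified pair from another session is the job of the aud and nonce checks, not of the hash.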

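The "encryption with integrity using CBC" design that the Encryption section of the notes turns over (a per-message content master key, a KDF so that the encryption key and the HMAC key are never the same bytes, and an integrity tag on the CBC output), written out as an added Go example. It is not code from the thread or from JSMS or any JOSE draft: the derivation labels "enc" and "mac", the AES-256/HMAC-SHA256 sizes, and the iv||ciphertext||tag layout are this example's own choices, and the key-wrapping step that delivers the content master key to each recipient is deliberately left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// deriveKey is the KDF step: a labeled HMAC-SHA256 over the per-message
// content master key, so the CBC key and the HMAC key are never the same
// bytes. With a uniformly random CMK this is HKDF-Expand with one output block.
func deriveKey(cmk []byte, label string) []byte {
	m := hmac.New(sha256.New, cmk)
	m.Write([]byte(label))
	return m.Sum(nil) // 32 bytes: an AES-256 key or an HMAC-SHA256 key
}

// NewContentMasterKey draws a fresh 256-bit CMK for one message, so no
// long-term key is ever used directly on content. Wrapping it under each
// recipient's key (one wrapped copy per recipient) is outside this block.
func NewContentMasterKey() ([]byte, error) {
	cmk := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, cmk)
	return cmk, err
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// SealCBC: AES-256-CBC under the "enc" key, then HMAC-SHA256 under the "mac"
// key over iv||ciphertext (encrypt-then-MAC). Output is iv||ciphertext||tag.
func SealCBC(cmk, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(deriveKey(cmk, "enc"))
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct := pkcs7Pad(append([]byte(nil), plaintext...))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct)
	body := append(iv, ct...)
	mac := hmac.New(sha256.New, deriveKey(cmk, "mac"))
	mac.Write(body)
	return mac.Sum(body), nil
}

// OpenCBC checks the tag before touching the ciphertext, so a tampered or
// truncated message never reaches CBC decryption or the padding check.
func OpenCBC(cmk, sealed []byte) ([]byte, error) {
	if len(sealed) < 2*aes.BlockSize+sha256.Size {
		return nil, errors.New("message too short")
	}
	body, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	mac := hmac.New(sha256.New, deriveKey(cmk, "mac"))
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("integrity check failed")
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	block, err := aes.NewCipher(deriveKey(cmk, "enc"))
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	cmk, _ := NewContentMasterKey()
	msg := []byte(`{"iss":"https://op.example","sub":"248289761001"}`) // constructed claims
	sealed, _ := SealCBC(cmk, msg)
	pt, err := OpenCBC(cmk, sealed)
	fmt.Printf("cbc+hmac: %s %v\n", pt, err)
	sealed[aes.BlockSize] ^= 0x01 // flip one ciphertext bit
	_, err = OpenCBC(cmk, sealed)
	fmt.Println("tampered:", err)
}
```

This is the two-key branch of the question raised in the notes; the AEAD branch (GCM) would call deriveKey once, for the "enc" key only, and let cipher.NewGCM produce the tag, which is exactly the "you'd only get one key from the KDF" observation. Whichever mode is chosen, the always-use-a-KDF rule above is what keeps the option count small: the same CMK handling and the same wrapping step serve both.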
