[Openid-specs-ab] Spec call notes 20-Sep-12

Mike Jones Michael.Jones at microsoft.com
Thu Sep 20 15:14:07 UTC 2012


Spec call notes 20-Sep-12

John Bradley
Mike Jones
Nat Sakimura
Edmund Jay
Brian Campbell
Pamela Dingle

Agenda:
               OAuth SASL
               Editing
               Open Issues
               Interop
               IIW Events
               IETF Events

OAuth SASL:
               John reports that Google is moving their OAuth SASL support to OAuth 2.0, supporting IMAP, etc.
                              Called XOAuth 2
               What Google is doing is different than the draft standard
               Happening on the IETF kitten mailing list
               There is not necessarily a one-to-one mapping between resource servers and mailboxes
               We want mail clients, etc. to be able to use OpenID Connect, so hopefully this can stay aligned

Editing:
               Edmund made edits for #640 and #649
               John plans to try to close his open tickets before leaving for London on Sunday

Open Issues:
               No new open issues
               #636 JWT - intermediate audience claim
                              Mike added reference to his old on-behalf-of draft
                                             http://self-issued.info/docs/on-behalf-of.html
               #627 HTTP response code
                              About whether to follow redirects for the provider configuration
                              They would need to be over HTTPS
                              Consensus seems to be to not follow them, because anytime you could add a redirect you could add a file
                              Assigned to John
               #622 Discovery 2.1.2 - domain-literal and CFWS
                              Nat may have resolved this as a side effect of other edits he made.  He will verify.
               John will file a work item to review specs to ensure that using the OAuth client_credentials grant_type isn't precluded
               #614 Discovery - 3.2 Distinguishing between signature and integrity parameters for HMAC algorithms
                              Mike will make corresponding changes to the specs after the JOSE edits to combine the enc, int, and kdf parameters
               #595 Discovery 2 - No means of discovery without web server for domain
                              Mike earlier raised the issue of possible certificate difficulties with dedicated hosts such as swd. or webfinger.
                              We will discuss this at the in-person WG meeting at Google
                              Mike will also send a note about this to Google and Salesforce
               #604 All - Create a MTI section
                              Client and Server are different
                              Decisions:
                                             Servers must understand the request object
                                             Servers must understand signed request objects
                                             It's optional for servers to understand encrypted request objects
                                             It's optional for clients to understand aggregated and distributed claims
                              Open Issues to Specify:
                                             Does server have to support UserInfo endpoint?
                                             Does server have to be able to sign UserInfo endpoint response?
                                             Does server have to understand acr?
                                             (many others)
                              Mike suggested assigning this to someone to make a list for the in-person WG meeting
                                             Nat will make a list of issues and a proposal for the October 2012 in-person WG meeting
                                                            (which he will not be able to attend)
               #360 Registration 2.1 - What is application_type (native, web) used for?
                              George has proposed text
                              Brian pointed out we need to specify the expected behaviors when these parameters are used
                              Nat pointed out that we may need to differentiate web server and JavaScript client as well

Interop:
               Roland and Andreas were not on the call, so we didn't get an update on the RP interop testing work

IIW Events:
               John will send http://connect-wg-oct-2012.eventbrite.com/ to the openid-connect-interop list

IETF Events:
               John will ping Lucy again about the room