[Openid-specs-ab] "azp" issues

Salvatore D'Agostino sal at idmachines.com
Tue Apr 2 13:41:16 UTC 2013


Thanks for the call notes.  Quick question.

JWTs should be able to combine 1) and 2) if useful and work safely?

Sal
-----Original Message-----
From: Nat Sakimura [mailto:sakimura at gmail.com] 
Sent: Monday, April 01, 2013 8:53 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Spec call notes 1-Apr-13

Spec call notes 21-Mar-13
===========================

Date: 2013-04-01 23:00-24:00 UTC
Place: https://www3.gotomeeting.com/join/695548174

Attendee
----------------
John Bradley
Edmund Jay
Mike Jones
Nat Sakimura


Agenda:
----------------
- "azp" issues
- JOSE progress

"azp" issues:
---------------------
In the call, we have identified that "azp" may actually has two semantics in
one. 1) To whom it was issued, 2) Who is authorized to use it. In a bearer
access token case, 1) is the best it can be hoped for. For refresh token and
MAC or holder-of-key token, and JWT assertion case, 2) makes sense. Google's
case seem to be the case where 1) and 2) happens to be the same. From the
claim expression point of view, it probably is not ideal to conflate them,
but express them separately.



But don't preclude combining them in a token?




The people called in had consensus on dropping the sentence about "used as
access token" however.

For other points, the discussion was tabled for this call waiting for
concrete text proposal.

JOSE progress:
------------------------------------------
At the end of the call, we have discussed the current state of JOSE and how
the progress is being made towards the interim F2F.

Mike is editing the specs to put the decision from the list into the specs.
John is going to write some text wrt security.



--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6085 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130402/b4374746/attachment.bin>


More information about the Openid-specs-ab mailing list