[Openid-specs-ab] Spec call notes 18-Nov-13

Mike Jones Michael.Jones at microsoft.com
Mon Nov 18 23:54:36 UTC 2013


Spec call notes 18-Nov-13

Mike Jones
Nat Sakimura
Edmund Jay
Brian Campbell
John Bradley
Zhanna Tsitkova (observer from MIT Kerberos Consortium)

Agenda:
                Open Issues
                E-mails to the list
                Editing Status

Open Issues:
                #902 - Registration - 5.4 Client Read Error Response
                                Clarification of the 401 vs. 403 wording would be helpful
                                Mike will ask Justin about this on the mailing list
                Nothing significant on other issues besides what's in the tracker

E-mails to the list:
                "jti" claim in client_secret_jwt and private_key_jwt JWTs
                                We will say that it's single use unless otherwise negotiated
                Processing sector_identifier_uri values
                                We will say that the sector_identifier_uri is validated once at registration time and never fetched again
                Guidance on what the different flows are for
                                Addressed by new Introduction in Core
                Authorization Request or Authentication Request?
                                This is issue #896, which has been addressed
                                Reviews solicited
                Registration read error example missing body?
                                This is now included in issue #902
                Nonce value suggestion for the Implicit Flow
                                Justin proposed new text for Web Server clients.  The gist is:
                                Web server clients may store the nonce on the server as part of the server side session information
                                The server already identifies the browser through the session cookie in this case
                Review Comments on Dyn Reg
                                Comment on jwks_uri - about native clients not being able to use asymmetric keys
                                Native clients can use symmetric keys in the way we described
                                We would have to push a JWKS at registration time
                                                But this doesn't enable key rotation
                                There isn't a proposed change at this time
                                Discussion should continue
                                Nat will file a bug with possible proposed text

Editing Status:
                Mike is almost done applying Nat's review comments to Core
                Justin Richer's Core review will then be applied
                We need to verify that the F2F results are incorporated
                The last step for Core will be to move the ID Token section up
                At that point we should have a Core release candidate
                Following that, the reviews to the other specs will be applied
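
Added example, not part of the original call notes or of any OpenID specification text: one way a token endpoint could enforce the single-use "jti" decision above for client_secret_jwt and private_key_jwt assertions, in the default case where nothing else has been negotiated. It assumes the JWT signature, audience and client identity were already verified; the class name, the 300-second lifetime cap and the sample claims are constructed for illustration.

```python
import time


class JtiReplayCache:
    """Remembers (iss, jti) pairs of accepted client assertions until they expire."""

    def __init__(self, max_lifetime=300, clock=time.time):
        # Assumed policy: refuse assertions valid for longer than this many
        # seconds, so the cache never has to hold an entry indefinitely.
        self.max_lifetime = max_lifetime
        self.clock = clock
        self._seen = {}  # (iss, jti) -> exp

    def _evict(self, now):
        # An expired assertion is rejected on "exp" alone, so its jti can go.
        for key in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[key]

    def check_and_store(self, claims):
        """Return (accepted, reason) for claims whose signature is already verified."""
        now = self.clock()
        self._evict(now)
        iss, jti, exp = claims.get("iss"), claims.get("jti"), claims.get("exp")
        if not iss or not jti or not isinstance(exp, (int, float)):
            return False, "missing iss, jti or exp"
        if exp <= now:
            return False, "expired"
        if exp - now > self.max_lifetime:
            return False, "lifetime too long to track"
        # Key on the issuer (the client_id) so one client cannot burn another's jti.
        if (iss, jti) in self._seen:
            return False, "jti replayed"
        self._seen[(iss, jti)] = exp
        return True, "ok"


def demo():
    """Run constructed assertions through the cache with a fake clock."""
    now = [1_000_000.0]
    cache = JtiReplayCache(clock=lambda: now[0])
    a = {"iss": "client-a", "sub": "client-a", "jti": "n-001", "exp": now[0] + 60}
    results = [cache.check_and_store(a)]          # first presentation
    results.append(cache.check_and_store(a))      # same assertion replayed
    b = {**a, "iss": "client-b", "sub": "client-b"}
    results.append(cache.check_and_store(b))      # same jti, different client
    now[0] += 61
    results.append(cache.check_and_store(a))      # replay after expiry
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

In a multi-node deployment the dictionary would have to be replaced by a shared store with an atomic insert-if-absent, otherwise two nodes can each accept the same assertion once.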