<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Spec call notes 29-Aug-11<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Edmund Jay<o:p></o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">George Fletcher<o:p></o:p></p>
<p class="MsoNormal">John Bradley<o:p></o:p></p>
<p class="MsoNormal">Pamela Dingle<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Agenda:<o:p></o:p></p>
<p class="MsoNormal"> Preparing for summit in two weeks<o:p></o:p></p>
<p class="MsoNormal"> Steps to achieve an implementers draft<o:p></o:p></p>
<p class="MsoNormal"> id_token issue on mailing list<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Preparing for summit in two weeks:<o:p></o:p></p>
<p class="MsoNormal"> Need blog post with pointer to stable specs<o:p></o:p></p>
<p class="MsoNormal"> Close remaining open spec issues:<o:p></o:p></p>
<p class="MsoNormal"> Public key based verification rules<o:p></o:p></p>
<p class="MsoNormal"> Issuer, audience, etc. missing<o:p></o:p></p>
<p class="MsoNormal"> John will write text in next few days<o:p></o:p></p>
<p class="MsoNormal"> Inclusion of left or right hash of access token in ID token<o:p></o:p></p>
<p class="MsoNormal"> Because collision attacks are not a concern here, half the hash can be used<o:p></o:p></p>
<p class="MsoNormal"> Google worried about cut-and-paste attack, substituting one access token for another without the RP noticing<o:p></o:p></p>
<p class="MsoNormal"> Did we pick the right flow for Lite?<o:p></o:p></p>
<p class="MsoNormal"> Ought not to be used by non-SSL RPs<o:p></o:p></p>
<p class="MsoNormal"> They must use code flow<o:p></o:p></p>
<p class="MsoNormal"> Can be discussed in security considerations<o:p></o:p></p>
<p class="MsoNormal"> Secret type for authenticating to token endpoint<o:p></o:p></p>
<p class="MsoNormal"> Scope and claims related to the scope<o:p></o:p></p>
<p class="MsoNormal"> Remaining edits needed for specs<o:p></o:p></p>
<p class="MsoNormal"> Edmund wondered whether session management spec needs to be updated<o:p></o:p></p>
<p class="MsoNormal"> Need a close read of the messages spec<o:p></o:p></p>
<p class="MsoNormal"> Nat has read the standard spec closely<o:p></o:p></p>
<p class="MsoNormal"> Rename Lite to Basic Client<o:p></o:p></p>
<p class="MsoNormal"> Edmund has pending edits to the specs<o:p></o:p></p>
<p class="MsoNormal"> Pass id_token to the check_session endpoint as a parameter<o:p></o:p></p>
<p class="MsoNormal"> Introspection endpoint was renamed to check_session endpoint<o:p></o:p></p>
<p class="MsoNormal"> Interop status<o:p></o:p></p>
<p class="MsoNormal"> Edmund has a basic client and a basic server<o:p></o:p></p>
<p class="MsoNormal"> NRI Tokyo team is building standard server and standard client<o:p></o:p></p>
<p class="MsoNormal"> Without aggregated and distributed claims<o:p></o:p></p>
<p class="MsoNormal"> Sending a representative to the summit: Tatsuya Katsuhara<o:p></o:p></p>
<p class="MsoNormal"> Google has some kind of a server and some kind of client<o:p></o:p></p>
<p class="MsoNormal"> Need to follow up with them on what will be ready<o:p></o:p></p>
<p class="MsoNormal"> rack-oauth person will participate remotely: Nov Matake<o:p></o:p></p>
<p class="MsoNormal"> Ruby implementation<o:p></o:p></p>
<p class="MsoNormal"> Ping plans to bring an Authorization Server implementation<o:p></o:p></p>
<p class="MsoNormal"> We don't know about Salesforce or Newcastle<o:p></o:p></p>
<p class="MsoNormal"> Roland from FedLab is coming but likely will not have code to show<o:p></o:p></p>
<p class="MsoNormal"> John trying to get a Drupal 6 implementation, but may not be done in time<o:p></o:p></p>
<p class="MsoNormal"> Andrew Arnott is not doing an implementation at present<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> We need to begin ad-hoc interop work before the summit<o:p></o:p></p>
<p class="MsoNormal"> First, just see if implementations can communicate at all<o:p></o:p></p>
<p class="MsoNormal"> Test whether claims can be communicated from the UserInfo endpoint<o:p></o:p></p>
<p class="MsoNormal"> At this interop, expect pre-configuration to be the norm, rather than discovery<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> We need to create a mailing list for the interop participants<o:p></o:p></p>
<p class="MsoNormal"> Pam will do tonight<o:p></o:p></p>
<p class="MsoNormal"> Called OpenID Connect Interop - openid-connect-interop@googlegroups.com<o:p></o:p></p>
<p class="MsoNormal"> http://groups.google.com/group/openid-connect-interop?hl=en<o:p></o:p></p>
<p class="MsoNormal"> People should e-mail the names of members for the list to Pam at pdingle@pingidentity.com<o:p></o:p></p>
<p class="MsoNormal"> Edmund and John and Nat and Breno and Johnny should be on it<o:p></o:p></p>
<p class="MsoNormal"> Mike and John will also be list administrators<o:p></o:p></p>
<p class="MsoNormal"> Andreas and Roland Hedberg also<o:p></o:p></p>
<p class="MsoNormal"> Chuck too<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Edit plan:<o:p></o:p></p>
<p class="MsoNormal"> Mike to rename Lite to Basic client and check in<o:p></o:p></p>
<p class="MsoNormal"> Everything in Lite should be in other specs<o:p></o:p></p>
<p class="MsoNormal"> Then John will apply other edits<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Spec Issues:<o:p></o:p></p>
<p class="MsoNormal"> Public key based verification rules<o:p></o:p></p>
<p class="MsoNormal"> John writing up a proposal<o:p></o:p></p>
<p class="MsoNormal"> Inclusion of left or right hash of access token in ID token<o:p></o:p></p>
<p class="MsoNormal"> Consensus to do that<o:p></o:p></p>
<p class="MsoNormal"> Breno owes us a concrete proposal<o:p></o:p></p>
<p class="MsoNormal"> John will follow up with Breno<o:p></o:p></p>
<p class="MsoNormal"> Did we pick the right flow for Lite?<o:p></o:p></p>
<p class="MsoNormal"> For now, leave it alone and deal with it in Security Considerations<o:p></o:p></p>
<p class="MsoNormal"> Secret type for authenticating to token endpoint<o:p></o:p></p>
<p class="MsoNormal"> Need extra parameter in case you are using a JWT to authenticate<o:p></o:p></p>
<p class="MsoNormal"> Edmund will send text to John and Mike<o:p></o:p></p>
<p class="MsoNormal"> Scope and claims related to the scope<o:p></o:p></p>
<p class="MsoNormal"> Need consensus on what we should be doing in this regard<o:p></o:p></p>
<p class="MsoNormal"> Some want only one scope<o:p></o:p></p>
<p class="MsoNormal"> Some want multiple granular scopes<o:p></o:p></p>
<p class="MsoNormal"> Some feel that the duplication with the request is bad for interop<o:p></o:p></p>
<p class="MsoNormal"> Specs currently include: openid (id_token), profile (default user_info), address, email<o:p></o:p></p>
<p class="MsoNormal"> No consensus to change this before the summit<o:p></o:p></p>
<p class="MsoNormal"> Can be changed later if consensus to do so<o:p></o:p></p>
<p class="MsoNormal"> Whether and how to support id_token types other than JWT<o:p></o:p></p>
<p class="MsoNormal"> Currently must be a JWT in Standard spec<o:p></o:p></p>
<p class="MsoNormal"> Not a consensus to do anything relative to this before the summit<o:p></o:p></p>
<p class="MsoNormal"> Whether to use longer field identifiers in JWTs<o:p></o:p></p>
<p class="MsoNormal"> Not a consensus to make any identifier changes at present<o:p></o:p></p>
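<p class="MsoNormal">As an added example that is not part of these notes: the access-token hash binding discussed above (the item Google raised about one access token being substituted for another), together with the issuer and audience checks the notes list as still missing from the verification rules. The claim name at_hash, the left-half-of-SHA-256 rule, the sample issuer and tokens are assumptions (the first two follow what OpenID Connect Core later standardized); the JWS signature check over the claims is assumed to happen separately.<o:p></o:p></p>

```python
import base64
import hashlib
import hmac

def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT/JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def access_token_hash(access_token: str, digest: str = "sha256") -> str:
    """Left half of the hash of the access token's ASCII octets, base64url-encoded.
    Half the digest is enough: the RP already holds the access token, so a forger
    needs a second preimage of the half-hash, not merely a collision.
    Assumed rule; it matches the at_hash definition OpenID Connect Core adopted."""
    h = hashlib.new(digest, access_token.encode("ascii")).digest()
    return b64url(h[: len(h) // 2])

def build_id_token_claims(issuer: str, client_id: str, subject: str,
                          access_token: str, now: int, lifetime: int = 300) -> dict:
    """OP side: ID token claims bound to the access token issued alongside it."""
    return {"iss": issuer, "sub": subject, "aud": client_id,
            "iat": now, "exp": now + lifetime,
            "at_hash": access_token_hash(access_token)}

def verify_id_token_claims(claims: dict, expected_issuer: str, client_id: str,
                           access_token: str, now: int) -> list:
    """RP side: returns the list of failed checks (empty list means all passed).
    Assumes the JWS signature over these claims was verified beforehand."""
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not include this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("exp missing or in the past")
    # Constant-time compare; a mismatch means the access token presented with this
    # ID token is not the one it was issued with (the cut-and-paste concern above).
    if not hmac.compare_digest(str(claims.get("at_hash", "")),
                               access_token_hash(access_token)):
        problems.append("at_hash mismatch")
    return problems

# Constructed sample values, not real tokens or endpoints.
OP_ISSUER = "https://op.example"
CLIENT_ID = "rp-client-1"
TOKEN_A = "access-token-A"
TOKEN_B = "access-token-B"
NOW = 1314576000  # 29-Aug-2011 00:00:00 UTC
```

<p class="MsoNormal">Running verify_id_token_claims with the token the ID token was issued for returns an empty list; presenting a different access token alongside the same ID token is reported as an at_hash mismatch.<o:p></o:p></p>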
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Steps to achieve an implementers draft:<o:p></o:p></p>
<p class="MsoNormal"> Should be a topic at the summit<o:p></o:p></p>
<p class="MsoNormal"> Use the summit to close remaining issues<o:p></o:p></p>
<p class="MsoNormal"> Then go to an implementers draft<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>