<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Spec call notes 9-Apr-12<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">John Bradley<o:p></o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">George Fletcher<o:p></o:p></p>
<p class="MsoNormal">Edmund Jay<o:p></o:p></p>
<p class="MsoNormal">Pamela Dingle<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Agenda:<o:p></o:p></p>
<p class="MsoNormal"> Editing<o:p></o:p></p>
<p class="MsoNormal"> Reviewing New Text<o:p></o:p></p>
<p class="MsoNormal"> New Open Issues<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Editing:<o:p></o:p></p>
<p class="MsoNormal"> All the tracked edits are in for the release<o:p></o:p></p>
<p class="MsoNormal"> Mike is finishing the consistency checks for the release<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Reviewing New Text:<o:p></o:p></p>
<p class="MsoNormal"> John isn't certain that his example JavaScript in Basic is correct<o:p></o:p></p>
<p class="MsoNormal"> Nat will review<o:p></o:p></p>
<p class="MsoNormal"> Edmund believes some things are missing. He will work with John.<o:p></o:p></p>
<p class="MsoNormal"> John will change the name of the queryString variable in the example<o:p></o:p></p>
<p class="MsoNormal"> Mike asked whether this example also belongs in Standard, since Basic is a profile<o:p></o:p></p>
<p class="MsoNormal"> Nat and John weren't convinced that it does<o:p></o:p></p>
<p class="MsoNormal"> Token Hash algorithm (at_hash)<o:p></o:p></p>
<p class="MsoNormal"> Basic says SHA256 hash is used<o:p></o:p></p>
<p class="MsoNormal"> The problem is that the Check ID endpoint hides the signature processing from the client<o:p></o:p></p>
<p class="MsoNormal"> This isn't a problem with the code flow<o:p></o:p></p>
<p class="MsoNormal"> We may want to revisit this decision in the context of other changes<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">New Open Issues:<o:p></o:p></p>
<p class="MsoNormal"> #567: Basic - Use grant type code instead of implicit grant<o:p></o:p></p>
<p class="MsoNormal"> George and Pam appeared supportive of Torsten's proposal<o:p></o:p></p>
<p class="MsoNormal"> #568: Basic - Drop the need for signature validation in basic profile<o:p></o:p></p>
<p class="MsoNormal"> Actually, drop need for signature validation in the code flow<o:p></o:p></p>
<p class="MsoNormal"> #569: Basic - Drop nonce from basic profile<o:p></o:p></p>
<p class="MsoNormal"> Single use may be difficult for geo-distributed implementations<o:p></o:p></p>
<p class="MsoNormal"> John adding comment to that effect<o:p></o:p></p>
<p class="MsoNormal"> We are leaning towards not requiring nonce, but still allowing it in Messages<o:p></o:p></p>
<p class="MsoNormal"> #570: General - removal of checkid endpoint<o:p></o:p></p>
<p class="MsoNormal"> Signature checking still needed for implicit flow - can be done by client<o:p></o:p></p>
<p class="MsoNormal"> Nat points out that without Check ID endpoint, we lose the ability to use a symmetric signature<o:p></o:p></p>
<p class="MsoNormal"> John believes that this observation is a red herring<o:p></o:p></p>
<p class="MsoNormal"> John points out that there are RSA libraries available for JavaScript<o:p></o:p></p>
<p class="MsoNormal"> #571: General - removal of symmetric signatures for id tokens<o:p></o:p></p>
<p class="MsoNormal"> Or possibly make asymmetric the default?<o:p></o:p></p>
<p class="MsoNormal"> Removing it entirely would let us remove large parts of the spec<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> We will talk about all of these more in Germany and at the pre-IIW meeting at Yahoo!<o:p></o:p></p>
<p class="MsoNormal"> People should add their thoughts to the issues. We will try to close them at the pre-IIW WG meeting.<o:p></o:p></p>
</div>
</body>
</html>