<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Spec call notes 20-Sep-12<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">John Bradley<o:p></o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">Edmund Jay<o:p></o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal">Pamela Dingle<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Agenda:<o:p></o:p></p>
<p class="MsoNormal"> OAuth SASL<o:p></o:p></p>
<p class="MsoNormal"> Editing<o:p></o:p></p>
<p class="MsoNormal"> Open Issues<o:p></o:p></p>
<p class="MsoNormal"> Interop<o:p></o:p></p>
<p class="MsoNormal"> IIW Events<o:p></o:p></p>
<p class="MsoNormal"> IETF Events<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OAuth SASL:<o:p></o:p></p>
<p class="MsoNormal"> John reports that Google is moving their OAuth SASL support to OAuth 2.0, supporting IMAP, etc.<o:p></o:p></p>
<p class="MsoNormal"> Called XOAuth 2<o:p></o:p></p>
<p class="MsoNormal"> What Google is doing is different than the draft standard<o:p></o:p></p>
<p class="MsoNormal"> Happening on the IETF kitten mailing list<o:p></o:p></p>
<p class="MsoNormal"> There is not necessarily a one-to-one mapping between resource servers and mailboxes<o:p></o:p></p>
<p class="MsoNormal"> We want mail clients, etc. to be able to use OpenID Connect, so hopefully this can stay aligned<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Editing:<o:p></o:p></p>
<p class="MsoNormal"> Edmund made edits for #640 and #649<o:p></o:p></p>
<p class="MsoNormal"> John plans to try to close his open tickets before leaving for London on Sunday<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues:<o:p></o:p></p>
<p class="MsoNormal"> No new open issues<o:p></o:p></p>
<p class="MsoNormal"> #636 JWT - intermediate audience claim<o:p></o:p></p>
<p class="MsoNormal"> Mike added reference to his old on-behalf-of draft<o:p></o:p></p>
<p class="MsoNormal"> http://self-issued.info/docs/on-behalf-of.html<o:p></o:p></p>
<p class="MsoNormal"> #627 HTTP response code<o:p></o:p></p>
<p class="MsoNormal"> About whether to follow redirects for the provider configuration<o:p></o:p></p>
<p class="MsoNormal"> They would need to be over HTTPS<o:p></o:p></p>
<p class="MsoNormal"> Consensus seems to be to not follow them, because anytime you could add a redirect you could add a file<o:p></o:p></p>
<p class="MsoNormal"> Assigned to John<o:p></o:p></p>
<p class="MsoNormal"> #622 Discovery 2.1.2 - domain-literal and CFWS<o:p></o:p></p>
<p class="MsoNormal"> Nat may have resolved this as a side effect of other edits he made. He will verify.<o:p></o:p></p>
<p class="MsoNormal"> John will file a work item to review specs to ensure that using the OAuth client_credentials grant_type isn't precluded<o:p></o:p></p>
<p class="MsoNormal"> #614 Discovery - 3.2 Distinguishing between signature and integrity parameters for HMAC algorithms<o:p></o:p></p>
<p class="MsoNormal"> Mike will make corresponding changes to the specs after the JOSE edits to combine the enc, int, and kdf parameters<o:p></o:p></p>
<p class="MsoNormal"> #595 Discovery 2 - No means of discovery without web server for domain<o:p></o:p></p>
<p class="MsoNormal"> Mike earlier raised the issue of possible certificate difficulties with dedicated hosts such as swd. or webfinger.<o:p></o:p></p>
<p class="MsoNormal"> We will discuss this at the in-person WG meeting at Google<o:p></o:p></p>
<p class="MsoNormal"> Mike will also send a note about this to Google and Salesforce<o:p></o:p></p>
<p class="MsoNormal"> #604 All - Create a MTI section<o:p></o:p></p>
<p class="MsoNormal"> Client and Server are different<o:p></o:p></p>
<p class="MsoNormal"> Decisions:<o:p></o:p></p>
<p class="MsoNormal"> Servers must understand the request object<o:p></o:p></p>
<p class="MsoNormal"> Servers must understand signed request objects<o:p></o:p></p>
<p class="MsoNormal"> It's optional for servers to understand encrypted request objects<o:p></o:p></p>
<p class="MsoNormal"> It's optional for clients to understand aggregated and distributed claims<o:p></o:p></p>
<p class="MsoNormal"> Open Issues to Specify:<o:p></o:p></p>
<p class="MsoNormal"> Does server have to support UserInfo endpoint?<o:p></o:p></p>
<p class="MsoNormal"> Does server have to be able to sign UserInfo endpoint response?<o:p></o:p></p>
<p class="MsoNormal"> Does server have to understand acr?<o:p></o:p></p>
<p class="MsoNormal"> (many others)<o:p></o:p></p>
<p class="MsoNormal"> Mike suggested assigning this to someone to make a list for the in-person WG meeting<o:p></o:p></p>
<p class="MsoNormal"> Nat will make a list of issues and a proposal for the October 2012 in-person WG meeting<o:p></o:p></p>
<p class="MsoNormal"> (which he will not be able to attend)<o:p></o:p></p>
<p class="MsoNormal"> #360 Registration 2.1 - What is application_type (native, web) used for?<o:p></o:p></p>
<p class="MsoNormal"> George has proposed text<o:p></o:p></p>
<p class="MsoNormal"> Brian pointed out we need to specify the expected behaviors when these parameters are used<o:p></o:p></p>
<p class="MsoNormal"> Nat pointed out that we may need to differentiate web server and JavaScript client as well<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Interop:<o:p></o:p></p>
<p class="MsoNormal"> Roland and Andreas were not on the call, so we didn't get an update on the RP interop testing work<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">IIW Events:<o:p></o:p></p>
<p class="MsoNormal"> John will send http://connect-wg-oct-2012.eventbrite.com/ to the openid-connect-interop list<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">IETF Events:<o:p></o:p></p>
<p class="MsoNormal"> John will ping Lucy again about the room<o:p></o:p></p>
</div>
</body>
</html>