<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Spec call notes 4-Feb-13<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Edmund Jay<o:p></o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal">Pamela Dingle<o:p></o:p></p>
<p class="MsoNormal">John Bradley<o:p></o:p></p>
<p class="MsoNormal">Tim Bray<o:p></o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">Naveen Agarwal<o:p></o:p></p>
<p class="MsoNormal">Breno de Medeiros<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Agenda:<o:p></o:p></p>
<p class="MsoNormal"> New Open Issues<o:p></o:p></p>
<p class="MsoNormal"> MTI for OpenID Request Object<o:p></o:p></p>
<p class="MsoNormal"> JOSE poll about whether headers must be understood<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">New Open Issues:<o:p></o:p></p>
<p class="MsoNormal"> We went through most of the new open issues before starting the MTI discussion with Breno and Naveen<o:p></o:p></p>
<p class="MsoNormal"> See the issues themselves for resolutions<o:p></o:p></p>
<p class="MsoNormal"> We closed many of the registration issues<o:p></o:p></p>
<p class="MsoNormal"> We left open whether to switch registration to a JSON request format, pending further discussion<o:p></o:p></p>
<p class="MsoNormal"> We'll probably discuss this on Thursday's call<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">MTI for OpenID Request Object:<o:p></o:p></p>
<p class="MsoNormal"> Enables, signed requests, requests for individual claims<o:p></o:p></p>
<p class="MsoNormal"> Breno suggested that another possible processing rule is to ignore everything outside the request object<o:p></o:p></p>
<p class="MsoNormal"> Breno suggested that claims requests might be separated from the request object<o:p></o:p></p>
<p class="MsoNormal"> Breno suggested that max_age could be a parameter, as should other commonly used request parameters<o:p></o:p></p>
<p class="MsoNormal"> Breno wants the request object to essentially be a JSON serialization of the request parameters<o:p></o:p></p>
<p class="MsoNormal"> Breno asserted that the claims request need not be signed<o:p></o:p></p>
<p class="MsoNormal"> Breno said that signing the request object provides security to the OP<o:p></o:p></p>
<p class="MsoNormal"> whereas he said that the claims reflect security/privacy policies of the RP<o:p></o:p></p>
<p class="MsoNormal"> Breno wants to hear form others such as Salesforce about whether signed requests should be part of the MTI<o:p></o:p></p>
<p class="MsoNormal"> We agreed to make max_age and preferred_locales top-level parameters<o:p></o:p></p>
<p class="MsoNormal"> We agreed that it would be valuable to make the ability to request things independent of whether the request is signed<o:p></o:p></p>
<p class="MsoNormal"> Mike asked whether he should create a distinct "claims" parameter separate from the "request" parameter<o:p></o:p></p>
<p class="MsoNormal"> A discussion ensued about what encodings should be used for the claims<o:p></o:p></p>
<p class="MsoNormal"> Breno suggested %-encoding the JSON rather than base64url encoding it<o:p></o:p></p>
<p class="MsoNormal"> Base64url encoding is only needed for signature validation<o:p></o:p></p>
<p class="MsoNormal"> He said that %-encoding is fine for the claims request<o:p></o:p></p>
<p class="MsoNormal"> Whereas it would just be JSON in the request object<o:p></o:p></p>
<p class="MsoNormal"> We would use UTF-8 %-encoding for the JSON<o:p></o:p></p>
<p class="MsoNormal"> This would likely help us make progress on MTI consensus<o:p></o:p></p>
<p class="MsoNormal"> It makes things more orthogonal, so each request parameter can be considered (mostly) independently<o:p></o:p></p>
<p class="MsoNormal"> We agreed that doing these changes would help us better understand the choices and move towards consensus<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">JOSE poll about whether headers must be understood<o:p></o:p></p>
<p class="MsoNormal"> Karen O'Donoghue sent the message "[jose] POLL(s): header criticality" this morning<o:p></o:p></p>
<p class="MsoNormal"> This will help close an issue that needs to be closed before working group last call<o:p></o:p></p>
<p class="MsoNormal"> Outcome B (and possibly C) to the third question would break every JWT and JOSE structure<o:p></o:p></p>
<p class="MsoNormal"> John and Mike will compose a note to the connect working group about this<o:p></o:p></p>
</div>
</body>
</html>