<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">OpenID Meeting at IETF 86 - 10-Mar-13<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Attendees:<o:p></o:p></p>
<p class="MsoNormal"> Mike Jones<o:p></o:p></p>
<p class="MsoNormal"> Tatsuya Hayashi<o:p></o:p></p>
<p class="MsoNormal"> Boku Kihara<o:p></o:p></p>
<p class="MsoNormal"> Uwe Rauschenbach<o:p></o:p></p>
<p class="MsoNormal"> Christine Runnegar<o:p></o:p></p>
<p class="MsoNormal"> Robin Wilton<o:p></o:p></p>
<p class="MsoNormal"> Karen O'Donoghue<o:p></o:p></p>
<p class="MsoNormal"> Salvatore Loreto<o:p></o:p></p>
<p class="MsoNormal"> Derek Atkins<o:p></o:p></p>
<p class="MsoNormal"> Wolfgang Beck<o:p></o:p></p>
<p class="MsoNormal"> Stina Ehrensvard<o:p></o:p></p>
<p class="MsoNormal"> Lucy Lynch<o:p></o:p></p>
<p class="MsoNormal"> Leif Johansson<o:p></o:p></p>
<p class="MsoNormal"> Roland Hedberg<o:p></o:p></p>
<p class="MsoNormal"> John Bradley<o:p></o:p></p>
<p class="MsoNormal"> Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal"> Stephen Farrell<o:p></o:p></p>
<p class="MsoNormal"> Jim Schaad<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">See the attached deck "OpenID Meeting.pptx" for the meeting agenda<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Implementer's Drafts<o:p></o:p></p>
<p class="MsoNormal"> We discussed our progress towards Implementer's Drafts<o:p></o:p></p>
<p class="MsoNormal"> Release candidates were published this week<o:p></o:p></p>
<p class="MsoNormal"> It probably makes sense to wait until the end of IETF to publish Implementer's Drafts<o:p></o:p></p>
<p class="MsoNormal"> because some changes may occur in JOSE, etc.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OAuth Security Discussion<o:p></o:p></p>
<p class="MsoNormal"> We discussed recent OAuth security breaches and how they relate to OpenID Connect<o:p></o:p></p>
<p class="MsoNormal"> John described how the breaches are the result of bad implementations not following normal security practices<o:p></o:p></p>
<p class="MsoNormal"> We described ways in which OpenID Connect places additional requirements for security purposes beyond OAuth<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Interoperability Discussion<o:p></o:p></p>
<p class="MsoNormal"> We discussed how the OpenID Connect interop testing is testing both Connect and an OAuth profile<o:p></o:p></p>
<p class="MsoNormal"> There are presently 16 implementations participating<o:p></o:p></p>
<p class="MsoNormal"> See http://osis.idcommons.net/<o:p></o:p></p>
<p class="MsoNormal"> We plan to start a new round of interop testing once the Implementer's Drafts are published<o:p></o:p></p>
<p class="MsoNormal"> Roland Hedberg described his test tools that are funded by GÉANT and how they're used<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Compliance Testing<o:p></o:p></p>
<p class="MsoNormal"> We discussed the possibility of doing OpenID Connect certification once the Connect specs are final<o:p></o:p></p>
<p class="MsoNormal"> Informal discussions have occurred between several parties about this possibility<o:p></o:p></p>
<p class="MsoNormal"> The OpenID Board discussed this possibility at its board meeting at RSA<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Using OpenID Connect for unmodified non-Web clients<o:p></o:p></p>
<p class="MsoNormal"> Nat Sakimura described work being done by NRI on using OpenID Connect for unmodified clients such as IMAP<o:p></o:p></p>
<p class="MsoNormal"> The access token is used as the password value<o:p></o:p></p>
<p class="MsoNormal"> We talked about the relationship of this work to GSSAPI<o:p></o:p></p>
<p class="MsoNormal"> See the attached deck "Using OpenID Connect on Non-Web environment.pptx"<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">RS-AS Communication<o:p></o:p></p>
<p class="MsoNormal"> Nat gave a presentation on Resource Server / Authorization Server communication<o:p></o:p></p>
<p class="MsoNormal"> See the attached deck RS-AS-Communication.pptx<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">UserInfo Claims<o:p></o:p></p>
<p class="MsoNormal"> We discussed people's requests for several additions to the standard set of claims<o:p></o:p></p>
<p class="MsoNormal"> Separate display and machine-usable phone number representations, per issue #800<o:p></o:p></p>
<p class="MsoNormal"> Mobile phone number<o:p></o:p></p>
<p class="MsoNormal"> Verified phone number<o:p></o:p></p>
<p class="MsoNormal"> Country Code<o:p></o:p></p>
<p class="MsoNormal"> We also discussed the semantics of email_verified, per issue #797<o:p></o:p></p>
<p class="MsoNormal"> Nat discussed legal requirements for a verified phone number in some jurisdictions<o:p></o:p></p>
<p class="MsoNormal"> People were against inventing full-blown Connect-specific schemas for phone numbers<o:p></o:p></p>
<p class="MsoNormal"> We tentatively decided to add phone_number_verified, per issue #806<o:p></o:p></p>
<p class="MsoNormal"> Nat will investigate whether this meets the legal needs in Japan<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Meeting in Berlin<o:p></o:p></p>
<p class="MsoNormal"> We agreed that it would be useful to have another meeting like this one in Berlin<o:p></o:p></p>
<p class="MsoNormal"> Lucy will put in a meeting request for us<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Links:<o:p></o:p></p>
<p class="MsoNormal"> Released OpenID Connect specs:<o:p></o:p></p>
<p class="MsoNormal"> http://openid.net/connect<o:p></o:p></p>
<p class="MsoNormal"> Working Drafts of OpenID Connect specs:<o:p></o:p></p>
<p class="MsoNormal"> http://openid.bitbucket.org/<o:p></o:p></p>
<p class="MsoNormal"> OpenID Connect open issues:<o:p></o:p></p>
<p class="MsoNormal"> https://bitbucket.org/openid/connect/issues?status=new&status=open&sort=-id<o:p></o:p></p>
<p class="MsoNormal"> OpenID Connect Interop (on the OSIS site)<o:p></o:p></p>
<p class="MsoNormal"> http://osis.idcommons.net/<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>