<div dir="ltr">Yeah. I was a bit surprised by the state of Standard. <div style>Message seems to be fairly good, as far as I remember I read it through last time. </div><div style><br></div><div style>Here is a word version of it with comments - I did it till the end of the Section 1. </div>
<div style>Apparently, the definition of Authentication was not working, so I rewrote it. </div><div style>I added a few others with comments. I removed your text about RFC 4949 at the begining of the Terminology section, since there is no single definition of validation and verification in the document. The definition I extracted is buried inside the validation vs. verification tutorial. So, instead, I added the actual definition to ther Terminology. </div>
<div style><br></div><div style>I also added Identity and Identifier as they are very often mistaken and conflated words. </div><div style><br></div><div style><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
2013/6/4 Mike Jones <span dir="ltr"><<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">It’s my sense that we’ve been getting good feedback on Basic, Implicit, Messages, Discovery, and Registration all along because of the developers implementing
them. Standard less so, because in practice, you can implement most everything by just reading Messages (or by supplementing Messages with Basic and Implicit). Session Management has had less feedback because there has been less implementation work to date.
(That said, Microsoft developers have recently read through it, which resulted in some of the good feedback we’ve received lately – for instance resulting in the practical refinements to RP-initiated logout.)<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">There’s always room for improvement. But my sense is that, after the round of changes that we’ve already agreed to, we’re ready for the Implementer’s Drafts.
More review is always good, but as they say at Microsoft, “shipping is a feature too”.
</span><span style="font-size:11.0pt;font-family:Wingdings;color:#1f497d">J</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> -- Mike<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Nat Sakimura [mailto:<a href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>]
<br>
<b>Sent:</b> Monday, June 03, 2013 10:37 AM</span></p><div><div class="h5"><br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>; John Bradley<br>
<b>Subject:</b> Re: Connect Standard annotated word version<u></u><u></u></div></div><p></p><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">I +1'ed to #848. <u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Re: authentication definition: In reviewing your comment back to my word comment, I found a descrepancy with the current definition. We are using a phrase like authenticate client and client authentication. Thus, the definition of authentication
MUST NOT include "End-user". This is a Messages issue, by the way. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I have done this detail of the read only to Standard. Has anyone else did a careful read on other specs? <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">If we distribute the work, we could finish it in one day. I have only a few hours a day that I can allocate to this, and is taking too long to do. (Now, decreasing sleeping hours is not an option here. I have been working more than 20 hours
a day last couple of business days.) I do not want to hold it off, but the goal of 2nd Implementer's draft is to publish something completely stable. I think we are in a pretty good shape for Standard now. (If we remove the examples for JWS and JWE, I doubt
that we need to touch the text even JWS/JWE changes.) <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">The question is: has the same level of vetting done on other specs? <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p>
<div>
<p class="MsoNormal">2013/6/4 Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>><u></u><u></u></p>
<p class="MsoNormal">OK - I'll give you this "SHOULD" if you give me the language proposed in #848 that John signed off on. :-)<br>
<br>
Then, subject to other working group input, I think we will have reached closure on all the proposed changes so we can get back to having proposed Implementer's Drafts today again.<br>
<span style="color:#888888"><br>
<span> -- Mike</span></span><u></u><u></u></p>
<div>
<p class="MsoNormal"><br>
-----Original Message-----<br>
From: Nat Sakimura [mailto:<a href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>]<u></u><u></u></p>
</div>
<div>
<div>
<p class="MsoNormal">Sent: Monday, June 03, 2013 9:16 AM<br>
To: Mike Jones<br>
Cc: <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>; John Bradley<br>
Subject: Re: Connect Standard annotated word version<br>
<br>
Jun 4, 2013 0:34<span lang="JA">�$B!"�(B</span>Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:<br>
<br>
> As for changing the prompt:consent MUST to a SHOULD, I don’t<br>
> understand the “obvious from other actions” comment,<br>
<br>
It is quite well known concept.<br>
For example, when you have ordered something to be delivered to your home, you do not need an explicit consent for it since it is obvious.<br>
<br>
Explicit consent really only one of the possible conditions for processing even in EU Data Protection directive.<br>
<br>
In Japan, we are even talking of banning unnecessary explicit consent right now in a government committee. A protocol should not step on these legal issues. It MAY say SHOULD but not MUST.<br>
<br>
As to Pavlov effect, we are not talking about one RP here. It is potentially thousands of them. An OP should have some room to deal with it in the sense of consumer protection. Again, a protocol should not be prescriptive here. OP should be able not to show
the consent dialogue and return an assertion without attributes other than that of authentication event.<u></u><u></u></p>
</div>
</div>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">-- <br>
Nat Sakimura (=nat)<u></u><u></u></p>
<div>
<p class="MsoNormal">Chairman, OpenID Foundation<br>
<a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en<u></u><u></u></p>
</div>
</div>
</div></div></div>
</div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div>
</div>