<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"MS Gothic";
panose-1:2 11 6 9 7 2 5 8 2 4;}
@font-face
{font-family:"MS Gothic";
panose-1:2 11 6 9 7 2 5 8 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"\@MS Gothic";
panose-1:2 11 6 9 7 2 5 8 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">On Karen’s advice, unless things get off track again, I think we should keep sitting on the note. She’s already very aware of it (being on this list) and proactively
sent her note titled “thoughts on deployed code and breaking changes” saying “</span>at this point, without a strong rationale and a ground swell of working group support, we should work to complete what we have<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">”
and “</span>Any major refactoring or new functionality should be deferred as future work<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">”.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I think she believes that that note from her will be more effective in getting the working group to focus on finishing than a note from the OpenID Foundation,
and to date, I have to give her credit that issues are now being closed in a more timely manner. We should, of course, all remain actively involved until the specs are actually RFCs.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">(The same is true not only for the JOSE specs, but also JWT, OAuth Assertions, OAuth JWT Bearer Profile, OAuth Dynamic Registration, WebFinger, and Acct – all
of which we have dependencies on.)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> Cheers,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> openid-specs-ab-bounces@lists.openid.net [mailto:openid-specs-ab-bounces@lists.openid.net]
<b>On Behalf Of </b>Tim Bray<br>
<b>Sent:</b> Monday, June 17, 2013 10:15 AM<br>
<b>To:</b> Justin Richer<br>
<b>Cc:</b> openid-specs-ab@lists.openid.net<br>
<b>Subject:</b> Re: [Openid-specs-ab] Fwd: Re: Draft note to IETF<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">BTW, I’m sitting on this for a couple of days to see how things swing following the JOSE telecon today. -T<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Mon, Jun 17, 2013 at 9:06 AM, Justin Richer <<a href="mailto:jricher@mitre.org" target="_blank">jricher@mitre.org</a>> wrote:<o:p></o:p></p>
<div>
<p class="MsoNormal">Forwarding Nat's response out to the wider list, as I believe that was his intent.<o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
-------- Original Message -------- <o:p></o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td nowrap="" valign="top" style="padding:0in 0in 0in 0in">
<p class="MsoNormal" align="right" style="text-align:right"><b>Subject: <o:p></o:p></b></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Re: [Openid-specs-ab] Draft note to IETF<o:p></o:p></p>
</td>
</tr>
<tr>
<td nowrap="" valign="top" style="padding:0in 0in 0in 0in">
<p class="MsoNormal" align="right" style="text-align:right"><b>Date: <o:p></o:p></b></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Tue, 18 Jun 2013 00:04:36 +0900<o:p></o:p></p>
</td>
</tr>
<tr>
<td nowrap="" valign="top" style="padding:0in 0in 0in 0in">
<p class="MsoNormal" align="right" style="text-align:right"><b>From: <o:p></o:p></b></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Nat Sakimura <a href="mailto:sakimura@gmail.com" target="_blank">
<sakimura@gmail.com></a><o:p></o:p></p>
</td>
</tr>
<tr>
<td nowrap="" valign="top" style="padding:0in 0in 0in 0in">
<p class="MsoNormal" align="right" style="text-align:right"><b>To: <o:p></o:p></b></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Justin Richer <a href="mailto:jricher@mitre.org" target="_blank">
<jricher@mitre.org></a><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">... and so is NRI; NRI has implemented OpenID Connect for several major identity providers in Japan. <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">2013/6/17 Justin Richer <<a href="mailto:jricher@mitre.org" target="_blank">jricher@mitre.org</a>><o:p></o:p></p>
<div>
<p class="MsoNormal">MITRE's implementation has been live on our public server for nearly a year now, and a number of other groups have used the MITREid Connect open source project in their own deployments.
<br>
<span style="color:#888888"><br>
-- Justin</span> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 06/15/2013 02:53 AM, Torsten Lodderstedt wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Deutsche Telekom's implementation is available in production since last Wednesday.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Regards,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Torsten.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
Am 13.06.2013 um 18:32 schrieb Brian Campbell <<a href="mailto:bcampbell@pingidentity.com" target="_blank">bcampbell@pingidentity.com</a>>:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">Also, FWIW, Ping Identity's initial OpenID Connect product support went from just "announced" to actually "generally available" yesterday.<br>
<br>
<a href="https://www.pingidentity.com/about-us/press-release.cfm?customel_datapageid_1516=70050" target="_blank">https://www.pingidentity.com/about-us/press-release.cfm?customel_datapageid_1516=70050</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Thu, Jun 13, 2013 at 10:26 AM, Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">Not Amazon yet. They are waiting for us. Paypal, yes. <br>
<br>
=nat via iPhone<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
Jun 14, 2013 1:19<span style="font-family:"MS Gothic"">、</span>Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>>
<span style="font-family:"MS Gothic"">のメッセージ</span>:<o:p></o:p></p>
</div>
<div>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Yes. Updated below…</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">To:
<a href="mailto:jose-chairs@tools.ietf.org" target="_blank">jose-chairs@tools.ietf.org</a>;
<a href="mailto:oauth-chairs@tools.ietf.org" target="_blank">oauth-chairs@tools.ietf.org</a></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Cc:
<a href="mailto:iesg@ietf.org" target="_blank">iesg@ietf.org</a>; <a href="mailto:draft-ietf-oauth-json-web-token@tools.ietf.org" target="_blank">
draft-ietf-oauth-json-web-token@tools.ietf.org</a>; <a href="mailto:draft-ietf-jose-json-web-encryption@tools.ietf.org" target="_blank">
draft-ietf-jose-json-web-encryption@tools.ietf.org</a></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">Subject: Liaison statement from OpenID Foundation to IETF on JWT and JOSE</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">I’m writing on behalf of the OpenID Connect Working Group, in the OpenID Foundation. We have been
working for three years on specifying this identity-federation protocol. Our specifications have reached stability (what we call “Implementer’s Drafts”) and we anticipate a final vote and approval in the coming months. We’re confident approval will be forthcoming
since OpenID Connect is already in production at Google and Amazon, a product has been announced by Ping Identity, a JWT product has shipped from Microsoft, and we expect numerous OpenID Connect and JWT deployments in the coming months.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">Our work is dependent on the JSON Web Token (JWT) and the JSON Object Signing and Encryption (JOSE)
specifications, products of the IETF OAuth and JOSE working groups. JWTs have been stable for some time, and code to parse and validate them is widely available in libraries for popular programming languages. However, progress towards an RFC in JOSE seems
slow, which is holding up the JWT RFC in OAuth, and we do not have a clear feeling when this work is likely to complete. As chartered, the JOSE documents were to have gone to working group last call a year ago and this still has not happened.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">Unfortunately, it’s not practical for our membership to wait indefinitely, and thus our most likely
course of action will be to take dependencies on draft-ietf-oauth-json-web-token-08 and the -11 versions of the JOSE specifications or subsequent versions that are compatible with them when the time comes to publish our final specifications. It would obviously
be preferable for the JWT and JOSE RFCs to be completed in a timely fashion instead.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">We bring this to your attention simply because if some other organization were planning to lock in
a dependency on one of our earlier drafts, we’d like to hear about it.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">-- Tim Bray for the OpenID Connect Working Group and the OpenID Foundation</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Brian Campbell [<a href="mailto:bcampbell@pingidentity.com" target="_blank">mailto:bcampbell@pingidentity.com</a>]
<br>
<b>Sent:</b> Thursday, June 13, 2013 9:13 AM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> Tim Bray; <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
<b>Subject:</b> Re: [Openid-specs-ab] Draft note to IETF</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">"<span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">were have gone" -> "were to have gone" ... ?</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On Thu, Jun 13, 2013 at 9:30 AM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Tim – a slightly revised note follows. The working group agreed for you to circulate it privately
to insiders for feedback. We also need to run this by the board before formally sending it, since it’s speaking on behalf of the foundation. If you can let us know what kinds of informal feedback you receive, that would be great.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> -- Mike</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">To:
<a href="mailto:jose-chairs@tools.ietf.org" target="_blank">jose-chairs@tools.ietf.org</a>;
<a href="mailto:oauth-chairs@tools.ietf.org" target="_blank">oauth-chairs@tools.ietf.org</a></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Cc:
<a href="mailto:iesg@ietf.org" target="_blank">iesg@ietf.org</a>; <a href="mailto:draft-ietf-oauth-json-web-token@tools.ietf.org" target="_blank">
draft-ietf-oauth-json-web-token@tools.ietf.org</a>; <a href="mailto:draft-ietf-jose-json-web-encryption@tools.ietf.org" target="_blank">
draft-ietf-jose-json-web-encryption@tools.ietf.org</a></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">Subject: Liaison statement from OpenID Foundation to IETF on JWT and JOSE</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">I’m writing on behalf of the OpenID Connect Working Group, in the OpenID Foundation. We have been
working for three years on specifying this identity-federation protocol. Our specifications have reached stability (what we call “Implementer’s Drafts”) and we anticipate a final vote and approval in the coming months. We’re confident approval will be forthcoming
since OpenID Connect is already in production at Google, a product has been announced by Ping Identity, a JWT product has shipped from Microsoft, and we expect numerous OpenID Connect and JWT deployments in the coming months.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">Our work is dependent on the JSON Web Token (JWT) and the JSON Object Signing and Encryption (JOSE)
specifications, products of the IETF OAuth and JOSE working groups. JWTs have been stable for some time, and code to parse and validate them is widely available in libraries for popular programming languages. However, progress towards an RFC in JOSE seems
slow, which is holding up the JWT RFC in OAuth, and we do not have a clear feeling when this work is likely to complete. As chartered, the JOSE documents were have gone to working group last call a year ago and this still has not happened.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">Unfortunately, it’s not practical for our membership to wait indefinitely, and thus our most likely
course of action will be to take dependencies on draft-ietf-oauth-json-web-token-08 and the -11 versions of the JOSE specifications or subsequent versions that are compatible with them when the time comes to publish our final specifications. It would obviously
be preferable for the JWT and JOSE RFCs to be completed in a timely fashion instead.</span><o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">We bring this to your attention simply because if some other organization were planning to lock in
a dependency on one of our earlier drafts, we’d like to hear about it.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span><o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">-- Tim Bray for the OpenID Connect Working Group and the OpenID Foundation</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Brian Campbell<br>
<b>Sent:</b> Thursday, June 13, 2013 6:30 AM<br>
<b>To:</b> Tim Bray<br>
<b>Cc:</b> <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
<b>Subject:</b> Re: [Openid-specs-ab] Draft note to IETF</span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt">While somewhat esoteric, it's probably important in this context to be accurate about the various documents and the WGs that are responsible for them.<o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt">Though JWT does depend heavily on JOSE work, it itself isn't a JOSE WG item. Rather it is a product of the OAUTH WG<span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">
and, as such, asking the JOSE WG to do anything with JWT doesn't make a lot of sense.</span><o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">The broader issue remains though and I support the Connect group providing some encouragement to the
IETF towards progressing the dependencies. But we probably need to acknowledge that even within the IETF the document and WG relationships are somewhat complicated by dependencies.</span><o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"> <o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On Wed, Jun 12, 2013 at 3:00 PM, Tim Bray <<a href="mailto:tbray@textuality.com" target="_blank">tbray@textuality.com</a>> wrote:<o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">This should go to the JOSE WG chair, the ADs for that area, and the IESG</span><o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">I’m writing on behalf of the OpenID Connect Working Group, in the OpenID Foundation. We have been
working for <insert-time-period> on specifying this identity-federation protocol. Our specifications have reached stability (what we call “implementor’s draft”) and we anticipate a final vote and approval in the coming months. We’re confident approval will
be forthcoming since OIDC is already in production at Google, <insert-other-deployments> and we expect deployments at <insert-other-predictions>.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">Our work is dependent on JWT, a product of the IETF “jose” working group. JWTs have been stable for
some time, and code to parse and validate them is widely available in libraries for popular programming languages. However, progress towards an RFC in jose seems slow, and we do not have a feeling when this work is likely to stabilize.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">Unfortunately, it’s not practical for our membership to wait, and thus our most likely course of action
will be to take a dependency on draft-ietf-oauth-json-web-token-08 when the time comes to publish our specification. </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">We bring this to your attention simply because if some other organization were planning to lock in
a dependency on one of our earlier drafts, we’d like to hear about it. </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">[I’m going to unofficially run this by some of my IETF-insider contacts, but thought I should sanity-check
the content here first]</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p>
</div>
</blockquote>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p>
</div>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Openid-specs-ab mailing list<o:p></o:p></pre>
<pre><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><o:p></o:p></pre>
<pre><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><span class="hoenzb"><span style="color:#888888">-- </span></span><span style="color:#888888"><br>
<span class="hoenzb">Nat Sakimura (=nat) <o:p></o:p></span></span></p>
<div>
<p class="MsoNormal"><span style="color:#888888">Chairman, OpenID Foundation<br>
<a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>