<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
yes<br>
<br>
<div class="moz-cite-prefix">On 15.09.2013 20:06, Nat
Sakimura wrote:<br>
</div>
<blockquote
cite="mid:E8269BCE-E8E5-4E09-AE91-B33CD311C6EE@gmail.com"
type="cite">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div>Hi Torsten, </div>
<div><br>
</div>
<div>By section 7 and 8 for monolithic version, do you mean
request by JSON and self issued? <br>
<br>
=nat via iPhone</div>
<div><br>
On Sep 16, 2013 2:52, Torsten Lodderstedt <<a
moz-do-not-send="true" href="mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<meta content="text/html; charset=UTF-8"
http-equiv="Content-Type">
Hi all,<br>
<br>
I've got some feedback on the refactored specs.<br>
<br>
modular version: <br>
In my opinion, part 6 shouldn't stay as a separate document
because the topics covered there are required for particular
modules. For example, "OpenID Connect – Part 2: Authentication
Implicit" needs text on signature validation. Right now, it
only describes validation of the at_hash. Understanding
signature validation will also require text on signatures in
general, which can be currently found in part 6/section 4. <br>
I therefore suggest mixing the contents of part 6 into the
respective functional documents. If part 1 is getting THE base
spec, sections 3, 6, and 7 and parts of 8 should go into this
document. Section 11 could be moved to another document,
probably covering profiles as well. <br>
<br>
The monolithic version is really big (62 pages in A4)! If we
decide to go for this version, I would suggest to move
sections 7 and 8 into another document.<br>
<br>
regards,<br>
Torsten. <br>
<br>
<div class="moz-cite-prefix">On 12.09.2013 20:16, Edmund
Jay wrote:<br>
</div>
<blockquote
cite="mid:1379009819.56430.YahooMailNeo@web184402.mail.bf1.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff;
font-family:tahoma, new york, times, serif;font-size:10pt">
<div>Spec Call notes 12-Sep-2013<br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">Attendees</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
Nat Sakimura</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
Brian Campbell</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
George Fletcher</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
Justin Richer</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
Roland Hedberg</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
John Bradley</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
Edmund Jay</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">Agenda</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
Spec Refactoring</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
Planning for Final Draft</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
New Issues</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
Unsolicited authentication flow using ID Tokens</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">Spec
Refactoring</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
Some members prefer the monolithic version with all
components in one place. Reference lookups are easier.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
Monolithic version may be too long with too many
features, but it may be solved by having a separate </div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
authentication document and keeping the monolithic
document as the full version.<span
style="background-color: transparent; "> </span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
It has a perception problem of being overly complex.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "> A
version with chapters/partitions may alleviate the
perception.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
The spec needs a roadmap/guide for specific features.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
Different profiles for OpenID Connect can be produced
once a definitive normative spec is finalized. Current
specs</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
have a synchronization problem.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
The sentiment of the group seems to be in favor of the
monolithic spec.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
Nat asked whether the current ordering of the code flow
and implicit in the monolithic version should be
switched.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
The group decided to keep the current order of code flow
before implicit flow.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "> </div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; "> People
should review the refactored specs at <a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://nat.sakimura.org/2013/08/27/refactoring-openid-connect-drafts/">http://nat.sakimura.org/2013/08/27/refactoring-openid-connect-drafts/</a></span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; "> Nat will add
the refactored version to Bitbucket and add it to the
issue tracker for reported problems.</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; "><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; "><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; "><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; ">Planning for
the Final Draft</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; "> There is not
much time if the group is planning to finalize the
spec by the end of December.</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; "> Roland,
Justin, John have volunteered to do detailed review.</span><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; "> Even though
JWS/JWE hasn't been finalized, there should not be
normative impact on the specs.</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; "><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; "><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; ">New Issues</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; "> #870
- Standard 3.2.1. Refresh Token Response - return of
id_token prohibited, conflicts with Messages 2.2.3</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; "> It has
been decided that an ID Token can be returned from the
token endpoint for grant types other than </span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; ">
authorization_code </span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; "> This is
part of the synchronization problem between current
specs.</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; "> It's
decided that normative fixes to the current specs will
continue in parallel with the new refactored specs.</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; "><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; "><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; ">Unsolicited
Authentication Flow using ID Token</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
Zendesk/Salesforce and others are starting to use ID
Token for IdP initiated SSO for parties with
pre-established</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
relationships. Some security requirements may be
skipped because they may be mitigated by out of band
means.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
The current specs do not allow this. ID Tokens must
include a nonce if the ID Token is returned in the front</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
channel. The nonce requirement can be softened by changing it
to a SHOULD and including some extra security
considerations.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
Current specs are focused on a request and response
protocol. They do not specify responses in cases where
there are no requests.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
Justin/George feel that this is not OAuth anymore. It
should start with OAuth as the base with other protocols
built on top of it.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
OpenID Connect should not change to accommodate
foreign (SAML) concepts.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
We should have a separate document that details how to
perform authentication with ID Tokens but is not part of
OpenID Connect.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
John will post to the list with this decision.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; ">
Will also need to develop a response to the question of
why others are using this alternative IdP initiated
login instead of OpenID Connect itself.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; "><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; "><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px;
font-family: tahoma, 'new york', times, serif;
background-color: transparent; font-style: normal; "><span
style="background-color: transparent; "><br>
</span></div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
<br>
</div>
</blockquote>
</blockquote>
<br>
</body>
</html>