<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
tt
{mso-style-priority:99;
font-family:"Courier New";}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1201091925;
mso-list-template-ids:1654574832;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">(I’m going to reply to this only on the working group list, since most of the detail isn’t relevant to audiences other than working group members.)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> openid-board-bounces@lists.openid.net [mailto:openid-board-bounces@lists.openid.net]
<b>On Behalf Of </b>Nat Sakimura<br>
<b>Sent:</b> Sunday, October 13, 2013 11:13 AM<br>
<b>To:</b> openid-connect-interop@googlegroups.com<br>
<b>Cc:</b> openid-specs-ab@lists.openid.net; board@openid.net<br>
<b>Subject:</b> Re: [OpenID board] OpenID Connect Specs Nearing Completion<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Thank you very much, Mike. <o:p></o:p></p>
<div>
<p class="MsoNormal">It is a great work. Having said that, <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I have some comments on it. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<ol start="1" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
The terminology section is not assuming the agreed upon structure as in <a href="http://nat.sakimura.org/wp-content/uploads/2013/08/openid-connect-all-1_0.html">http://nat.sakimura.org/wp-content/uploads/2013/08/openid-connect-all-1_0.html</a> [1]. Note that
the order of the terms in [1] is not alphabetical but in the semantic order: i.e., the term that is used in the text appears before it. Also, it is separating out the definition text and the notes. That is adding to the readability of the text greatly. It
is also showing where it came from. <o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
The agreed upon structure is much less deep. It was one of the main consideration in restructuring. It is adding to the ease for grasping the structure. For example, in your version, it is "<a href="http://openid.net/specs/openid-connect-core-1_0-13.html#ImplicitRequestParameters"><span style="font-family:"Verdana","sans-serif";color:#663333">2.2.2.1.1.</span></a><span style="font-family:"Verdana","sans-serif";color:black">
Authorization Request Parameters" while in [1], it is "</span><span style="font-family:"Helvetica","sans-serif";color:#333333">3.1.1. Request Parameters". </span><o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span style="font-family:"Verdana","sans-serif";color:black">As to the order of the request parameters are concerned, I have placed 'scope' at the top since it acts as the switch between OpenID call and pure OAuth call. This would definitely help the user when
writing the code. </span><o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span style="font-family:"Verdana","sans-serif";color:black">For the definition of 'scope', I change the text as follows to make it clear that it is stating about the value. <br>
<br>
REQUIRED. The value MUST contain the </span><tt><span style="font-size:10.0pt;color:#003366">openid</span></tt><span style="font-family:"Verdana","sans-serif";color:black">. This scope value requests ID Token, which is a JWT that includes the Claims about the
End-User Authentication event.<br>
<br>
Your text is: <br>
<br>
REQUIRED. Space delimited, case sensitive list of ASCII OAuth 2.0 scope values. OpenID Connect requests MUST contain the </span><tt><span style="font-size:10.0pt;color:#003366">openid</span></tt><span style="font-family:"Verdana","sans-serif";color:black"> scope
value. Other scope values MAY be present. See Sections </span><a href="http://openid.net/specs/openid-connect-core-1_0-13.html#ScopeClaims"><b><span style="font-family:"Verdana","sans-serif";color:#663333;text-decoration:none">4.1</span></b></a><span style="font-family:"Verdana","sans-serif";color:black"> and </span><a href="http://openid.net/specs/openid-connect-core-1_0-13.html#OfflineAccess"><b><span style="font-family:"Verdana","sans-serif";color:#663333;text-decoration:none">10</span></b></a><span style="font-family:"Verdana","sans-serif";color:black"> for
additional scope values defined by this specification.<br>
</span><br>
Here, at least "Space delimited, case sensitive ... " is superfluous since it is already defined in RFC6749. The former also describes the effect of this scope, while the later does not. <o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
This version still has claims authorization components in 2.1.2.4. <o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
The "4. Claims" is not describing only about what is claims but also how the claims are to be requested and received. That's why [1] is using the chapter name "Claims Framework." I think this title is more appropriate, and has been agreed upon in the WG. <o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span style="color:windowtext">Accordingly, the description about this chapter should also be strengthend. Your version states:
<br>
<br>
</span><span style="font-family:"Verdana","sans-serif""> This section specifies how the Client can obtain Claims about the End-User and defines a
<br>
standard set of basic profile Claims.<br>
<br>
while [1] states:<o:p></o:p></span></li></ol>
<p style="mso-margin-top-alt:5.0pt;margin-right:24.0pt;margin-bottom:5.0pt;margin-left:60.0pt">
<span style="font-family:"Verdana","sans-serif";color:black">This section defines a framework in which the client may obtain the claims about the End User. It can be done through the pre-defined scopes values or through more granular claims parameter. The claims
can come from a single source or distributed sources as well.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:.5in">
<a name="anchor15"></a><span style="font-family:"Verdana","sans-serif";color:black">The later, IMHO, is clearer. </span><o:p></o:p></p>
<ol start="8" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
Again, "4. Claims" is not assuming the order of the agreed upon structure. 4.5 should be moved before 4.2. <o:p></o:p></li></ol>
<div>
<p class="MsoNormal">Regards, <o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Nat<o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">2013/10/13 Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I posted this note at
<a href="http://self-issued.info/?p=1137" target="_blank">http://self-issued.info/?p=1137</a> and on Twitter as @selfissued to raise awareness that the time to do a final review of the OpenID Connect specs is now.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> -- Mike<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b>OpenID Connect Specs Nearing Completion</b><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Based on feedback from developers, the
<a href="http://openid.net/connect/" target="_blank">OpenID Connect</a> working group decided to replace the
<a href="http://openid.net/specs/openid-connect-messages-1_0-20.html" target="_blank">
OpenID Connect Messages</a> and <a href="http://openid.net/specs/openid-connect-standard-1_0-21.html" target="_blank">
OpenID Connect Standard</a> specifications with a new <a href="http://openid.net/specs/openid-connect-core-1_0-13.html" target="_blank">
OpenID Connect Core</a> specification that combines the contents from both of them before finishing OpenID Connect. The content has also been restructured to separate Authentication from other features such as Claims and to have separate Authentication sections
for the different OAuth 2.0 flows. No changes to the protocol were made. The publication of this new spec is another major step towards finishing OpenID Connect.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b>Please review this and the other OpenID Connect specifications in the coming week.</b> While a few local changes will still be made this week to address
<a href="https://bitbucket.org/openid/connect/issues?status=new&status=open&sort=-id" target="_blank">
issues that have been identified</a> since <a href="http://self-issued.info/?p=1095" target="_blank">
the approval of the Implementer’s Drafts</a>, I fully expect that the working group will decide at the
<a href="http://openid-wg-oct-2013.eventbrite.com/" target="_blank">in-person working group meeting</a> just over a week from now that it’s time to publish proposed final specifications.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Thanks to Nat Sakimura for producing a<a href="http://nat.sakimura.org/2013/08/27/refactoring-openid-connect-drafts/" target="_blank"> proof-of-concept document restructuring</a>
that the structure of the current <a href="http://openid.net/specs/openid-connect-core-1_0-13.html" target="_blank">
OpenID Connect Core</a> spec is based upon. And thanks to Torsten Lodderstedt for convincing us that the specs will be clearer by better separating the descriptions of logically distinct features while combining previously separate descriptions of highly interrelated
functionality.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#888888"> <o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span class="hoenzb"><span style="color:#888888">-- </span></span><span style="color:#888888"><br>
<span class="hoenzb">You received this message because you are subscribed to the Google Groups "OpenID Connect Interop" group.</span><br>
<span class="hoenzb">To unsubscribe from this group and stop receiving emails from it, send an email to
<a href="mailto:openid-connect-interop%2Bunsubscribe@googlegroups.com" target="_blank">
openid-connect-interop+unsubscribe@googlegroups.com</a>.</span><br>
<span class="hoenzb">For more options, visit <a href="https://groups.google.com/groups/opt_out" target="_blank">
https://groups.google.com/groups/opt_out</a>.</span></span><o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <br>
Nat Sakimura (=nat)<o:p></o:p></p>
<div>
<p class="MsoNormal">Chairman, OpenID Foundation<br>
<a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en<o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>