<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Arial">6 pm EST<br>
<br>
Attending<br>
<br>
Thomas Debenning, John Bradley, Paul Madsen, Mike Gile, Darren
Platt, Morteza Ansari, Ashish Jain <br>
<br>
Discussion<br>
<br>
Any outstanding issues from last call?<br>
<br>
Thomas has done some preliminary work on all 3 platforms - Windows,
iOS, &amp; Android<br>
<br>
Mike Varley sent an email with some privacy recommendations -
everybody should read &amp; review. <br>
<br>
Thomas has a question about revocation: a revocation message from
the AS to the TA?<br>
<br>
Morteza asks 'why would this be necessary, could it not be handled
by the general OAuth token revocation mechanisms?'<br>
<br>
John 'we should specify what should happen about the client
behaviour as to what happens when a token is revoked'<br>
<br>
Thomas - another question is 'the spec allows for immediate
delivery of tokens to secondary apps'. <br>
<br>
Are there privacy implications - Mike V suggests so.<br>
<br>
Likely the privacy issue is possible correlation<br>
<br>
John will edit spec to ensure that an app can ask for tokens for
multiple tokens.<br>
<br>
Thomas suggests that the current MUST about how a TA delivers a
token to the secondary app is too strong. <br>
<br>
John thinks that the MUST should be a SHOULD.<br>
<br>
Thomas thinks this has implications for how the bindings would
work, e.g. a URL scheme may not guarantee delivery.<br>
<br>
Ashish asks about timelines. Is it relevant to pick a milestone
around RSA time frame?<br>
<br>
Who is attending RSA? Ashish, Mike, Darren.<br>
<br>
John - next relevant milestone would be some sort of interop test.<br>
<br>
Morteza - what about IIW? Aim for some interop.<br>
<br>
Ashish - that implies we freeze the spec at some point in advance
of IIW. Let's work in the near term to do so.<br>
<br>
Meeting closed</font>
</body>
</html>