<div dir="ltr"><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Date: 20141026</div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Time: 0900-1130</div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Location: Googleplex 1950</div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)"><br clear="none"></div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Attending</div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">=========</div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Nat Sakimura,</div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Emily Xu, </div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Bill Welch, </div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Marius Scurtescu, 
</div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Michael Dietz, </div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">David Waite, </div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">David Chase, </div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">William Denniss, </div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Peter Huang, </div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Naveen Agarwal,   </div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">George Fletcher,  </div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Ashish Jain,  </div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)"><br clear="none"></div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Topics</div><div 
style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">============</div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Problem of a bad app registering the same scheme as TA was discussed. </div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Naveen pointed out that it is easier to phish the user by having an embedded browser and asking username and password, so the TA being impersonated is not a significant risk. </div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)"><br clear="none"></div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">In iOS, TA running in a browser may be safer than an app. </div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">New API opened app does not make it possible to detect who is the calling app so it is not usable for our purpose. 
</div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)"><br clear="none"></div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Native Token Agent should be a per-instance confidential client, with OOB confidential credential. </div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)"><br clear="none"></div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Advantage of using TA is to obtain the info about the calling app. </div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)"><br></div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Different approach needed for platforms. 
</div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)"><br></div><table style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)"><tr><th style="text-align:left;padding-right:2em">iOS</th><th style="text-align:left">Android</th></tr><tr><td style="padding-right:2em">code</td><td>AT</td></tr><tr><td style="padding-right:2em">id_token</td><td>id_token</td></tr><tr><td style="padding-right:2em">3rd Party code (for server)</td><td>ditto</td></tr></table><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)"><br></div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Basic setup would return code, id_token, 3rd Party code. 
</div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">With additional condition met, it could return AT. </div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)"><br></div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Airwatch example discussed: it is intra-app communication. </div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)"><br></div><ul style="margin:0.2857em 0px 0.714285em 2em;padding:0px;border:0px;line-height:1.571428em;list-style-position:outside;color:rgb(55,55,55);font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px"><li style="margin:0px;padding:0px;border:0px;line-height:1.571428em">Browser way</li><li style="margin:0px;padding:0px;border:0px;line-height:1.571428em">iOS Native App way</li><li style="margin:0px;padding:0px;border:0px;line-height:1.571428em">Android Native App way<br></li></ul><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Some extension to response of OpenID Connect perhaps. </div><div style="margin:0px;padding:0px;border:0px;line-height:1.571428em;font-family:gotham,Helvetica,Arial,'Droid Sans',sans-serif;font-size:14.3999996185303px;color:rgb(55,55,55)">Google does check the registration of custom scheme against existing protocols and other schemes. 
</div><div><br></div>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div>
</div>