<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<base href="x-msg://50/">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.apple-style-span
        {mso-style-name:apple-style-span;}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;}
span.EmailStyle22
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple style='word-wrap: break-word;
-webkit-nbsp-mode: space;-webkit-line-break: after-white-space'>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>John,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>For a while, I was rather reluctant to support checkid_immediate
simply because of the log-off issue. For that to work, then one obviously
had to have some notion of being “logged on” at the OP. So, I
thought about it for a while… and all of the issues you raise are valid.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>What I decided to do (as I described) seemed to be the simplest
approach and that made the most sense to me. I would not, for example, want the
action of logging out of Facebook to log me off of Slashdot. So, I
preferred to go with your option (a).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I clearly had no way to do (b) or (c) anyway, but I would not
want that behavior. With the model I am using, users would have to be
told where to go log off the OP, which is why I made that location the same as
the ID used to log in. That seemed most logical. Still, it does
concern me to some extent that people might forget to go log off and stay
logged into the OP. One can then close the browser and walk away.
Somebody else can come to the browser and type <a href="http://www.facebook.com">www.facebook.com</a>
and they’re automatically logged in (thanks to checkid_immediate).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>So, I’d say the option to remain logged in and to respond
positively to checkid_immediate should be considered carefully. It’s
a nice feature to have if users understand it. It’s just not clear
that they would.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Paul<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> John Bradley
[mailto:john.bradley@wingaa.com] <br>
<b>Sent:</b> Monday, May 24, 2010 12:04 AM<br>
<b>To:</b> Paul E. Jones<br>
<b>Cc:</b> 'Dick Hardt'; 'OpenID Specs Mailing List'<br>
<b>Subject:</b> Re: OpenID v.Next Core Protocol Charter<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>That is a reasonable approach and can be done within the
existing spec by best practices if OPs support checkID immediate. <o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>The problem tends to be the scope of a logout button at the
RP. <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Should that:<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>a) only log the user out of the RP<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>b) The RP + the OP<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>c) The OP + all RP the user is logged into.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>SAML has two methods for c. One uses the front channel with
HTTP redirects. This is unreliable because users tend to close browsers,
and this results in an unpredictable state. The other is to use a back
channel approach where the OP directly messages each RP that the user has
logged out. It works better but is more complicated.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>A better approach would be for session cookies to be easily
identifiable in the browser and give the user a reasonable UI for removing
them.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>That would be protocol independent.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Some RPs are also hesitant to allow a 3rd party that is not
the IdP to initiate the user's logout.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>What if Facebook could send a message logging out users from
Google and Microsoft without the users' consent?<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>SLO has traditionally been part of federations where it is
covered by legal agreements.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>The hardest part is getting the user to understand what is
happening at a logout button. Login is much simpler conceptually.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>I will have a look at your draft.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>My option B may be something that we might want to scope;
however, many large IdPs don't want users to ever log out.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>The complexities in SLO are more to do with user experience
and politics than technology.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>I am OK with taking it on if there is a desire, but it
should not block other progress.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>John B.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<div>
<p class=MsoNormal>On 2010-05-23, at 8:18 PM, Paul E. Jones wrote:<o:p></o:p></p>
</div>
<p class=MsoNormal><br>
<br>
<o:p></o:p></p>
<div>
<div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>John,</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>What I did on my own server is, when I log in, I have a
check-box that asks whether I want to stay logged in all the time. If I
check that box, I return a cookie (over TLS) with a 30-day duration. When
I visit an OpenID-enabled site and enter my ID, I don’t get prompted for
a password. Rather, the browser passes the cookie (again over TLS) and
logs me in automatically. It also updates the TTL on the cookie. In
effect, I stay logged in all the time.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If I visit my OpenID URL, the server sees that I’m logged
in and puts a “log off” button on the page. I can click that
and the browser cookies get deleted and the server deletes the associated data.
This works pretty well as a means of logging off. However, one still has
to remember to log off from each application that might also utilize cookies to
keep you logged in. If web sites only used session cookies with a
relatively short TTL and OPs used cookies like I do, then clicking “log
off” on the user’s OpenID page and then closing the browser should
effectively serve as a log off for all applications.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>It does make use of “cookies” and some people feel
cookies are terribly evil, but for managing session state (i.e., associating
users with browser), it seems to be a fairly reasonable solution –
especially if the cookies are secure. TLS provides that, though we need
something better for HTTP. I wrote a draft for that, but it’s not
moved too far in the IETF (yet):</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><a
href="http://tools.ietf.org/html/draft-salgueiro-secure-state-management">http://tools.ietf.org/html/draft-salgueiro-secure-state-management</a></span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Paul</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
</div>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt;
border-width:initial;border-color:initial'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in;
border-width:initial;border-color:initial'>
<div>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
class=apple-converted-space><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> </span></span><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><a
href="mailto:openid-specs-bounces@lists.openid.net">openid-specs-bounces@lists.openid.net</a><span
class=apple-converted-space> </span>[mailto:openid-specs-bounces@lists.openid.net]<span
class=apple-converted-space> </span><b>On Behalf Of<span
class=apple-converted-space> </span></b>John Bradley<br>
<b>Sent:</b><span class=apple-converted-space> </span>Saturday, May 22,
2010 12:58 PM<br>
<b>To:</b><span class=apple-converted-space> </span>Dick Hardt<br>
<b>Cc:</b><span class=apple-converted-space> </span>OpenID Specs Mailing
List<br>
<b>Subject:</b><span class=apple-converted-space> </span>Re: OpenID v.Next
Core Protocol Charter</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>Single logout is notoriously difficult to get correct.
SAML has never managed it. <o:p></o:p></p>
</div>
<div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal>I support looking at it as an option or extension, but would
not want to hold up the core spec for it.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal>Other protocols have expended large amounts of time on it
without a solution that can be understood by the users properly.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal>John B.<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=MsoNormal>On 2010-05-22, at 8:47 AM, Dick Hardt wrote:<o:p></o:p></p>
</div>
</div>
<div>
<p class=MsoNormal><br>
<br>
<br>
<o:p></o:p></p>
</div>
<div>
<div>
<p class=MsoNormal>Great point Torsten. If there is interest in exploring
single logout, then it likely belongs in this WG.<o:p></o:p></p>
</div>
<div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal>Are others interested in exploring single logout?<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal>-- Dick<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=MsoNormal>On 2010-05-22, at 2:30 AM, Torsten Lodderstedt wrote:<o:p></o:p></p>
</div>
</div>
<div>
<p class=MsoNormal><br>
<br>
<br>
<o:p></o:p></p>
</div>
<div>
<div>
<p class=MsoNormal>Does this or another group consider incorporating some kind
of single logout support into OpenID?<br>
<br>
regards,<br>
Torsten.<br>
<br>
<br>
<br>
<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>At IIW yesterday I held a session on bashing the OpenID
v.Next Core Protocol Charter. Below is the current draft. Comments and/or
questions welcome. Anyone interested in being a fellow proposer please let me
know and I will add you.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>-- Dick<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><b>(a) <span class=apple-converted-space> </span><i><u>Charter</u></i>.</b><o:p></o:p></p>
</div>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(i)</b> <span
class=apple-converted-space> </span><b>WG name:</b> OpenID v.Next
Core Protocol.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(ii)</b> <span
class=apple-converted-space> </span><b>Purpose:</b> Produce a core
protocol specification or family of specifications for OpenID v.Next that
address the limitations and drawbacks present in OpenID 2.0 that limit
OpenID’s applicability, adoption, usability, privacy, and security.
Specific goals are:<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:5.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> <span
class=apple-converted-space> </span></span>define message flows and
verification methods,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:5.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> <span
class=apple-converted-space> </span></span>enable support for controlled
release of attributes,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:5.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> <span
class=apple-converted-space> </span></span>enable aggregation of
attributes from multiple verifiable sources,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:5.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> <span
class=apple-converted-space> </span></span>enable support for a spectrum
of clients, including passive clients per current usage, thin active clients,
and active clients with OP functionality,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:5.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> <span
class=apple-converted-space> </span></span>enable authentication to and
use of attributes by non-browser applications,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:5.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> <span
class=apple-converted-space> </span></span>enable the use of public key
technology to enhance scalability and performance,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:5.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> <span
class=apple-converted-space> </span></span>enable optimized protocol flows
combining authentication, attribute release, and resource authorization,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:5.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> <span
class=apple-converted-space> </span></span>define profiles and support
features intended to enable OpenID to be used at levels of assurance higher
than NIST SP800-63 v2 level 1,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:5.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> <span
class=apple-converted-space> </span></span>define an extension mechanism<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:5.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> <span
class=apple-converted-space> </span></span>ensure the use of OpenID on
mobile devices,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:5.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> <span
class=apple-converted-space> </span></span>ensure the use of OpenID on
existing browsers with URL length restrictions,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:5.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> <span
class=apple-converted-space> </span></span>complement OAuth 2.0<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:5.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> <span
class=apple-converted-space> </span></span>minimize migration effort from
OpenID 2.0<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:5.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> <span
class=apple-converted-space> </span></span>seamlessly integrate with and
complement the other OpenID v.Next specifications.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'>
Compatibility with OpenID 2.0 is an explicit non-goal for this work.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(iii)</b> <span
class=apple-converted-space> </span><b>Scope:</b> Produce a next
generation OpenID core protocol specification or specifications, consistent
with the purpose statement.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(iv)</b> <span
class=apple-converted-space> </span><b>Proposed List of Specifications</b>:
OpenID v.Next Core Protocol and possibly related specifications.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(v)</b> <span
class=apple-converted-space> </span><b>Anticipated audience or users of
the work:</b> Implementers of OpenID Providers, Relying Parties, Active
Clients, and non-browser applications utilizing OpenID.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(vi)</b> <span
class=apple-converted-space> </span><b>Language in which the WG will
conduct business</b>: English.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(vii)</b> <span
class=apple-converted-space> </span><b>Method of work: <span
class=apple-converted-space> </span></b>E-mail discussions on the working
group mailing list, working group conference calls, and face-to-face meetings
at the Internet Identity Workshop and OpenID summits.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(viii)</b> <span
class=apple-converted-space> </span><b>Basis for determining when the work
of the WG is completed:</b> Work will not be deemed to be complete until
there is a consensus that the resulting protocol specification or family of
specifications fulfills the working group goals. Additional proposed
changes beyond that initial consensus will be evaluated on the basis of whether
they increase or decrease consensus within the working group. The work
will be completed once it is apparent that maximal consensus on the draft has
been achieved, consistent with the purpose and scope.<o:p></o:p></p>
<div>
<p class=MsoNormal><b>(b) <span class=apple-converted-space> </span><i><u>Background
Information</u></i>.</b><o:p></o:p></p>
</div>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(i)</b> <span
class=apple-converted-space> </span><b>Related work being done in other
WGs or organizations</b>: OpenID Authentication 2.0 and related
specifications, including Attribute Exchange (AX), Contract Exchange (CX),
Provider Authentication Policy Extension (PAPE), and the draft User Interface
(UI) Extension. OAuth, OAuth WRAP, and OAuth 2.0. OpenID Connect
proposal. SAML 2.0 Core and SAML Authn Context.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(ii)</b> <span
class=apple-converted-space> </span><b>Proposers:</b><o:p></o:p></p>
<div style='margin-left:.5in'>
<p class=MsoNormal>Dick Hardt,<span class=apple-converted-space> </span><a
href="mailto:dick.hardt@gmail.com">dick.hardt@gmail.com</a><span
class=apple-converted-space> </span>(chair)<o:p></o:p></p>
</div>
<div style='margin-left:.5in'>
<p class=MsoNormal>Michael B. Jones,<span class=apple-converted-space> </span><a
href="mailto:mbj@microsoft.com">mbj@microsoft.com</a><o:p></o:p></p>
</div>
<div style='margin-left:.5in'>
<p class=MsoNormal>Breno de Medeiros,<span class=apple-converted-space> </span><a
href="mailto:breno@google.com">breno@google.com</a><o:p></o:p></p>
</div>
<div style='margin-left:.5in'>
<p class=MsoNormal>Ashish Jain,<span class=apple-converted-space> </span><a
href="mailto:Ashish.Jain@paypal.com">Ashish.Jain@paypal.com</a><o:p></o:p></p>
</div>
<div style='margin-left:.5in'>
<p class=MsoNormal>George Fletcher,<span class=apple-converted-space> </span><a
href="mailto:gffletch@aol.com">gffletch@aol.com</a><o:p></o:p></p>
</div>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b> (iii)</b> <span
class=apple-converted-space> </span><b>Anticipated Contributions</b>:
None.<o:p></o:p></p>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<pre> <o:p></o:p></pre><pre>_______________________________________________<o:p></o:p></pre><pre>specs mailing list<o:p></o:p></pre><pre><a
href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><o:p></o:p></pre><pre><a
href="http://lists.openid.net/mailman/listinfo/openid-specs">http://lists.openid.net/mailman/listinfo/openid-specs</a><o:p></o:p></pre><pre> <o:p></o:p></pre>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</div>
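<p class=MsoNormal>Added example, not part of the original thread and not code from any participant's server: a sketch of OP-side session handling for the model discussed above (a 30-day cookie sent over TLS, its TTL refreshed on use, log-off deleting the server-side data), plus one assumed mitigation for the walk-away concern, where checkid_immediate is answered positively only within an idle window and otherwise gets setup_needed. The class names, the cookie name op_session and the 15-minute idle limit are assumptions, and the response dictionaries are simplified (a real id_res carries signed fields).</p>
<pre>
```python
"""Illustrative OP session handling for checkid_immediate (not from the thread)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

PERSISTENT_TTL = 30 * 24 * 3600  # 30-day "stay logged in" cookie, as described in the thread
IDLE_LIMIT = 15 * 60             # assumed policy value: silent approval only if recently active


@dataclass
class OPSession:
    identifier: str     # OpenID identifier the user authenticated as
    expires_at: float   # absolute expiry, refreshed on each silent approval
    last_active: float  # last time the OP saw this session used


class OPSessionStore:
    """Hypothetical server-side session table keyed by an opaque cookie value."""

    def __init__(self) -> None:
        self._sessions: Dict[str, OPSession] = {}

    def login(self, identifier: str, now: float) -> str:
        # Called after interactive authentication with "stay logged in" ticked.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = OPSession(identifier, now + PERSISTENT_TTL, now)
        return token

    @staticmethod
    def cookie_header(token: str) -> str:
        # Secure keeps the cookie on TLS only; HttpOnly hides it from page scripts.
        return (f"Set-Cookie: op_session={token}; Max-Age={PERSISTENT_TTL}; "
                "Secure; HttpOnly; Path=/")

    def logoff(self, token: str) -> bool:
        # Deleting the server-side record makes a retained cookie worthless.
        return self._sessions.pop(token, None) is not None

    def checkid_immediate(self, token: Optional[str], claimed_id: str,
                          now: float) -> Dict[str, str]:
        # OpenID 2.0 negative reply to an immediate request: the RP must fall
        # back to checkid_setup, where the OP can prompt the user.
        negative = {"openid.mode": "setup_needed"}
        session = self._sessions.get(token) if token else None
        if session is None:
            return negative
        if now >= session.expires_at:
            del self._sessions[token]
            return negative
        if session.identifier != claimed_id:
            return negative
        if now - session.last_active > IDLE_LIMIT:
            # Unattended browser case: the session still exists, but the OP
            # refuses to assert identity without user interaction.
            return negative
        session.last_active = now
        session.expires_at = now + PERSISTENT_TTL  # sliding TTL, as in the thread
        return {"openid.mode": "id_res", "openid.claimed_id": claimed_id}
```
</pre>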
</body>
</html>