<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Arial">Hi Tony, not sure I understand your point.<br>
      <br>
      Are you saying that we (the proposers of the new WG) *technically*
      needn't account for feedback such as Torsten's in this review
      cycle?<br>
      <br>
      Paul<br>
      <br>
    </font>
    <div class="moz-cite-prefix">On 7/2/13 1:03 PM, Anthony Nadalin
      wrote:<br>
    </div>
    <blockquote
cite="mid:e0ba0360ae0d4401a7559c81b992859a@BY2PR03MB189.namprd03.prod.outlook.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Since
            this is slated to be an OpenID WG, it's what the WG wants to
            do.<o:p></o:p></span></p>
        <p class="MsoNormal"><a moz-do-not-send="true"
            name="_MailEndCompose"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></a></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext">
                <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-bounces@lists.openid.net">openid-specs-bounces@lists.openid.net</a>
                [<a class="moz-txt-link-freetext" href="mailto:openid-specs-bounces@lists.openid.net">mailto:openid-specs-bounces@lists.openid.net</a>]
                <b>On Behalf Of </b>Torsten Lodderstedt<br>
                <b>Sent:</b> Tuesday, July 2, 2013 9:53 AM<br>
                <b>To:</b> Paul Madsen<br>
                <b>Cc:</b> John Bradley; <a class="moz-txt-link-abbreviated" href="mailto:ashishjain@vmware.com">ashishjain@vmware.com</a>;
                <a class="moz-txt-link-abbreviated" href="mailto:openid-specs@lists.openid.net">openid-specs@lists.openid.net</a><br>
                <b>Subject:</b> Re: Native application SSO Working Group<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal" style="margin-bottom:12.0pt">Hi Paul,<br>
          <br>
          got it :-) Would it make sense to add this assumption to the
          charter? <br>
          <br>
          Does this mean:<br>
          - a single AZA manages access to multiple authz servers?<br>
          - an app needs to be able to register its authz server/idp at
          the AZA?<br>
          <br>
          Thanks,<br>
          Torsten.<o:p></o:p></p>
        <div>
          <p class="MsoNormal"><br>
            <br>
            Paul Madsen <<a moz-do-not-send="true"
              href="mailto:pmadsen@pingidentity.com">pmadsen@pingidentity.com</a>>
            wrote:<o:p></o:p></p>
          <blockquote style="border:none;border-left:solid #CCCCCC
            1.0pt;padding:0in 0in 0in
            6.0pt;margin-left:4.8pt;margin-right:0in">
            <p class="MsoNormal" style="margin-bottom:12.0pt"><span
                style="font-family:"Arial","sans-serif"">Hi
                Torsten, wrt the possibility of an id_token being used
                against a 'home' IdP, the current model is that it would
              be the AZA that would perform this exchange</span>, not
              the native app itself. This is because the overarching
              assumption is that the AZA should do as much of the
              heavy lifting as possible and thereby simplify life for
              the native apps.<br>
              <br>
              But that is separate, I think, from the use case of a
              native app wanting to consume an id_token directly (for
              access control, customization etc.) and so I will look at
              the charter to make sure this scenario is supported.<br>
              <br>
              paul<br>
              <br>
              <o:p></o:p></p>
            <div>
              <p class="MsoNormal">On 7/2/13 11:31 AM, Torsten
                Lodderstedt wrote:<o:p></o:p></p>
            </div>
            <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
              <p class="MsoNormal" style="margin-bottom:12.0pt">Hi,<br>
                <br>
                I agree with Nat on this use case. Another one is that
                the app wants to use the id_token as credential on its
                "home" IDP (probably via JWT bearer token profile). This
                is more or less 3rd party login for apps.<br>
                <br>
                regards,<br>
                Torsten.<o:p></o:p></p>
              <div>
                <p class="MsoNormal"><br>
                  <br>
                  Nat Sakimura <a moz-do-not-send="true"
                    href="mailto:sakimura@gmail.com"><sakimura@gmail.com></a>
                  wrote:
                  <o:p></o:p></p>
                <blockquote style="border:none;border-left:solid #CCCCCC
                  1.0pt;padding:0in 0in 0in
                  6.0pt;margin-left:4.8pt;margin-right:0in">
                  <div>
                    <p class="MsoNormal">Yes. If the app wants the
                      identity information to evaluate its own access
                      control, then it would probably want to know about
                      the user identity (i.e., set of attributes related
                      to the entity), and id_token is the right thing. 
                      <o:p></o:p></p>
                    <div>
                      <p class="MsoNormal"><o:p> </o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">When I was talking to some
                        law enforcement people in EU, they were talking
                        similar things. Right now, we do not have any
                        location data defined in the claims, but we may
                        also want to do so in such cases. <o:p></o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><o:p> </o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">Nat<o:p></o:p></p>
                    </div>
                  </div>
                  <div>
                    <p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
                    <div>
                      <p class="MsoNormal">2013/7/3 Paul Madsen <<a
                          moz-do-not-send="true"
                          href="mailto:paulmadsen@rogers.com"
                          target="_blank">paulmadsen@rogers.com</a>><o:p></o:p></p>
                      <blockquote style="border:none;border-left:solid
                        #CCCCCC 1.0pt;padding:0in 0in 0in
                        6.0pt;margin-left:4.8pt;margin-right:0in">
                        <div>
                          <p class="MsoNormal"><span
                              style="font-family:"Arial","sans-serif"">Hi
                              Nat, the current AZA model does not
                              preclude an access token being formatted
                              as an id_token.<br>
                              <br>
                              I believe Torsten was conjecturing that
                              there was potential value in an id_token
                              being delivered to a native app in
                              addition to an access token (whether
                              formatted as id_token or not)<br>
                              <br>
                              Regards</span><span
style="font-family:"Arial","sans-serif";color:#888888"><br>
                              <br>
                              <span class="hoenzb">paul</span><br>
                              <span class="hoenzb"> </span></span> <o:p></o:p></p>
                          <div>
                            <div>
                              <p class="MsoNormal"><o:p> </o:p></p>
                              <div>
                                <p class="MsoNormal">On 7/2/13 10:53 AM,
                                  Nat Sakimura wrote:<o:p></o:p></p>
                              </div>
                              <blockquote
                                style="margin-top:5.0pt;margin-bottom:5.0pt">
                                <div>
                                  <p class="MsoNormal">I actually do see
                                    some utility in the access token in
                                    the format of ID Token. 
                                    <o:p></o:p></p>
                                  <div>
                                    <p class="MsoNormal">It can give
                                      appropriate audience restriction
                                      etc. <o:p></o:p></p>
                                  </div>
                                </div>
                                <div>
                                  <p class="MsoNormal"
                                    style="margin-bottom:12.0pt"><o:p> </o:p></p>
                                  <div>
                                    <p class="MsoNormal">2013/7/2 Paul
                                      Madsen <<a
                                        moz-do-not-send="true"
                                        href="mailto:paulmadsen@rogers.com"
                                        target="_blank">paulmadsen@rogers.com</a>><o:p></o:p></p>
                                    <blockquote
                                      style="border:none;border-left:solid
                                      #CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-right:0in">
                                      <div>
                                        <p class="MsoNormal"
                                          style="margin-bottom:12.0pt"><span
style="font-family:"Arial","sans-serif"">Hi Torsten,
                                            the current model is that
                                            the Authorization Agent
                                            (AZA) may itself obtain an
                                            id_token and use it to
                                            obtain an access token, but
                                            that only access tokens
                                            would be 'handed over' by
                                            the AZA to its constituent
                                            native apps.<br>
                                            <br>
                                            Are you proposing that there
                                            may be value in allowing the
                                            AZA to also hand over
                                            id_tokens (suitably
                                            targeted) as well?<br>
                                            <br>
                                            paul</span><o:p></o:p></p>
                                        <div>
                                          <div>
                                            <div>
                                              <p class="MsoNormal">On
                                                7/1/13 1:38 PM, Torsten
                                                Lodderstedt wrote:<o:p></o:p></p>
                                            </div>
                                          </div>
                                        </div>
                                        <blockquote
                                          style="margin-top:5.0pt;margin-bottom:5.0pt">
                                          <div>
                                            <div>
                                              <p class="MsoNormal">Hi
                                                John,<br>
                                                <br>
                                                I interpreted the text
                                                of the charter the other
                                                way around, so a client
                                                would be able to use
                                                an(y) id_token (as a
                                                credential) to obtain an
                                                access token. I'm fine
                                                if the mechanism is
                                                intended to support
                                                id_token issuance.<br>
                                                <br>
                                                regards,<br>
                                                Torsten.<br>
                                                <br>
                                                 On 01.07.2013 15:06,
                                                 John Bradley wrote:<br>
                                                <br>
                                                <o:p></o:p></p>
                                              <blockquote
                                                style="margin-top:5.0pt;margin-bottom:5.0pt">
                                                <p class="MsoNormal">Hi
                                                  Torsten, <o:p></o:p></p>
                                                <div>
                                                  <p class="MsoNormal"><o:p> </o:p></p>
                                                </div>
                                                <div>
                                                  <p class="MsoNormal">In
                                                    point 3 the charter
                                                    talks about using
                                                    id_tokens to get
                                                    access tokens.<o:p></o:p></p>
                                                </div>
                                                <div>
                                                  <p class="MsoNormal"><o:p> </o:p></p>
                                                </div>
                                                <div>
                                                  <p class="MsoNormal">So
                                                    it is imagined that
                                                    the mechanism would
                                                    issue id_tokens
                                                    likely along the
                                                    lines that Google is
                                                    doing for the play
                                                    store by having a
                                                    3rd party as an
                                                    audience and using
                                                    "azp" to indicate
                                                    the client the token
                                                    was issued to.   We
                                                    don't want to be too
                                                    specific on the
                                                    solution in the
                                                    charter.<o:p></o:p></p>
                                                </div>
                                                <div>
                                                  <p class="MsoNormal"><o:p> </o:p></p>
                                                </div>
                                                <div>
                                                  <p class="MsoNormal">If
                                                    you think something
                                                    needs to be added
                                                    let me know.<o:p></o:p></p>
                                                </div>
                                                <div>
                                                  <p class="MsoNormal"><o:p> </o:p></p>
                                                </div>
                                                <div>
                                                  <p class="MsoNormal">John
                                                    B.<o:p></o:p></p>
                                                </div>
                                                <div>
                                                  <p class="MsoNormal"><o:p> </o:p></p>
                                                </div>
                                                <div>
                                                  <div>
                                                    <div>
                                                      <p
                                                        class="MsoNormal">On
                                                        2013-07-01, at
                                                        2:17 AM, Torsten
                                                        Lodderstedt <<a
moz-do-not-send="true" href="mailto:torsten@lodderstedt.net"
                                                          target="_blank">torsten@lodderstedt.net</a>>
                                                        wrote:<o:p></o:p></p>
                                                    </div>
                                                    <p class="MsoNormal"><br>
                                                      <br>
                                                      <o:p></o:p></p>
                                                    <blockquote
                                                      style="margin-top:5.0pt;margin-bottom:5.0pt">
                                                      <p
                                                        class="MsoNormal"
style="margin-bottom:12.0pt">Hi,<br>
                                                        <br>
                                                        it would be
                                                        great to have
                                                        such a mechanism
                                                        across
                                                        platforms!<br>
                                                        <br>
                                                        I'm wondering
                                                        whether the
                                                        mechanism should
                                                        issue id tokens
                                                        as well. Right
                                                        now it seems to
                                                        focus on access
                                                        tokens.<br>
                                                        <br>
                                                        Regards,<br>
                                                        Torsten.<o:p></o:p></p>
                                                      <div>
                                                        <p
                                                          class="MsoNormal"><br>
                                                          <br>
                                                          John Bradley
                                                          <<a
                                                          moz-do-not-send="true"
href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>>
                                                           wrote:
                                                          <o:p></o:p></p>
                                                        <blockquote
                                                          style="border:none;border-left:solid
                                                          #CCCCCC
                                                          1.0pt;padding:0in
                                                          0in 0in
                                                          6.0pt;margin-left:4.8pt;margin-right:0in">
                                                          <pre style="white-space:pre-wrap;word-wrap:break-word"><span style="font-family:"Arial","sans-serif"">The enclosed Work Group Charter is being sent to the Specs Council for review in anticipation of chartering the Group.<o:p></o:p></span></pre>
                                                          <pre><span style="font-family:"Arial","sans-serif""><o:p> </o:p></span></pre>
                                                           <pre><span style="font-family:"Arial","sans-serif"">It is best to have this activity under the foundation IPR as soon as possible.<o:p></o:p></span></pre>
                                                          <pre><span style="font-family:"Arial","sans-serif""><o:p> </o:p></span></pre>
                                                          <pre><span style="font-family:"Arial","sans-serif"">Regards<o:p></o:p></span></pre>
                                                          <pre><span style="font-family:"Arial","sans-serif"">John B.<o:p></o:p></span></pre>
                                                          <pre><span style="font-family:"Arial","sans-serif""><o:p> </o:p></span></pre>
                                                          <pre><span style="font-family:"Arial","sans-serif""><o:p> </o:p></span></pre>
                                                          <div
                                                          style="border:none;border-bottom:solid
                                                          black
                                                          1.0pt;padding:0in
                                                          0in 0in
                                                          0in;margin-top:30.0pt;margin-bottom:12.0pt">
                                                          <p
                                                          class="MsoNormal"><o:p> </o:p></p>
                                                          </div>
                                                          <pre style="text-align:center;white-space:pre-wrap;word-wrap:break-word"><span style="font-family:"Arial","sans-serif""><hr align="center" size="2" width="100%"></span></pre>
                                                          <pre><span style="font-family:"Arial","sans-serif""><o:p> </o:p></span></pre>
                                                          <pre><span style="font-family:"Arial","sans-serif"">specs mailing list<o:p></o:p></span></pre>
                                                          <pre><span style="font-family:"Arial","sans-serif""><a moz-do-not-send="true" href="mailto:specs@lists.openid.net" target="_blank">specs@lists.openid.net</a><o:p></o:p></span></pre>
                                                          <pre><span style="font-family:"Arial","sans-serif""><a moz-do-not-send="true" href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><o:p></o:p></span></pre>
                                                        </blockquote>
                                                      </div>
                                                    </blockquote>
                                                  </div>
                                                  <p class="MsoNormal"><o:p> </o:p></p>
                                                </div>
                                              </blockquote>
                                              <p class="MsoNormal"><br>
                                                <br>
                                                <br>
                                                <o:p></o:p></p>
                                            </div>
                                          </div>
                                        </blockquote>
                                        <p class="MsoNormal"><o:p> </o:p></p>
                                      </div>
                                    </blockquote>
                                  </div>
                                  <p class="MsoNormal"><br>
                                    <br clear="all">
                                    <o:p></o:p></p>
                                  <div>
                                    <p class="MsoNormal"><o:p> </o:p></p>
                                  </div>
                                  <p class="MsoNormal">-- <br>
                                    Nat Sakimura (=nat) <o:p></o:p></p>
                                  <div>
                                    <p class="MsoNormal">Chairman,
                                      OpenID Foundation<br>
                                      <a moz-do-not-send="true"
                                        href="http://nat.sakimura.org/"
                                        target="_blank">http://nat.sakimura.org/</a><br>
                                      @_nat_en<o:p></o:p></p>
                                  </div>
                                </div>
                              </blockquote>
                              <p class="MsoNormal"><o:p> </o:p></p>
                            </div>
                          </div>
                        </div>
                      </blockquote>
                    </div>
                    <p class="MsoNormal"><br>
                      <br clear="all">
                      <o:p></o:p></p>
                    <div>
                      <p class="MsoNormal"><o:p> </o:p></p>
                    </div>
                    <p class="MsoNormal">-- <br>
                      Nat Sakimura (=nat) <o:p></o:p></p>
                    <div>
                      <p class="MsoNormal">Chairman, OpenID Foundation<br>
                        <a moz-do-not-send="true"
                          href="http://nat.sakimura.org/"
                          target="_blank">http://nat.sakimura.org/</a><br>
                        @_nat_en<o:p></o:p></p>
                    </div>
                  </div>
                </blockquote>
              </div>
            </blockquote>
            <p class="MsoNormal"><o:p> </o:p></p>
          </blockquote>
        </div>
      </div>
    </blockquote>
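<p>The "third party as audience plus azp" pattern John describes, and Torsten's case of an app presenting an id_token as a credential, both come down to the same acceptance checks on the receiving side. The validator below is an added example written for this page, not code from the thread or from any OpenID specification; the HS256 demo key, the claim values, and the names ISSUER, BACKEND_AUD and KNOWN_AZP are all assumptions.</p>

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not from the thread): a real OP signs
# id_tokens with its own keys (normally RS256, verified via the OP's JWKS); an
# HMAC key is used here only so the example runs stand-alone.
DEMO_KEY = b"constructed-shared-secret-for-demo-only"
ISSUER = "https://op.example"             # assumed issuer URL
BACKEND_AUD = "backend.example"           # the 3rd-party audience (assumed)
KNOWN_AZP = {"native-app-client-id"}      # client_ids the backend accepts as azp


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact HS256 JWS from claims; used here only to make test input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token, *, expected_aud, allowed_azp, issuer=ISSUER,
                      key=DEMO_KEY, now=None):
    """Return the claims if `expected_aud` may accept this token, else raise ValueError.

    Applies the OpenID Connect Core id_token rules relevant to the thread:
    iss must match, aud must include us, a multi-audience token must carry
    azp, any azp must be a client we know, and exp must be in the future.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":      # pin the algorithm; never trust the token's alg
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))

    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_aud not in auds:
        raise ValueError("token not intended for this audience")
    azp = claims.get("azp")
    if len(auds) > 1 and azp is None:
        raise ValueError("multiple audiences but no azp")
    if azp is not None and azp not in allowed_azp:
        raise ValueError(f"unknown authorized party {azp!r}")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def demo(now: int = 1372766400) -> dict:
    """Run four constructed tokens through the validator with a fixed clock."""
    base = {"iss": ISSUER, "sub": "user-123",
            "aud": [BACKEND_AUD, "other.example"],   # 3rd party is one of the audiences
            "iat": now - 60, "exp": now + 600}
    cases = {
        "good": mint_id_token({**base, "azp": "native-app-client-id"}),
        "no_azp": mint_id_token(base),
        "rogue_azp": mint_id_token({**base, "azp": "some-other-client"}),
        "expired": mint_id_token({**base, "azp": "native-app-client-id", "exp": now - 1}),
    }
    results = {}
    for name, tok in cases.items():
        try:
            validate_id_token(tok, expected_aud=BACKEND_AUD, allowed_azp=KNOWN_AZP, now=now)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} {outcome}")
```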
    <br>
  </body>
</html>