<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Mike,<br>
<br>
here are my review comments:<br>
<br>
section 2<br>
<br>
PPID and openid2_realm:<br>
"If PPID was used to obtain the OpenID 2.0 Identifier" - How is the
RP supposed to know/find out whether the OP issued a PPID or a
universal/global OpenID? I would rather suggest to make this a
mandatory parameter, the RP must know its OpenID 2.0 realm anyway.<br>
<br>
"If the value of openid2_id is an XRI [XRI_Syntax_2.0], the
mechanism for verifying the iss in the ID Token is still TBD" - Do
you want to determine this before the spec is published? If not I
would suggest to replace the TBD by "... is out of scope for this
specification."<br>
<br>
"There could be an attack by a malicious RP to obtain the user’s
PPID for another RP to perform identity correlation. To mitigate the
risk, the OP MUST verify that the realm and RP’s Redirect URI
matches as per Section 9.2 of OpenID 2.0 [OpenID.2.0]."<br>
<br>
section 3<br>
<br>
I'm not sure what this means. Does it mean the RP's XRDS document
must contain the RP’s Redirect URI (a OAuth/OIDC redirect_uri)? If
so, is the RP supposed to use a certain service Type or
<a class="moz-txt-link-rfc2396E" href="http://specs.openid.net/auth/2.0/return_to">"http://specs.openid.net/auth/2.0/return_to"</a>?<br>
<br>
Example:<br>
<Service xmlns="xri://$xrd*($v*2.0)"><br>
<Type><a class="moz-txt-link-freetext" href="http://specs.openid.net/auth/2.0/return_to">http://specs.openid.net/auth/2.0/return_to</a></Type><br>
<URI><a class="moz-txt-link-freetext" href="http://consumer.example.com/return">http://consumer.example.com/return</a></URI><br>
</Service><br>
<br>
section 4.1.2<br>
<br>
"If a corresponding OpenID 2.0 Identifier is not found for the
authenticated user, the openid2_id claim in the ID Token MUST have
the value NOT FOUND." I assume the value must be "NOT FOUND"?<br>
<br>
section 6<br>
<br>
step 2<br>
"... The server SHOULD return a JSON with iss ..." Why not MUST?
Otherwise the RP cannot verify whether the OP OP is Authoritative.<br>
<br>
step 3<br>
"If the openid2_id does not start with http or https, it is an XRI
[XRI_Syntax_2.0]. In this case, the RP needs to construct the
verification URI by concatenating <a class="moz-txt-link-freetext" href="https://xri.net/">https://xri.net/</a>, the value of the
openid2_id claim, and /(+openid_iss). Requesting the resulting URI
with GET will result in a series of HTTP 302 redirects. The RP MUST
follow the redirects until HTTP status code 200 OK comes back. The
URI that resulted in 200 OK is the authoritative issuer for the XRI.
This URI MUST exactly match the iss in the ID Token except for the
potential trailing slash (/) character."<br>
<br>
Doesn't this contradict the note regarding XRI in section 2 (TBD)?<br>
<br>
section 8.1<br>
<br>
"This standard allows the RP to verify the authenticity of the
OpenID 2.0 Identifier through ID Token even after the OpenID 2.0 OP
is taken down. To enable this, the OP MUST publish the public keys
that were used to sign the ID Token with openid2_id claim at the URI
that this OpenID 2.0 Identifier points to."<br>
<br>
Where is the relation between the openid2 identifier and the OP's
public keys? Public keys are nowhere else mentioned in this spec.<br>
<br>
best regards,<br>
Torsten.<br>
<br>
<div class="moz-cite-prefix">Am 17.09.2014 03:10, schrieb Mike
Jones:<br>
</div>
<blockquote
cite="mid:4E1F6AAD24975D4BA5B16804296739439AED4EBF@TK5EX14MBXC292.redmond.corp.microsoft.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle18
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1763716381;
mso-list-type:hybrid;
mso-list-template-ids:448301048 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">The OpenID Connect Working Group recommends
approval of the following specification as an OpenID
Implementer’s Draft:<o:p></o:p></p>
<p class="MsoListParagraph"
style="text-indent:-.25in;mso-list:l0 level1 lfo2"><!--[if !supportLists]--><span
style="font-family:Symbol"><span style="mso-list:Ignore">·<span
style="font:7.0pt "Times New Roman"">
</span></span></span><!--[endif]--><a
moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-migration-1_0-06.html">OpenID
2.0 to OpenID Connect Migration 1.0</a> – Defines how to
migrate from OpenID 2.0 to OpenID Connect<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">An Implementer’s Draft is a stable version
of a specification providing intellectual property protections
to implementers of the specification. This note starts the 45
day public review period for the specification drafts in
accordance with the OpenID Foundation IPR policies and
procedures. This review period will end on Friday, October
31, 2014. Unless issues are identified during the review that
the working group believes must be addressed by revising the
drafts, this review period will be followed by a seven day
voting period during which OpenID Foundation members will vote
on whether to approve these drafts as OpenID Implementer’s
Drafts. For the convenience of members, voting may begin up to
two weeks before October 31<sup>st</sup>, with the voting
period still ending on Friday, November 7, 2014.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This specification is available at:<o:p></o:p></p>
<p class="MsoListParagraph"
style="text-indent:-.25in;mso-list:l0 level1 lfo2"><!--[if !supportLists]--><span
style="font-family:Symbol"><span style="mso-list:Ignore">·<span
style="font:7.0pt "Times New Roman"">
</span></span></span><!--[endif]--><a
moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-migration-1_0-06.html">http://openid.net/specs/openid-connect-migration-1_0-06.html</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">A description of OpenID Connect can be
found at <a moz-do-not-send="true"
href="http://openid.net/connect/">
http://openid.net/connect/</a>. The working group page is <a
moz-do-not-send="true" href="http://openid.net/wg/connect/">
http://openid.net/wg/connect/</a>. Information on joining
the OpenID Foundation can be found at
<a moz-do-not-send="true"
href="https://openid.net/foundation/members/registration">https://openid.net/foundation/members/registration</a>.
If you’re not a current OpenID Foundation member, please
consider joining to participate in the approval vote.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">You can send feedback on the specifications
in a way that enables the working group to act upon your
feedback by (1) signing the contribution agreement at
<a moz-do-not-send="true"
href="http://openid.net/intellectual-property/">http://openid.net/intellectual-property/</a>
to join the working group (please specify that you are joining
the “AB+Connect” working group on your contribution
agreement), (2) joining the working group mailing list at <a
moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>,
and (3) sending your feedback to the list.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">-- Michael B. Jones – OpenID Foundation
Board Secretary<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">(This notice has also been posted at <a
moz-do-not-send="true"
href="http://openid.net/2014/09/16/review-of-proposed-implementers-draft-of-openid-2-0-to-openid-connect-migration-specification/">http://openid.net/2014/09/16/review-of-proposed-implementers-draft-of-openid-2-0-to-openid-connect-migration-specification/</a>.)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
specs mailing list
<a class="moz-txt-link-abbreviated" href="mailto:specs@lists.openid.net">specs@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs">http://lists.openid.net/mailman/listinfo/openid-specs</a>
</pre>
</blockquote>
<br>
</body>
</html>