OpenID Authentication 2.1

Convener: David Recordon, John B

Notes-taker: Martin

Technology Discussed/Considered: OpenID

Attendees:
 * John Bradley
 * Dan Balfanz
 * Martin Atkins
 * Axel Nennker
 * Scott Blumquist
 * Breno de Medeiros
 * Yariv Adam
 * Jorgen Thelin
 * Mike Mell
 * Mike Jones
 * Jim Pravetz
 * John Panzer
 * Alberto Cobas
 * Brian Eaton
 * Will Norris
 * Henrik Biering
 * David Richards
 * Raj Mata
 * Mike Lee
 * Allan Schiffman
 * Gabe Wachob
 * Eran Hammer
 * Joseph Holsten
 * Kannan Seshadri

'''Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps: '''

2.0 has been finalized.

There are a bunch of implementations.

Lots of spec bugs have been found.

Work has also gone into OAuth, email addresses and other things. Can we support these in the core spec?


 * Making the spec more readable and fixing bugs (errata)
 * Delegation
 * Error handling


 * Adding a security appendix
   * Could be a separate document referred to by the spec
   * Possibly produced by a separate group
   * Who controls this security page?
   * Security committee could look after this.
   * Or Allen at Yahoo! will be editing a security document


 * Clarifying XRI
   * Currently there's no firm message about whether RPs MUST support XRIs or not.
   * Need to clarify how exactly XRI should be used with OpenID.
   * Similar to the whitelist question.


 * Clarify whether RPs can whitelist or blacklist which OPs they accept, and vice versa.
 * Discovery of type of identifiers an RP supports.


 * Clarifying IRI
 * Updating discovery. Possibly including the new-fangled XRD discovery.
 * Clarifying whether association over SSL must/can use Diffie-Hellman.
 * Discovery of support of checkid_immediate.

Exploratory work:
 * Signature mechanisms. Looking at additionally supporting the mechanisms defined in OAuth so that they can be closer together.
   * Possibly deprecating the current signature mechanism.
   * Public keys?


 * Email-shaped identifiers for OpenID
   * Could be a separate working group?

There was consensus that email-shaped identifiers would be worked on by a separate group and possibly rolled into 2.1 if it's done in time.
 * Smart/rich clients?
   * Could be in this WG unless it ends up being a big change, in which case it could be its own WG.
   * There's another session about this.