HEART / 2015-05-04

Call Stats

Roll Call: http://hg.openid.net/heart/wiki/Roll_Call

12 on the call: 11 IP / 1 observer

Total IP: 31. Listserv count: 110.

Profile review:

Source: https://bitbucket.org/openid/heart/src

Rendered versions: http://openid.bitbucket.org/HEART/

Only the source XML is checked in, and rendering is a manual process, so there will be a lag between versions.

Contributions on Git: it is simple to create a fork and a pull request, which is then pulled in. Alternatively, contribute text by posting to the list. Text to the list is preferred so there is a written record and others have the opportunity to chime in.

Some highlights of the discussion:

  • Private key JWT (private_key_jwt) for all calls

  • Every HEART member must have a key, made available either by registering it directly or by publishing it on an accessible website.

  • Registration: keys must be registered

  • Need to develop good user-experience guidelines for dynamic registration, so the user is aware of the difference between a dynamically registered app and an app vetted by a doctor

  • Must support revocation

  • Must provide the bearer token in the Authorization header when talking to a protected resource; the other two methods may be supported. This gives client developers a baseline so they know what to expect.

  • Feature inherited from the VA profile: the client can authenticate to the protected resource with more than shared-client-secret methods. This might get pulled out into an extension.

  • Public clients must have access to key registration

  • General sentiment: a baseline of required dynamic registration is needed, but that does not mean you have to allow access to all services.

OIDC profile:

  • The ID token is key to the protocol.

  • HEART is decidedly a tighter security domain. Tokens are signed in all cases and must be signed using public-key cryptography.

  • Use the server's key set, which the client can discover

  • Issuer field: lock down the fields tighter

  • Require support for userinfo, the OIDC scope and the subject claim as a minimum

  • Mandate support for JOSE-signed responses

  • Keys are available, so responses can also be encrypted.

  • Signed request objects sent via the request parameter give implicit clients a way to authenticate themselves. May want to add this to the OAuth profile as well.

  • The server must be able to process all options in the profile; the client gets to select.
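As an added illustration (not code from the HEART profiles or the OpenID project), the checks a client would apply to an ID token under the constraints listed above: an asymmetric signature algorithm only, a kid that resolves to the server's published key set, an exact issuer match, the client in the audience, a valid exp and a sub claim. The function names, the placeholder signature segment and the sample values are assumptions, and cryptographic verification of the signature is left to a JOSE library.

```python
import base64
import json
import time

# Asymmetric JOSE algorithms a HEART-style client accepts for ID tokens.
# Symmetric (HS*) and "none" are rejected: the profile wants public-key signatures.
ASYMMETRIC_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
                   "PS256", "PS384", "PS512"}

def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    """Encode a JSON object as an unpadded base64url segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(header, claims):
    """Constructed test token: real header/payload, placeholder signature segment."""
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "c2ln"])

def check_id_token_policy(token, expected_issuer, client_id, server_key_ids, now=None):
    """Enforce the profile constraints on a compact JWS ID token; return the claims
    or raise ValueError naming the failed constraint. The signature itself is
    assumed to be verified by a JOSE library with the key 'kid' selects from
    the server's discoverable key set."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("token must be a signed JWS in compact form")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if header.get("alg") not in ASYMMETRIC_ALGS:
        raise ValueError("alg must be an asymmetric (public key) algorithm")
    if header.get("kid") not in server_key_ids:
        raise ValueError("kid does not name a key in the server's key set")
    if claims.get("iss") != expected_issuer:  # exact string match, no normalisation
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued to this client")
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("exp missing or token expired")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise ValueError("sub claim required")
    return claims
```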
