...

We discussed the "Allow ID Tokens as RPT" thread. An AS needs to have an identified and authorized RqP. Strictly speaking, does that mean the user needs to be "logged in"? James defines this as having had an interactive authentication experience, which his implementation doesn't require; it all depends on what auth modules have been leveraged. Justin's read of the meaning of "logged in" is broader, just meaning "has an authentication session".

We didn't quite get to the topic of trust elevation extension mechanisms, but this will depend on how the spec text shapes up.

Attendees

As of 23 Jun 2016 (post-meeting), quorum is 6 of 11. (Domenico, Kathleen, Sal, Nagesh, Andi, Robert, Agus, Maciej, Eve, Mike, Sarah)

...