...
Issue 239
The main issue in the extension spec is whether it can coexist with the main spec or whether it "stomps on" the main spec. This likely affects the extension spec title, several instances of language, and the configuration data design – it should probably invent a new endpoint that exists alongside the original endpoint. Coexistence would dictate changing our previous consensus about seeing little reason to deploy the "unenhanced" claims-gathering mechanism. Reasons for coexistence would be backwards compatibility with the existing UMA spec(s), and we still could make arguments for someone having a specialized environment that does claims-gathering and doesn't really need the enhancement. Note that the old endpoint would be marked for eventual deprecation and disabling. An important question is whether it's even possible to not support the old endpoint. George argues for it to be possible for an AS not to support the "old" endpoint on security grounds. And in fact, this could be very clean because you just don't support the "claims-gathering method" as offered by regular UMA.
And now there's a draft non-normative companion doc. Eve's thinking is that all vulnerabilities found in protocols such as this should come with docs like this as a kind of FAQ.
AI: Eve: Ask the WG about one more ad hoc meeting early next week to see about finalizing decisions on spec text so we can close out the issue next week and publish.
Attendees
As of 18 Feb 2016, quorum is 6 of 11. (François, Domenico, Kathleen, Sal, Thomas, Andi, Robert, Maciej, Eve, Mike, Sarah)
...