...

  • Mark Lizar

Minutes

New AI summary

...

  • Eve to turn Paul's "claims 2.0" proposal into a draft spec.

...

  • TomH to revise the tax scenario for inclusion in the Scenarios document.

Roll call

Quorum was reached.

...

Motion to accept Paul's recommendation on protocol issue on refresh tokens APPROVED.

Signing issue

Eve floated an idea she'd heard where (describing it in OAuth terms) a singular authorization/resource server issues credentials to a client, good for use only at that server, that must be used to sign the access token (or, at least, sign something in the access-request message – doesn't have to be the whole message since it's not for integrity-in-transit purposes) when it's presented to the resource server. This seems to be somehow related to both (a) the OAuth redelegation proposals (Vrancken, Twitter OAuth Echo) that have been floating around and (b) the "third signing use case", where the point is to have more-specific identification of the client.
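
A sketch of the idea described above, added here as an illustration and not taken from the minutes or from any spec the group produced: a combined authorization/resource server issues a per-client key, and the client signs part of the access request when it presents its access token. HMAC-SHA256, the nonce and timestamp fields, and all names (`Server`, `sign_request`, `verify_request`) are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time


def sign_request(key, token, nonce, ts):
    """Client side: sign only (token, nonce, timestamp), not the whole message."""
    msg = "\n".join([token, nonce, str(int(ts))]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Server:
    """Single authorization/resource server (hypothetical, for illustration)."""

    def __init__(self):
        self.client_keys = {}    # client_id -> key, usable only at this server
        self.tokens = {}         # access token -> client_id it was issued to
        self.seen = set()        # (client_id, nonce) pairs already accepted

    def register_client(self, client_id):
        key = secrets.token_bytes(32)
        self.client_keys[client_id] = key
        return key

    def issue_token(self, client_id):
        token = secrets.token_urlsafe(24)
        self.tokens[token] = client_id
        return token

    def verify_request(self, client_id, token, nonce, ts, sig, now=None, skew=300):
        now = time.time() if now is None else now
        key = self.client_keys.get(client_id)
        # The token must have been issued to the client claiming to present it.
        if key is None or self.tokens.get(token) != client_id:
            return False
        # Reject stale or replayed requests (assumed freshness policy).
        if abs(now - ts) > skew or (client_id, nonce) in self.seen:
            return False
        expected = sign_request(key, token, nonce, ts)
        if not hmac.compare_digest(expected, sig):
            return False
        self.seen.add((client_id, nonce))
        return True
```

The signature identifies which client is presenting the token, so a token copied by a different client fails verification even though the token value itself is valid.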

...