Attendees

• ChrisMessina, BlaineCook, IanMcKeller, LeahCulver, Coda, MarcHedlund, KellanElliotMcCrea, Rabble
• joining by phone: AndySmith, EranHammer-Lahav

Goals

1. review draft
2. interop/code

Notes

• diff 107 to trunk
• need best practices for web site...
  • include mobile stuff... callback URLs
• be sure to call out that oauth spec is in UTF-8
• best practice for nonce + timestamp
• EHL doesn't like timestamps plus nonces being used as parameters
• removed: The Service Provider MAY include two machine-readable tags in its human-readable instructions to the User. If included, both tags MUST be added in the element of the HTML document:

<meta name=\"oauth_result\" content=\"true\" />
<meta name=\"oauth_token\" content=\"request_token\" />

• PKI/RSA coming later ... extensions may come later...
• do generic stuff and then specific signing algorithms, besides plaintext... call out plaintext separately as extension...
• treat all parameters as equal... add oauth_signature ... don't specify
• we'll leave sig stuff and email eran the stuff we want for sig...
• md5 is an extension outside of spec like PKI, SOAP header...
• marc will go through and make sure that we can write tests for every MUST or SHOULD
• marc will write security considerations document... should this be part of spec?
• termie, PHP... leah, python... blaine, ruby... aaron straupe cope, perl... need can has code review?
• blaine's code will lead to ruby plugin...