[OpenID board] FW: Review of Proposed Errata to OpenID Connect Specifications

Mike Jones Michael.Jones at microsoft.com
Wed Sep 17 01:14:15 UTC 2014

From: Mike Jones
Sent: Tuesday, September 16, 2014 6:11 PM
To: specs at lists.openid.net
Subject: Review of Proposed Errata to OpenID Connect Specifications

The OpenID Connect Working Group recommends the approval of Errata to the following specifications:

*         OpenID Connect Core 1.0<http://openid.net/specs/openid-connect-core-1_0-21.html> - Defines the core OpenID Connect functionality: authentication built on top of OAuth 2.0 and the use of Claims to communicate information about the End-User

*         OpenID Connect Discovery 1.0<http://openid.net/specs/openid-connect-discovery-1_0-24.html> - Defines how Relying Parties dynamically discover information about OpenID Providers

*         OpenID Connect Dynamic Client Registration 1.0<http://openid.net/specs/openid-connect-registration-1_0-27.html> - Defines how Relying Parties dynamically register with OpenID Providers

An Errata version of a specification incorporates corrections identified after the Final Specification was published.  This note starts the 45 day public review period for the specification drafts in accordance with the OpenID Foundation IPR policies and procedures.  This review period will end on Friday, October 31, 2014.  Unless issues are identified during the review that the working group believes must be addressed by revising the drafts, this review period will be followed by a seven day voting period during which OpenID Foundation members will vote on whether to approve these drafts as OpenID Errata Drafts.  For the convenience of members, voting may begin up to two weeks before October 31st, with the voting period still ending on Friday, November 7, 2014.

These specifications incorporating Errata are available at:

*         http://openid.net/specs/openid-connect-core-1_0-21.html

*         http://openid.net/specs/openid-connect-discovery-1_0-24.html

*         http://openid.net/specs/openid-connect-registration-1_0-27.html

The corresponding approved Final Specifications are available at:

*         http://openid.net/specs/openid-connect-core-1_0-final.html

*         http://openid.net/specs/openid-connect-discovery-1_0-final.html

*         http://openid.net/specs/openid-connect-registration-1_0-final.html

A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/.  Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration.  If you're not a current OpenID Foundation member, please consider joining to participate in the approval vote.

You can send feedback on the specifications in a way that enables the working group to act upon your feedback by (1) signing the contribution agreement at http://openid.net/intellectual-property/ to join the working group (please specify that you are joining the "AB+Connect" working group on your contribution agreement), (2) joining the working group mailing list at http://lists.openid.net/mailman/listinfo/openid-specs-ab, and (3) sending your feedback to the list.

A summary of the errata corrections applied is:

*         All - Added errata set number to the titles.

*         All - Updated dates for specs containing errata updates.

*         Core - Changed the RFC 6749 references from Section 3.2.1 to Section 2.3.1 in the "client_secret_basic" and "client_secret_post" definitions.

*         Fixed #954 - All - Added "NOT RECOMMENDED" to the list of RFC 2119 terms.

*         All - Updated references to pre-final IETF specs.

*         All - Replaced uses of the terms JWS Header, JWE Header, and JWT Header with the JOSE Header term that replaced them in the JOSE and JWT specifications.

*         Fixed #921 - Core - "Authorization Request" should be "Authentication Request".

*         Fixed #926 - Core - Typo in Self-Issued ID Token Validation.

*         Fixed #920 - Core - Attack identified against self-issued "sub" values.

*         Core - Authorization Code validation is not done when using the response type "code token" because the validation process requires an ID Token.

*         Fixed #925 - Registration - Typos ("jwk" vs "jwks") in "jwks" client metadata parameter definition.

-- Michael B. Jones - OpenID Foundation Board Secretary

(This notice has also been posted at http://openid.net/2014/09/16/review-of-proposed-errata-to-openid-connect-specifications/.)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-board/attachments/20140917/12df3933/attachment-0001.html>

More information about the board mailing list