[OpenID board] April 27, 2016 OpenID Board Meeting Minutes

Mike Jones Michael.Jones at microsoft.com
Mon May 9 12:36:53 UTC 2016

OK – I’ll amend the minutes accordingly.  You hadn’t responded to the board-private draft version sent per policy for review purposes so I assumed that the draft version was correct.  Are there any other amendments needed?

From: board [mailto:openid-board-bounces at lists.openid.net] On Behalf Of Pamela Dingle
Sent: Monday, May 9, 2016 5:19 AM
To: openid-board at lists.openid.net
Cc: board at openid.net
Subject: Re: [OpenID board] April 27, 2016 OpenID Board Meeting Minutes

Hey Mike -- I'm not sure it really matters, but I was on the phone for this meeting.  I didn't say anything because I was in the airport (and then onboard my aircraft), but was present for the whole meeting, only missing the very beginning and a little bit of the meeting that went over the time at the end there.


On Mon, May 9, 2016 at 3:01 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:
April 27, 2016 OpenID Board Meeting Minutes

Don Thibeau, Executive Director
John Bradley
Mike Jones
Nat Sakimura
George Fletcher
Prateek Mishra
Brian Berliner
Dale Olds
Adam Dawes

Present on the Phone:
Bjorn Hjelm

Debbie Bucci
Pamela Dingle
Lydia Varmazis
Tony Nadalin

Tom Smedinghoff, Locke Lord LLP (on the phone)
Mike Leszcz, OIDF (on the phone)
Phil Hunt, Oracle

1. New Board Member
We welcomed Oracle to the board.  Prateek Mishra and Phil Hunt are in attendance from Oracle.

Prateek said that Oracle is working to integrate an identity fabric with business services – both for external applications and within the company.  Phil Hunt said that SCIM is very important to Oracle and sees potential synergies between SCIM and OpenID Connect.  Phil talked about developing best deployment practices.  George and Brian and John affirmed Oracle’s goals.  Phil expressed a desire for us to evaluate the possibility of doing SCIM interop and possibly conformance work, which the IETF doesn’t do.

2. Legal and Policy Review
Tom has been going through our mostly 7-year-old legal documents, addressing issues found.  One item was to create a software contribution agreement based upon the Google contribution agreement.  Some members and potential members had also identified issues.  We are explicitly not touching the IPR Policy and IPR Process documents.

Tom has sent revised copies to the EC for review and is awaiting comments.  Then they will be circulated to the full board.  The new versions separate policies from procedures.

Mike described that the IPR policy and process documents are, by design, difficult to update.  Nat pointed out that we did update them once, in 2009, to streamline the specifications council working group approval procedures.

3. Status of Trademarks
There is a deadline of May 6th for a response to a trademark registration refusal in Canada, which is related to SXIP’s registration of OpenID in Canada.  Mike Jones and Don Thibeau are in communication with Dick Hardt about assigning SXIP’s registration to the OpenID Foundation, which Dick has agreed to do.

4. OpenID Certification
Mike reported on the status of the certification program.  The number of registrations continues to grow.  Registrations are now being paid for by registrants.  OpenID Connect working group members and Don are working with Roland Hedberg on advancing the RP certification program during IIW.

5. Website Update
Mike reported that we are making substantial progress both towards deploying the revised membership Ruby code and towards transitioning from Darin Richardson as our web site developer to Nov Matake, who has agreed to become our new web site developer.  Mike and Don have continued to work with both Darin and with OSUOSL and are happy to report that the new code is now running on a staging server and another server that will be put in production to replace the 7-year-old Ruby deployment, after the new code has been evaluated and accepted.

6. Working Group Updates
There were substantive working group updates at the OpenID workshop on Monday, so we didn’t repeat most of that content here.

Adam reported that Google is working on opening up their Android password manager and Account Chooser experience to other platforms.  This would require a standard password manager API.  That work is happening in the W3C Web Credentials working group.  The Account Chooser working group may choose to utilize and build upon this functionality.

7. Financial Update
The foundation is in sound financial shape.  The legal efforts have been the primary cost driver but there are sufficient existing funds to cover that work without needing directed funding.

8. Recognizing Substantive Contributions to the Foundation and its Mission
In recognition of their substantive contributions towards the creation of the OpenID Foundation and their long-term technical contributions to OpenID Foundation specifications, the foundation elected to honor David Recordon, Dick Hardt, and Drummond Reed by offering them lifetime invited expert status and accompanying free lifetime individual OpenID Foundation memberships.  John made the motion and Adam seconded it.  The motion passed unanimously.

9. Communication about Security Best Practices
William Denniss led a productive discussion at IIW based on input from George Fletcher at the Monday OpenID workshop on OAuth mix-up attacks and related issues.  We gathered notes about vulnerabilities for purposes of possibly publishing them as an informative note on the OpenID blog.

Don pointed out that our mission includes adoption.  He said that publishing advice to developers is a way of adding value to members, including internationally.  We might call it a “Deployment Advisory” in the title.  Mike said that it would be OK for the blog category to be “Security Advisory” but people thought that was too strong to use in the title.  Our communication needs to include information on cross-site request forgery and the mix-up attacks.

We will ask William Denniss to be lead author on the text.  Mike, John, George, Phil, and Don will review the text.

George moved that we publish information conveying the security and deployment guidance.  Brian seconded the motion.  John pointed out that we can coordinate with NIST, who has mechanisms for publishing security advisories, and that that might have a favorable side-effect of helping to deepen NIST's engagement with the OpenID Foundation.

board mailing list
board at lists.openid.net

Pam Dingle
Principal Technical Architect
Ping Identity

pdingle at pingidentity.com


+1 303.999.5890