[Openid-specs-ab] Spec call notes 10-Feb-14

Todd W Lainhart lainhart at us.ibm.com
Tue Feb 11 15:07:30 UTC 2014

I'm sorry that I missed the discussion.

>                Breno asked whether having RPs have logout notification 
endpoints wouldn't work better in some cases

Our implementation augments the client registration spec with a 
"signout_callback_uri" for this purpose.

Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
2-276-4705 (T/L)
lainhart at us.ibm.com

From:   Mike Jones <Michael.Jones at microsoft.com>
To:     "openid-specs-ab at lists.openid.net" 
<openid-specs-ab at lists.openid.net>, 
Date:   02/10/2014 06:55 PM
Subject:        [Openid-specs-ab] Spec call notes 10-Feb-14
Sent by:        openid-specs-ab-bounces at lists.openid.net

Spec call notes 10-Feb-14
John Bradley
Edmund Jay
Mike Jones
               Connect Voting
               Open Issues
               Future Meetings
               Session Management
               Interactive Client Registration
               Call Schedule
Connect Voting:
               The voting tool will start the voting tomorrow
               It will close two weeks from then
Open Issues:
               #917 - space is deliminator while also a legal character in 
client_id and session state
                              This seems like a problem we'll need to 
                              Mike asked whether the postMessage character 
set is ASCII or Unicode
                                             If Unicode, we could use a 
non-ASCII separator
                                             Or we could use a different 
ASCII character, such as Delete (0x7f)
                              More investigation seems like it's needed
               #915 - Computation of OP session_state in the IdP requires 
origin URI
                              Todd Lainhart is to propose specific text
               #914 - Session 5 - Missing client_id parameter
                              This seems to need more discussion
               #880 - Host the endpoint 
                              This is still on John's to-do list
Future Meetings:
               Before IETF 89 in London
                              We have requested a room from noon-5
                              OpenID would take the first half, OAuth the 
                              John will set up Eventbrite registration for 
               During RSA in San Francisco
                              Mike still needs to investigate this 
possibility - probably after Friday's IETF submission deadline
Session Management:
               Breno and Naveen had a conversation with John and Nat about 
session management
               They're concerned about RPs generating a lot of traffic at 
               They believe that token caching is needed
               Mike questioned what level of the specs this should happen 
at, and what we need to do
               Breno asked whether having RPs have logout notification 
endpoints wouldn't work better in some cases
               John brought up that some RPs might not want to have 
                              Devices like Layer7 intermediary devices and 
other may have problems injecting JavaScript into the HTML
               Breno was also worried postMessage security vulnerabilities
                              This may mostly have to do with using 
postMessage for authentication
                              All JavaScript widgets share the same 
postMessage channel
                              For session management, we're only sending 
"yes" or "no" so we're not leaking much information
                              Versus sending the ID Token via postMessage, 
which would be a concern
               Mike plans to try to talk with Breno and Naveen in person 
this week about next steps
Interactive Client Registration
               Google also discussed wanting to do dynamic client 
registration for IMAP clients
               This requires user interaction, which dynamic registration 
doesn't currently support
               As a side effect, they would like to also issue tokens
               They liked the software statement idea
               They only want to issue Client IDs to be created for 
authenticated users
               John will think about whether and how they can accomplish 
this with our existing protocol flows
                              We think that this is possible
Call Schedule:
               There's been no discussion about call times on the list so 
               We will continue with the weekly Thursday calls for now
               People are encouraged to discuss what the right schedule is 
on the list
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20140211/7b1d084e/attachment.html>

More information about the Openid-specs-ab mailing list