[Openid-specs-ab] Spec call notes 27-Jul-15

Mike Jones Michael.Jones at microsoft.com
Tue Jul 28 00:28:39 UTC 2015

Spec call notes 27-Jul-15

Mike Jones
John Bradley
Nat Sakimura
Edmund Jay

                Logout and Session Management spec changes
                Errata and Issues
                JWK Thumbprint Spec
                Workshop before IIW
                Workshop after IETF 94 Yokohama
                Next Calls

Logout and Session Management spec changes
                Mike simplified the logout spec to use only iframes
                Mike plans to push it out to openid.net/specs
                Mike fixed a bug in the JavaScript syntax in Session Management
                He will also push it out to openid.net/specs

Errata and Issues
                #922 - Back channel logout
                                John will look at some IETF specs that Kathleen Moriarty pointed him to that may be relevant
                #966 - Error code claims_not_supported should have been defined in Core
                                Not doing so was a cut-and-paste error made during editing
                                We will say that it SHOULD be returned if not supported
                #968 - Inconsistent treatment of id_token_hint
                                These are not actually inconsistent - one's id_token_hint and the other's requesting a "sub" claim value
                                Mike added a comment to the bug stating this
                #969 - Need clarity on session state variable
                                Not pertinent to errata
                                Assigned to John to look at providing clarifying remarks
                #970 - Core - 2 - ID Token acr claim incorrectly specifies the level 0 of assurance
                                Mike - this is historical usage from OpenID 2.0 PAPE
                                Nat - PAPE referenced SP 800-63 - not ISO 29115
                                Mike - The direct conflict comes from this sentence "Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate."
                                John - For historic reasons, 0 is used to indicate that there is no confidence that the same person is actually there
                                John will take a stab at new wording, saying what "0" meant historically
                #971 - Registration - 2. userinfo_encrypted_response_enc default value
                                This identifies a fix for a cut-and-paste error
                                Mike will look for other instances of this error while editing
                #972 - Nonce requirement in hybrid auth request
                                code+token response type doesn't actually require use of a nonce since no ID Token is returned on the front channel
                                John - But the nonce doesn't hurt.  We should leave this as-is.
                                Mike - Changing it at this point would cause an interop issue.
                                John will close this one as won't fix

                Mike will add references to the actual registries during the errata process
                People should add any other errata issues to the tracker at

                Bitbucket is doing reasonable redirects from the now deprecated project domain names
                hg.openid.net/connect/issues is redirecting to bitbucket.org/openid/connect/issues
                So there's no problem that we have to solve at present

Workshop before IIW
                Symantec has agreed to host this on Monday, October 26th
                For Connect, we should focus on RP certification
                We should set up a registration page for this and start promotion

Workshop after IETF 94 Yokohama
                Nat has asked the secretariat of OIDF Japan about this
                We should get logistics and registration information quickly

                Edmund sent a bunch of RP testing issues in e-mail to Roland
                Nat thinks Edmund should file these in the issue tracker
                Then others on Roland's team will have visibility into them as well

JWK Thumbprint Spec
                This is now at the RFC Editor

Next Calls
                One in a week on Monday the 3rd at 4pm Pacific time
                One on Thursday August 6th at the European-Friendly time of 7am Pacific this week