[Openid-specs-ab] Spec call notes 14-Sep-15

Edmund Jay ejay at mgi1.com
Tue Sep 15 00:14:05 UTC 2015


Spec call notes 14-Sep-15

John Bradley
Nat Sakimura
Edmund Jay

Agenda
    Bitbucket Links
    Issues
    RP Certification


Bitbucket links
    Need to redirect requests to the domain hg.openid.net to bitbucket.org/openid/path
    Need to set up mod_rewrite rule
    Edmund will send rule to John

Issues
    #982 - Error in JWT claim definitions for client authentication
        Change ID Token to JWT
    #968 - Inconsistent treatment of id_token_hint
        Waiting for proposal from Mike
    #969 - Need clarity on session state variable
        John to look into it
    #970 - Core - 2 - ID Token acr claim incorrectly specifies the level 0 of assurance
        John to propose alternate wording
    #973 - Core 2 / 3.1.3.7 - azp claim underspecified and overreaching
        Ignoring azp potentially allows tokens to be issued to 3rd parties that can be used to impersonate the subject.
        There was a security reason for warning clients to reject JWTs they receive as id_tokens that were not issued to them directly.
        The other alternative is to remove azp from the spec to discourage people from using it, and hope that Google has tight enough issuance rules that no one finds a security hole.
    #974 - Deprecated algorithm RSA1_5 used in spec examples and self-issued
        Need concrete proposal
    #975 - Do we add additional related specifications?
        Assigned to Mike
    #976 - Unregistered openid2_realm and openid2_id
        Assigned to Mike
    #977 - How to handle an unsupported response_mode?
        Will return HTTP 400 status. Assigned to Mike
    #978 - URL for errata
        Need links specifically for errata instead of overwriting current version links.
        Need more discussion
    #979 - Discovery / Security Considerations: CSRF attack on user input identifier
        John to work on it
    #980 - Where else do we need to specify the use of CORS support?
        Need more discussion
    #981 - Session - Send SCIM based back channel logout info to the list
        Nat will work on it
    #982 - Error in JWT claim definitions for client authentication
        Agreed to make change

Logout specs
    Backchannel and front channel Logout specs have been posted to the list.
    Everyone, please review and provide feedback.


RP Certification
    There are still problems related to testing of signature/encryption key rotations on the RP and OP.
    Edmund will notify Roland of them.
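The azp discussion under issue #973 turns on one client-side check: an RP must reject an ID Token that the OP issued to a different client, even if the RP's own client_id appears somewhere in aud. The following is an added example, not text from the call notes and not OpenID Foundation code. It implements only the aud/azp steps of ID Token validation from OpenID Connect Core 3.1.3.7 and assumes the JWT signature, iss, exp and nonce have already been verified elsewhere; the client IDs and token payloads are constructed. It also shows the weaker aud-only check the issue warns about, which accepts a token issued to another party.

```python
"""aud/azp checks on an ID Token payload (added example, not from the notes).

Assumes signature, iss, exp and nonce were verified before this step.
Client IDs and payloads below are constructed for illustration.
"""
from typing import Any, Mapping, Tuple

# Constructed identifiers (assumption): the RP running this code, and a
# second RP registered at the same OP, e.g. a mobile app of the same vendor.
OUR_CLIENT_ID = "web-rp.example"
OTHER_CLIENT_ID = "mobile-rp.example"


def check_audience(claims: Mapping[str, Any], client_id: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for the aud/azp part of ID Token validation.

    Rules applied (OpenID Connect Core 3.1.3.7, steps 3-5):
      - aud MUST contain our client_id (aud may be a string or a list)
      - if aud lists several audiences, azp SHOULD be present
      - if azp is present, it SHOULD equal our client_id
    The azp comparison is what stops an ID Token the OP issued to another
    client from being replayed to this RP to impersonate the subject.
    """
    aud = claims.get("aud")
    if aud is None:
        return False, "aud claim missing"
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in audiences:
        return False, "token was not issued for this client (aud)"
    azp = claims.get("azp")
    if len(audiences) > 1 and azp is None:
        return False, "multiple audiences but no azp claim"
    if azp is not None and azp != client_id:
        return False, f"token was issued to another client (azp={azp!r})"
    return True, "ok"


def check_audience_ignoring_azp(claims: Mapping[str, Any], client_id: str) -> bool:
    """The weaker check issue #973 warns about: aud only, azp ignored."""
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    return client_id in audiences


# Constructed payloads (assumption); iss/sub values are placeholders.
TOKEN_FOR_US = {"iss": "https://op.example", "sub": "alice", "aud": OUR_CLIENT_ID}
TOKEN_FOR_OTHER = {"iss": "https://op.example", "sub": "alice", "aud": OTHER_CLIENT_ID}
# The OP lists both clients in aud but marks the mobile app as the party the
# token was issued to. If that app (or whoever obtained the token from it)
# presents it to our backend, only the azp check catches the replay.
TOKEN_REPLAYED = {
    "iss": "https://op.example",
    "sub": "alice",
    "aud": [OTHER_CLIENT_ID, OUR_CLIENT_ID],
    "azp": OTHER_CLIENT_ID,
}
TOKEN_MULTI_NO_AZP = {"iss": "https://op.example", "sub": "alice",
                      "aud": [OTHER_CLIENT_ID, OUR_CLIENT_ID]}


if __name__ == "__main__":
    for name, tok in [("for us", TOKEN_FOR_US), ("for other", TOKEN_FOR_OTHER),
                      ("replayed", TOKEN_REPLAYED), ("multi, no azp", TOKEN_MULTI_NO_AZP)]:
        strict = check_audience(tok, OUR_CLIENT_ID)
        weak = check_audience_ignoring_azp(tok, OUR_CLIENT_ID)
        print(f"{name:14} strict={strict[0]!s:5} ({strict[1]}); aud-only={weak}")
```

The replayed payload is the case that matters: the aud-only check accepts it because our client_id is in the list, while the 3.1.3.7 check rejects it because azp names the other client. Dropping azp from the spec, the alternative raised on the call, would leave RPs with only the weaker check.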

