[Openid-specs-ab] Spec call notes 16-Nov-15

Mike Jones Michael.Jones at microsoft.com
Tue Nov 17 00:20:20 UTC 2015


Spec call notes 16-Nov-15

Mike Jones
Edmund Jay
Brian Campbell
John Bradley
Nat Sakimura

Agenda
                Call scheduling
                Work we have outstanding
                Open Issues
                Certification

Call scheduling
                The Monday call time is now 3pm Pacific due to the DST change
                This conflicts with the RISC call every other week
                We agreed to have the Monday call the days that RISC doesn't
                We will have the 7am Pacific Thursday call on the alternate weeks
                Nat will update the calendar on the working group page

Work we have outstanding
                Errata
                3 logout specs
                Fast Identity Verification
                Certification

Open Issues
                #968 - inconsistent treatment of id_token_hint
                                Mike needs to propose specific wording
                #969 - Need clarity on session state variable
                                Assigned to John - He believes that there's a privacy reason for it
                #970 - Core - 2 - ID Token acr claim incorrectly specifies the level 0 of assurance
                                John to propose new language
                #973 - Core 2 / 3.1.3.7 - azp claim underspecified and overreaching
                                Mike to propose new language
                #974 - Deprecated algorithm RSA1_5 used in spec examples and self-issued
                                Mike
                #975 - Do we add additional related specifications?
                                Mike to do editing
                #976 - Unregistered openid2_realm and openid2_id
                                Mike to do editing
                #977 - How to handle an unsupported response_mode?
                                Mike to do editing
                #978 - URL for errata
                                Mike to do editing
                #979 - Discovery / Security Considerations: CSRF attack on user input identifier
                                In discussion - Assigned to John
                #980 - Where else do we need to specify the use of CORS support?
                                Mike to do editing, based on issue comments
                #981 - Session - Send SCIM based back channel logout info to the list
                                Informational - assigned to Nat
                #982 - Error in JWT claim definitions for client authentication
                                Mike to apply fix
                #984 - Create a document explaining "single logout" semantics
                                Informational - No owner currently
                                Perhaps should look at the notes from the recent IIW "What does logout mean?" session
                #985 - Use Bearer in token_type in Implicit Flow response example
                                Mike to add comment
                #986 - Core - 6.2 - Softening the 512 ASCII characters restriction
                                Mike to write clarifying text

Errata
                All necessary actions captured as open issues

HTTP-Based Logout
                We are renaming this to front-channel logout

Front-Channel Logout
                We need people to think about whether the session ID is defined the right way or not
                This may require implementation experience
                May want to rename it to "session secret" to indicate that it is confidential

Back-Channel Logout
                We need people to think about the session ID there as well

Fast Identity Verification
                William submitted a draft
                Google is apparently rethinking what email_verified means
                                It has always been a temporal result
                                Whether it was verified in the past or is authoritative now

Certification
                Roland and Edmund demonstrated RP certification testing at IIW
                OP certifications have come in
                At the Tokyo summit, Nov Matake ran a hands-on certification session with about 25 people doing OP testing

Next Call
                We will skip next Thursday due to US Thanksgiving
                The next call will be Monday, November 30th at 3pm Pacific time