[Openid-specs-ab] Certification of your relying party software

Henrik Biering hb at peercraft.com
Mon Jan 9 00:21:47 UTC 2017


On 08-01-2017 at 16:40, Mike Schwartz via Openid-specs-ab wrote:
> Just my $.02. I know I said this before...
> We want client developers to certify their code! I think RP testing 
> should be permanently free. The few bucks it's going to bring in are 
> not material compared with the benefit to the community of better 
> libraries and deployments.
> What we're seeing at Gluu is that there is a lot of crappy client 
> code. Also, we're seeing that a lot of developers are using OAuth2 
> libraries, and not taking advantage of the security features of OpenID 
> Connect.
> It seems the end-users of RP client code don't care that much if it's 
> certified. They want ease of use. They want it to solve a problem.
> It's a weird dichotomy. We get raked over the coals by enterprise 
> security departments on the Gluu Server OP. And then the client 
> developers are using implicit flow and not even checking the 
> state or id_token!
> Any fee will put a barrier to testing. We should give client 
> developers who self-certify a medal--not charge them!
> - Mike