[Openid-specs-ab] Certification of your relying party software

Nick Roy nroy at internet2.edu
Mon Jan 9 21:30:17 UTC 2017


+A LOT

Nick

On 1/8/17 5:21 PM, Henrik Biering via Openid-specs-ab wrote:
> +1!
>
> Den 08-01-2017 kl. 16:40 skrev Mike Schwartz via Openid-specs-ab:
>>
>> Just my $.02. I know I said this before...
>>
>> We want client developers to certify their code! I think RP testing
>> should be permanently free. The few bucks it's going to bring in are
>> not material compared with the benefit to the community of better
>> libraries and deployments.
>>
>> What we're seeing at Gluu is that there is a lot of crappy client
>> code. Also, we're seeing that a lot of developers are using OAuth2
>> libraries, and not taking advantage of the security features of
>> OpenID Connect.
>>
>> It seems the end-users of RP client code don't care that much if it's
>> certified. They want ease of use. They want it to solve a problem.
>>
>> It's a weird dichotomy. We get raked over the coals by enterprise
>> security departments on the Gluu Server OP. And then the client
>> developers are using implicit flow and not even checking the
>> state or id_token!
>>
>> Any fee will put a barrier to testing. We should give client
>> developers who self-certify a medal--not charge them!
>>
>> - Mike
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>
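The failure Mike describes above (RP code that never checks the state parameter or the id_token) is what RP certification is meant to catch. The following is an added example, not code from this thread or from any OpenID Foundation test suite: a minimal relying party that binds a fresh state and nonce to the browser session, rejects a callback whose state does not match, and validates the id_token's signature, iss, aud, exp and nonce as OpenID Connect Core section 3.1.3.7 requires. It assumes an HS256-signed id_token keyed with the client_secret (a valid OIDC option, chosen so the example needs nothing beyond the standard library); the issuer URL, client id and secret are constructed placeholders, and make_id_token only exists to fabricate test input standing in for what an OP would issue.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, client_secret: str) -> str:
    """Construct an HS256-signed id_token as test input (stands in for the OP).
    A real RP never mints its own id_token; this exists only to feed the verifier."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token, client_secret, issuer, client_id, expected_nonce, now=None):
    """Validate an HS256 id_token: signature, iss, aud (and azp), exp, nonce.
    Raises ValueError on any failure; returns the claims only when all checks pass."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the RP agreed with the OP; never let the token's alg header choose.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        raise ValueError("audience mismatch")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp missing or wrong for a multi-audience token")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch")
    return claims


class RelyingParty:
    """Minimal RP login state: state and nonce are generated per login and
    bound to the browser session, so a callback can be matched to a request."""

    def __init__(self, client_id, client_secret, issuer):
        self.client_id, self.client_secret, self.issuer = client_id, client_secret, issuer
        self.sessions = {}  # session_id -> {"state": ..., "nonce": ...}

    def start_login(self, session_id):
        state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.sessions[session_id] = {"state": state, "nonce": nonce}
        # These are the parameters the RP would put on the authorization request.
        return {"response_type": "code", "client_id": self.client_id,
                "state": state, "nonce": nonce}

    def handle_callback(self, session_id, returned_state, id_token, now=None):
        # One-shot: the pending entry is consumed, so a replayed callback fails on state.
        pending = self.sessions.pop(session_id, None)
        if pending is None or not hmac.compare_digest(pending["state"], returned_state):
            raise ValueError("state mismatch: callback is not bound to this session")
        return verify_id_token(id_token, self.client_secret, self.issuer,
                               self.client_id, pending["nonce"], now)
```

Usage: call start_login when the user clicks "sign in", send the returned parameters to the OP, then pass the state and id_token that come back to handle_callback; anything it raises means the login is rejected. The design point is that state and nonce are not optional extras: without the state check any attacker-supplied callback is accepted into the victim's session, and without the nonce check an id_token captured elsewhere can be replayed.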