[Openid-specs-ab] Spec call notes 20-Feb-17

Mike Jones Michael.Jones at microsoft.com
Tue Feb 21 00:01:06 UTC 2017

Spec call notes 20-Feb-17

John Bradley
Mike Jones
Nat Sakimura
Rich Levinson

              Mutual TLS OAuth Draft
              Certification Update
              OAuth Security Threats Information
              Open Issues
              Stephen Farrell's feedback on draft-ietf-oauth-jwsreq
              Next Call

Mutual TLS OAuth Draft
              There is interest in draft-campbell-oauth-tls-client-auth-00 in the FAPI WG
              Some banking authorities mandate using certificates
                           See https://www.nds.rub.de/media/ei/veroeffentlichungen/2017/01/30/oidc-security.pdf
              We will talk about this at IETF 98 in Chicago

Certification Update
              RP Certification launched http://openid.net/2017/02/14/openid-connect-relying-party-certification-adoption/
              Certified Implementations are now listed at http://openid.net/developers/certified/
              We surveyed those who have certified on their experiences
                           Lots of good feedback was received which Don and Mike will go through and publish
              Hans Zandbelt has been working with Roland on information transfer and documentation
              Additional profiles need to be defined and reviewed by the working group
                           Such as form post response mode

OAuth Security Threats Information
              Nat said that the University of Trier researchers are publishing their full paper in April
              They provided feedback on the tests, some of which was incorporated into the tests
              We don't have OAuth Mix-Up tests in the certification suite at present

Open Issues
              #1009: Contradictory statements about ID Token azp Claim
                           Much of this ground has already been covered in issue #973
                           We propose to address it when addressing #973

Stephen Farrell's feedback on draft-ietf-oauth-jwsreq
              Stephen is worried about parameters being able to be in two places and sometimes signed and sometimes not
              People are encouraged to comment on the OAuth thread
              Being more strict wouldn't break Connect OPs
                           It would break the (very few) RPs that use this in mixed mode
              It's probably reasonable to tighten this up in the OAuth spec
              jwsreq needs an "updates" clause about 6749

Next Call
              The next call is scheduled for Thursday, March 2nd at 7am Pacific Time
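Added worked example for the jwsreq item above. It is not part of the call notes and not working-group code; it illustrates the concern recorded there about parameters living in two places, signed and unsigned. An OP that merges unsigned query-string parameters with the signed request object ends up acting on values nobody signed, while an OP that uses only the signed parameters does not. The request object is modelled as an HS256 JWS built from the Python standard library so the example runs offline; a real OP verifies with the RP's registered public key. DEMO_KEY, the example URLs, the parameter values and the function names are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo secret shared by the RP and the OP.  HS256 keeps the example
# dependency-free; a real OP would verify with the RP's registered public key.
DEMO_KEY = b"demo-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(params: dict, key: bytes) -> str:
    """RP side: wrap the request parameters in a compact JWS (HS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(params, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_request_object(jws: str, key: bytes) -> dict:
    """OP side: verify the JWS and return its parameters; raise ValueError otherwise."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("request object is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm: no alg=none, no key confusion
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("request object signature invalid")
    return json.loads(_b64url_decode(payload_b64))


def effective_parameters(url: str, key: bytes, strict: bool) -> dict:
    """Decide which parameters of an authorization request URL the OP acts on.

    strict=False models the permissive OpenID Connect Core 6.1 reading: signed
    values supersede query values, but a parameter that appears only in the
    unsigned query string is still honoured.  strict=True honours only the
    signed parameters, after checking that the query-string client_id matches
    the signed one (the OP needs it to pick the verification key anyway).
    """
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    jws = query.pop("request", None)
    if jws is None:
        raise ValueError("no request object present")
    signed = verify_request_object(jws, key)
    if query.get("client_id") != signed.get("client_id"):
        raise ValueError("client_id in query does not match the signed request object")
    if strict:
        return dict(signed)
    merged = dict(query)
    merged.update(signed)
    return merged


def is_rejected(url: str, key: bytes, strict: bool = True) -> bool:
    """True if the OP would refuse the request outright."""
    try:
        effective_parameters(url, key, strict)
    except ValueError:
        return True
    return False


def build_demo_urls():
    """Constructed mixed-mode RP request and a tampered copy of it."""
    signed_params = {
        "client_id": "s6BhdRkqt3", "response_type": "code",
        "redirect_uri": "https://rp.example.com/cb",
        "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj",
    }
    jws = sign_request_object(signed_params, DEMO_KEY)
    # The RP sends scope only in the query string, i.e. outside the signature.
    honest = "https://op.example.com/authorize?" + urlencode(
        {"client_id": "s6BhdRkqt3", "response_type": "code", "scope": "openid", "request": jws})
    # Whoever can edit the link widens the unsigned scope and adds a redirect_uri;
    # the JWS itself is untouched, so its signature still verifies.
    tampered = "https://op.example.com/authorize?" + urlencode(
        {"client_id": "s6BhdRkqt3", "response_type": "code",
         "scope": "openid profile email offline_access",
         "redirect_uri": "https://attacker.example/cb", "request": jws})
    return honest, tampered


if __name__ == "__main__":
    honest_url, tampered_url = build_demo_urls()
    for label, url in (("honest", honest_url), ("tampered", tampered_url)):
        print(label, "lenient:", effective_parameters(url, DEMO_KEY, strict=False))
        print(label, "strict: ", effective_parameters(url, DEMO_KEY, strict=True))
```

Running it shows the two sides of the trade-off the notes record: in strict mode the tampered scope and redirect_uri are ignored because only signed values count, but the honest RP's query-only scope disappears as well, which is the mixed-mode breakage mentioned above; such an RP has to move every parameter it relies on into the signed request object.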