[Openid-specs-ab] Spec Call Notes 29-Oct-18

Hjelm, Bjorn Bjorn.Hjelm at VerizonWireless.com
Tue Oct 30 08:07:22 UTC 2018


All,
Torsten's slides from IIW on Identity Proofing with OpenID Connect can be found at https://www.slideshare.net/TorstenLodderstedt/identity-proofing-with-openid-connect.

BR,
Bjorn

From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones via Openid-specs-ab
Sent: Monday, October 29, 2018 5:41 PM
To: openid-specs-ab at lists.openid.net
Cc: Mike Jones
Subject: [E] [Openid-specs-ab] Spec Call Notes 29-Oct-18

Spec Call Notes 29-Oct-18

Nat Sakimura
John Bradley
Bjorn Hjelm
Brian Campbell
Edmund Jay
Rich Levinson
Mike Jones

Agenda
              Editor's report for Errata and Logout
              Open Issues
              Report from IIW

Report from IIW
              Nat asked Mike to give a report from the Internet Identity Workshop (IIW)

              Torsten presented verified claims JWT proposal
                           There was strong interest in standards in this area
                           Expect a proposal from Torsten soon
                                         Mike believes that this work belongs in the Connect working group
                           Nat has heard interest in this capability from European banks
                           Kim Cameron is interested in being able to request aggregated claims from a particular issuer

              The FastFed working group held a 3-hour Thursday afternoon session
                           Darin McAdams updated FastFed draft to focus on Connect and not SAML
                           Attendees included Chuck Mortimore, Karl McGuiness, Dick Hardt, Darin, ADT, Googlers, and Mike Jones
                           Chuck advocated starting with "brown field" scenarios
                                         Converting a small number of username/password logins to an enterprise-wide federation
                                         These result from viral adoption of products like Slack or Teams
                           Others thought that "green field" - enabling federation from day 1 - is also important
                           Dick Hardt should be sending notes to the FastFed mailing list

              Roland Hedberg described updates he and Andreas Solberg made to the OpenID Connect Federation draft
                           Now every entity has an entity descriptor - previously RPs didn't
                           Added the ability to use JWT client IDs without pre-registration
                           Continuing to use syntax defined by Discovery and Dynamic Client Registration
                           People are highly encouraged to review draft 5 at https://openid.net/specs/openid-connect-federation-1_0-05.html

              Interest in RISC
                           Some large companies have production RISC endpoints now
                                         These are based on the RISC Implementer's Drafts

              Mike gave an Introduction to OpenID Connect "101" talk
                           It was well attended
                           Among others there were attendees from the banking and R&E sectors

Editor's report for Errata and Logout
              Mike plans to focus on completing the Errata and logout spec edits after IETF
              There are some open issues that need to be decided both for Errata and for some of the logout specs

Open Issues
              https://bitbucket.org/openid/connect/issues?status=new&status=open

              #1052 make clear that nonce is always required for Hybrid flows
                           Mike and Brian spoke to this
                           A nonce request parameter may not be strictly necessary for the code+token response type
                                         Both agreed that reasonable people could interpret this differently for code+token
                           Brian made the case that we shouldn't introduce breaking changes via errata
                           Mike pointed out that this change would probably require removing this particular test from the certification suite for code+token
                           Mike will write up this possibility in the issue for review

              #1032 rp-initiated logout - proposal for client_id parameter
                           Mike asked what the security implications are of passing the client_id in a non-tamper-resistant manner
                           We will discuss this on the next European-friendly call

Next Call
              We will keep the Thursday call despite it being IETF week
              It will be at 9pm in Bangkok
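The #1052 discussion above is about whether the nonce request parameter is always required for the Hybrid flows. What the parameter buys the Relying Party is the check below: the RP mints an unguessable nonce per authentication request, keeps it in its own session, and accepts an ID Token only if its nonce claim matches and has not been used before. The following Python is an added illustration of that RP-side check, not code from the working group or the notes; the session store is a plain dict, the ID Token is a constructed unsigned sample (alg=none) used only as input, and signature verification is assumed to happen before these functions are called.

```python
import base64
import hmac
import json
import secrets


def new_nonce(session: dict) -> str:
    """Generate an unguessable nonce for one authentication request and
    remember it in the RP's session so the returned ID Token can be bound to it."""
    nonce = secrets.token_urlsafe(32)
    session["oidc_nonce"] = nonce
    return nonce


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact-serialized JWT.
    Assumes the caller has already verified the token's signature."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def validate_nonce(session: dict, claims: dict) -> bool:
    """Check the ID Token's nonce claim against the nonce issued for this session.

    The stored nonce is consumed on first use regardless of outcome, so the
    same ID Token cannot pass the check a second time (replay) and a token
    minted for a different session cannot pass at all.
    """
    expected = session.pop("oidc_nonce", None)
    presented = claims.get("nonce")
    if expected is None or not isinstance(presented, str):
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())


def make_unsigned_id_token(claims: dict) -> str:
    """Build a constructed, unsigned ID Token (alg=none) purely as sample input.
    A real RP must require a signed token and verify it before using the claims."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."


def demo() -> dict:
    """Run the check over a fresh token, a replay of it, a token presented to
    another session, and a token with no nonce claim; return each outcome."""
    session = {}
    nonce = new_nonce(session)
    # Constructed claims, as an OP would mint them for this request (hypothetical issuer/client).
    claims = {"iss": "https://op.example", "sub": "alice", "aud": "rp-client", "nonce": nonce}
    token = make_unsigned_id_token(claims)

    first = validate_nonce(session, id_token_claims(token))    # accepted
    replay = validate_nonce(session, id_token_claims(token))   # rejected: nonce already consumed

    other_session = {}
    new_nonce(other_session)
    wrong_session = validate_nonce(other_session, id_token_claims(token))  # rejected: nonce mismatch

    third_session = {}
    new_nonce(third_session)
    no_nonce_token = make_unsigned_id_token({"iss": "https://op.example", "sub": "alice"})
    missing = validate_nonce(third_session, id_token_claims(no_nonce_token))  # rejected: no nonce claim

    return {"first": first, "replay": replay, "wrong_session": wrong_session, "missing": missing}


if __name__ == "__main__":
    print(demo())
```

The comparison uses hmac.compare_digest so a mismatch does not leak timing information, and the nonce is removed from the session before the comparison so that a failed check cannot be retried against the same value.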