[Openid-specs-ab] Spec Call Notes 21-Jun-18

Torsten Lodderstedt torsten at lodderstedt.net
Thu Mar 28 10:49:25 UTC 2019


Hi all,

I just wanted to bring this tracker issue and proposal to your attention again. Please consider this for adoption as a WG document.

kind regards,
Torsten. 

> On 24.08.2018 at 15:47, George Fletcher <gffletch at aol.com> wrote:
> 
> +1 Thanks for writing this up Torsten!
> 
> On 8/24/18 8:45 AM, Torsten Lodderstedt via Openid-specs-ab wrote:
>> Hi Mike,
>> 
>> I created the new draft and sent you a pull request (https://bitbucket.org/openid/connect/pull-requests/3/1029-authentication-failed-error-response/diff).
>> 
>> I also attached the HTML.
>> 
>> @all: Please review and give feedback. 
>> 
>> Thanks in advance,
>> Torsten. 
>> 
>> 
>> 
>>> On 28.07.2018 at 21:52, Mike Jones <Michael.Jones at microsoft.com> wrote:
>>> 
>>> It would be listed in the set of Connect specifications at http://openid.net/connect/.
>>> 
>>> 				-- Mike
>>> 
>>> -----Original Message-----
>>> From: Torsten Lodderstedt <torsten at lodderstedt.net>
>>> Sent: Saturday, July 28, 2018 5:32 AM
>>> To: Mike Jones <Michael.Jones at microsoft.com>
>>> Cc: Vladimir Dzhuvinov <vladimir at connect2id.com>; openid-specs-ab at lists.openid.net
>>> Subject: Re: [Openid-specs-ab] Spec Call Notes 21-Jun-18
>>> 
>>> Hi Mike,
>>> 
>>> I potentially could do such a spec quickly. But how do you envision a developer to find out there is a complementary spec enhancing OpenID Connect Core? Developers will (at most) consult the OpenID Connect spec because that's what they are looking for.
>>> 
>>> kind regards,
>>> Torsten. 
>>> 
>>> 
>>>> On 30.06.2018 at 14:57, Mike Jones <Michael.Jones at microsoft.com> wrote:
>>>> 
>>>> I was envisioning a spec that simply defines a new error code and registers it in the OAuth Extensions Error Registry.  Its normative contents would be something like this:
>>>> 
>>>> OAuth "error" Value:
>>>>              unable_to_meet_authentication_requirements
>>>>              The authentication performed did not meet the requirements of the requester.
>>>> 
>>>> In the non-normative parts of the spec, you could say that one place this new error code could be used was if an OpenID Connect "acr" is requested as an essential claim and its criteria could not be met.
>>>> 
>>>> This doesn't rise to the level of incrementing the Connect version number or updating the entire spec.  In my view, that would send the wrong message to the marketplace.
>>>> 
>>>> You could do this simple spec pretty quickly.
>>>> 
>>>>                                                       -- Mike
>>>> 
>>>> From: Torsten Lodderstedt <torsten at lodderstedt.net>
>>>> Sent: Friday, June 29, 2018 10:44 PM
>>>> To: Mike Jones <Michael.Jones at microsoft.com>
>>>> Cc: Vladimir Dzhuvinov <vladimir at connect2id.com>; openid-specs-ab at lists.openid.net
>>>> Subject: Re: [Openid-specs-ab] Spec Call Notes 21-Jun-18
>>>> 
>>>> What kind of new spec do you have in mind to add the error code, which is required to properly handle an error situation described in OpenID Connect Core? I would assume OpenID Connect 1.x?
>>>> 
>>>> On 28.06.2018 at 12:28, Mike Jones <Michael.Jones at microsoft.com> wrote:
>>>> 
>>>> Can you change a published RFC?  No.
>>>> 
>>>> Part of the OIDF maintaining its reputation as a professional standards body is to likewise safeguard the integrity of our final specifications.
>>>> 
>>>> I realize that writing a new specification to introduce new functionality may seem inconvenient but it's ultimately the right thing to do.
>>>> 
>>>>                                                       -- Mike
>>>> 
>>>> From: Torsten Lodderstedt <torsten at lodderstedt.net>
>>>> Sent: Wednesday, June 27, 2018 8:14 PM
>>>> To: Mike Jones <Michael.Jones at microsoft.com>
>>>> Cc: Vladimir Dzhuvinov <vladimir at connect2id.com>; openid-specs-ab at lists.openid.net
>>>> Subject: Re: [Openid-specs-ab] Spec Call Notes 21-Jun-18
>>>> 
>>>> Even if the error code is obviously missing in the original spec?
>>>> 
>>>> On 27.06.2018 at 07:31, Mike Jones <Michael.Jones at microsoft.com> wrote:
>>>> 
>>>> Correct.  Just like the IETF, we don't make normative changes to Final specifications.
>>>> 
>>>> The way to introduce a new error code is to write a new specification that does so.
>>>> 
>>>>                                                       -- Mike
>>>> 
>>>> From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> On Behalf Of Vladimir Dzhuvinov via Openid-specs-ab
>>>> Sent: Wednesday, June 27, 2018 8:26 AM
>>>> To: openid-specs-ab at lists.openid.net
>>>> Subject: Re: [Openid-specs-ab] Spec Call Notes 21-Jun-18
>>>> 
>>>> My observation is that errata don't introduce new parameters, but are rather used to fix typos and clarify things.
>>>> 
>>>> Depending on how the errata get published - as part of the original spec or as separate doc - developers often fail to notice them :)
>>>> 
>>>> Vladimir
>>>> 
>>>> 
>>>> On 25/06/18 18:34, Torsten Lodderstedt via Openid-specs-ab wrote:
>>>> What about an errata? 
>>>> 
>>>> On 25.06.2018 at 16:31, Mike Jones <Michael.Jones at microsoft.com> wrote:
>>>> 
>>>> A new specification needs to be written.  We can't add new functionality to final specifications.
>>>> 
>>>> -----Original Message-----
>>>> From: Torsten Lodderstedt <torsten at lodderstedt.net>
>>>> Sent: Monday, June 25, 2018 10:30 AM
>>>> To: Mike Jones <Michael.Jones at microsoft.com>
>>>> Cc: openid-specs-ab at lists.openid.net
>>>> Subject: Re: [Openid-specs-ab] Spec Call Notes 21-Jun-18
>>>> 
>>>> Hi Mike,
>>>> 
>>>> what needs to be done in order to bring Issue #1029 forward?
>>>> 
>>>> kind regards,
>>>> Torsten. 
>>>> 
>>>> On 21.06.2018 at 16:48, Mike Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>>>> 
>>>> Spec Call Notes 21-Jun-18
>>>> 
>>>> Mike Jones
>>>> Brian Campbell
>>>> George Fletcher
>>>> Bjorn Hjelm
>>>> John Bradley
>>>> 
>>>> George Fletcher's Native SSO Proposal
>>>>             George plans to produce an xml2rfc version of his Native SSO draft by the end of the week
>>>> 
>>>> Potential iOS Changes
>>>>             Vittorio Bertocci plans to have a meeting at Identiverse to discuss SSO and Apple's "Intelligent Track Protection" initiative
>>>> 
>>>> Federation Specification Review
>>>>             This review is under way
>>>>                          http://openid.net/2018/06/08/public-review-period-for-openid-connect-federation-specification-started/
>>>>             People are encouraged to review the draft
>>>> 
>>>> RISC Approval Vote
>>>>             The vote is open through June 29th
>>>>             Please participate at https://openid.net/foundation/members/polls/141
>>>> 
>>>> Certification
>>>>             We are launching the Form Post Response Mode certification profiles at Identiverse
>>>>                          We will have people test the tests at Identiverse
>>>> 
>>>> New RP Libraries
>>>>             We've created a jwtconnect.io site as a documentation home for the JWTConnect libraries
>>>>             Roland plans to create the Python github projects at https://github.com/openid before Identiverse
>>>> 
>>>> Open Issues
>>>>             See https://bitbucket.org/openid/connect/issues
>>>>             #1029: authentication_failed error response 
>>>>                          No activity since last call
>>>>             #1030: Front & back-channel logout: require HTTPS URIs?
>>>>                          Vladimir is right.  Mike will make the change to require https URIs.
>>>> 
>>>> Unauthenticated Logout Requests
>>>>             George will file an issue proposing Security Considerations language about denial of service attacks using front-channel logout
>>>> 
>>>> Spec Progress
>>>>             We plan to take the three logout specs to final status soon
>>>>                          Please review them now
>>>>             The OAuth AS Metadata spec is in Auth48 so will probably finish this week
>>>>                          This will unblock the errata progress
>>>>             The Security Event Token (SET) spec is with the RFC editor and so should also finish soon
>>>>                          We want this to finish before making back-channel logout final
>>>> 
>>>> Next Calls
>>>>             We are cancelling the Monday, June 25th call because it is during Identiverse
>>>>             The next call is Thursday, July 5th at 7am Pacific Time
>>>> _______________________________________________
>>>> Openid-specs-ab mailing list
>>>> 
>>>> Openid-specs-ab at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>> 
> 
> -- 
> Distinguished Engineer
> Identity Services Engineering     Work: george.fletcher at teamaol.com
> AOL Inc.                          AIM:  gffletch
> Mobile: +1-703-462-3494           Twitter: http://twitter.com/gffletch
> Office: +1-703-265-2544           Photos: http://georgefletcher.photography
