[Openid-specs-ab] Spec Call Notes 9-May-19

Mike Jones Michael.Jones at microsoft.com
Thu May 9 15:19:43 UTC 2019

Spec Call Notes 9-May-19

Mike Jones
Roland Hedberg
Brian Campbell
Torsten Lodderstedt
Bjorn Hjelm
George Fletcher
Tom Jones

OpenID Certification
              Roland created certification tests for Session, Front-Channel, and Back-Channel, which are now being tested
              Filip Skokan provided a lot of early feedback on the OP tests
              We now need instructions for testing so others can do so
                           It seems that there will need to be some browser-specific instructions in some cases
              There are RP logout tests also but they haven't been tested yet by others than Roland

Authentication Failed Error Code Draft
              This is issue #1029
              The error code is now unmet_authentication_requirements
              Torsten submitted and Mike will publish the working group draft

OpenID Connect for Identity Proofing
              Another new draft was published at https://openid.net/specs/openid-connect-4-identity-assurance.html
              Torsten led a discussion at IIW
              A lot of good feedback was received, including on requirements for other jurisdictions
              It was pointed out that some proofs will require multiple documents
                           Torsten is working on updated syntax for that
                           See issue #1082: Support for multiple proof sources
              Reviews are solicited
              We agreed that Torsten should present this during EIC

EIC Next Week
              Roland, Torsten, Bjorn, George, and Mike will be at EIC next week

Distinguishing first and third party cookies
              George let us know that there's a spec that adds the same-site qualifier to cookies
                           Values are none, strict, and lax
                           Also see https://web.dev/samesite-cookies-explained/
                           and https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
              Google is adding support for this to Chrome
              George asked whether this might affect iframe and postMessage communication
                           And whether this might affect Session Management

Open Issues
              #1083: policy_uri, tos_uri, logo_uri missing in IANA JWT claims registry
                           Brian asked whether Nat really meant the JWT Claims registry or the AS Metadata registry
              #1081: Need for a persistence user identifier - a PUID
                           We discussed that change of keys is a change of identity for self-issued
                           We discussed the ability to add a "did" claim to the ID Token when it is useful
                           We discussed that the "sub" value must not change at key roll-over time

Transient Subject Identifier Type
              At IIW, Davide Vaghetti talked about the need for a transient subject_type value, similar to that in SAML
              Mike and John encouraged him to write a specification for it

Next Call
              The May 13th call is cancelled due EIC
              The next call is Thursday, May 23 at 7am Pacific Time
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20190509/ac2f7662/attachment.html>

More information about the Openid-specs-ab mailing list