[Openid-specs-ab] Spec Call Notes 7-May-20

Mike Jones Michael.Jones at microsoft.com
Thu Jun 4 15:03:55 UTC 2020

Spec Call Notes 7-May-20

Nat Sakimura
Mike Jones
Tim Cappalli
Tom Jones
George Fletcher
Bjorn Helm
Filip Skokan
Joseph Heenan

              Nat filed several issues related to OAuth JAR
              Nat will respond to Brock
              Nat will add require_request_object
              Nat will then contact the area director Ben Kaduk asking him to move the draft forward

Open Issues
              #1170 typ in the Request Object?
                           Filip and Nat say that it's pretty late to add this to the request object
                           We could add an optional typ value that is validated if present
                           George doesn't feel like it adds substantial security
                           Nat will push back to Brock's request on the list
              #1169 s/URL/URI/g in Core: 6.2.1
              #1171 Creating a way to mandate Request Object (by value or by reference)
                           Filip said that request_object_signing_alg already does this
                           George pushed back on that, for deployment purposes, as it would break existing clients
                           Mike says that the name should be require_request_object
                           Mike updated this in #1045 Signalling that a Request Object must always be present in Authorization Request
              #1172 Muti-usage type key ok?
                           We don't see an actual problem as the client is in control in both cases, but others should also think about this
              #1167 Required certification behaviour for request and request_uri parameters
                           We agreed to have the Java suite follow the spec
                           We could send a heads-up to the Connect and openid-connect-interop at googlegroups.com<mailto:openid-connect-interop at googlegroups.com> lists

Event Announcements
              Nat is organizing a virtual meeting for Self-Issued Identity Provider implementations
                           Respond at https://forms.gle/HEyHGQHcxU6xmXxUA
              There will be a European Commission workshop on June 18
                           The OIDF was invited to participate

Logout and Errata Progress
              Mike plans to split RP-Initiated Logout into its own spec before publishing the errata updates

Browsers' Desires to Intermediate Identity Flows
              Sam Goto's presentation from the OpenID workshop are available
              George said that there appears to be willingness by Google to work with the identity community
                           It's not clear where we can do this for Apple and Firefox to also participate
              The W3C Privacy Community group is one possible venue
                           George plans to participate there

Next Call
              The next working group call is Monday, June 8 at 4pm Pacific Time
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20200604/fc9f145b/attachment.html>

More information about the Openid-specs-ab mailing list