<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px"><div class="" id="yiv8982739468yui_3_16_0_1_1431970961220_83256" dir="ltr" style="font-family: 'Helvetica Neue', 'Segoe UI', Helvetica, Arial, 'Lucida Grande', sans-serif;">Spec call notes 29-Jun-15<br class=""></div><div class="" id="yiv8982739468yui_3_16_0_1_1431970961220_83256" style="font-family: 'Helvetica Neue', 'Segoe UI', Helvetica, Arial, 'Lucida Grande', sans-serif;"><br class=""></div><div class="" id="yiv8982739468yui_3_16_0_1_1431970961220_83256" style="font-family: 'Helvetica Neue', 'Segoe UI', Helvetica, Arial, 'Lucida Grande', sans-serif;">Mike Jones</div><div class="" id="yiv8982739468yui_3_16_0_1_1431970961220_83256" style="font-family: 'Helvetica Neue', 'Segoe UI', Helvetica, Arial, 'Lucida Grande', sans-serif;">John Bradley</div><div class="" id="yiv8982739468yui_3_16_0_1_1431970961220_83261" style="font-family: 'Helvetica Neue', 'Segoe UI', Helvetica, Arial, 'Lucida Grande', sans-serif;">Nat Sakimura</div><div class="" id="yiv8982739468yui_3_16_0_1_1431970961220_83261" style="font-family: 'Helvetica Neue', 'Segoe UI', Helvetica, Arial, 'Lucida Grande', sans-serif;" dir="ltr">Edmund Jay</div><div class="" id="yui_3_16_0_1_1435615368997_16314"><br class=""></div><div class="" id="yui_3_16_0_1_1435615368997_16314"><br></div><div class="" id="yui_3_16_0_1_1435615368997_16314">Agenda </div><div class="" id="yui_3_16_0_1_1435615368997_16314"><br></div><div class="" id="yui_3_16_0_1_1435615368997_16314"> RP Certification</div><div class="" id="yui_3_16_0_1_1435615368997_16314"> Logout specs</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> Sender Constrained JWT for OAuth 2.0 spec<br></div><div class="" id="yui_3_16_0_1_1435615368997_16314"> Government profile workgroup charter</div><div class="" id="yui_3_16_0_1_1435615368997_16314"> Next Calls</div><div class="" 
id="yui_3_16_0_1_1435615368997_16314"><br></div><div class="" id="yui_3_16_0_1_1435615368997_16314"><br></div><div class="" id="yui_3_16_0_1_1435615368997_16314"><br></div><div class="" id="yui_3_16_0_1_1435615368997_16314">RP Certification :</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> A preliminary version of the RP certification tests and documentation is available at <a href="https://rp.certification.openid.net:8080/test_list" id="yui_3_16_0_1_1435615368997_21998">https://rp.certification.openid.net:8080/test_list</a></div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> Everyone, please review the tests and documentation and if possible, start testing the tests.</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"><br></div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"><br></div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr">Logout Specs :</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> Currently, there are three logout specs outstanding:</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> 1) Logout using Iframe</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> 2) Logout using image get</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> 3) Backchannel logout </div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"><br></div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> The following questions are posed to the workgroup:</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"><br></div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> a) Do we want to keep both iframe and image get methods or just use the iframe method?</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"><br></div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> b) Which method is better and why prefer one method over the other?</div><div class="" 
id="yui_3_16_0_1_1435615368997_16314" dir="ltr"><br></div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> Backchannel logout is getting highest priority in NAPPS WG.</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> May decide to move it to Connect WG to keep all logout specs in one place.</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> New functionality in iOS and Android for app communication eliminates the need for token agent on those OSes.</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> Backchannel logout is needed for native apps when there is no front channel.</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> <br></div><div class="" id="yui_3_16_0_1_1435615368997_16314"><br></div><div class="" id="yui_3_16_0_1_1435615368997_16314"> </div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr">Sender Constrained JWT for OAuth 2.0 (draft-sakimura-oauth-rjwtprof): </div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> Nat and Kepeng published new Sender Constrained JWT for OAuth 2.0 draft in OAuth WG. It can potentially</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> be incorporated into the Proof of Possession Semantics for JWTs. POPS describes Sender constraint and key</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> confirmation as threat mitigation methods for unauthorized token usage. 
Draft-sakimura-oauth-rjwtprof provides</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> a more detailed method of sender constraint in the JWT.</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"><br></div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"><br></div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"><br></div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr">Government profile workgroup charter :<br></div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> There is discussion of proposing a charter for a government profile workgroup.</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> Various governments are starting to adopt OpenID Connect for government applications.</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> Need a workgroup to address use cases for government.</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> The government profile of OpenID Connect will act as baseline for conformance to the various levels of assurances.</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"><br></div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"><br></div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr">Next Calls :</div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> There will be an OpenID Connect WG call this Thursday, July 2 at the <span style="font-family: 'Helvetica Neue', 'Segoe UI', Helvetica, Arial, 'Lucida Grande', sans-serif;" class="" id="yui_3_16_0_1_1435615368997_61958">European-Friendly time of 7am Pacific</span></div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"> </div><div class="" id="yui_3_16_0_1_1435615368997_16314" dir="ltr"><br></div><div class="" id="yui_3_16_0_1_1435615368997_16314"><br class=""></div></div></body></html>