<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px"><div class="" id="yiv2740811333yui_3_16_0_1_1431970961220_83256" dir="ltr" style="font-family: 'Helvetica Neue', 'Segoe UI', Helvetica, Arial, 'Lucida Grande', sans-serif;">Spec call notes 14-Sep-15<br class=""></div><div class="" id="yiv2740811333yui_3_16_0_1_1431970961220_83256" style="font-family: 'Helvetica Neue', 'Segoe UI', Helvetica, Arial, 'Lucida Grande', sans-serif;"><br class=""></div><div class="" id="yiv2740811333yui_3_16_0_1_1431970961220_83256" style="font-family: 'Helvetica Neue', 'Segoe UI', Helvetica, Arial, 'Lucida Grande', sans-serif;">John Bradley</div><div class="" id="yiv2740811333yui_3_16_0_1_1431970961220_83256" style="font-family: 'Helvetica Neue', 'Segoe UI', Helvetica, Arial, 'Lucida Grande', sans-serif;">Nat Sakimura<br class=""></div><div class="" id="yiv2740811333yui_3_16_0_1_1431970961220_83261" dir="ltr" style="font-family: 'Helvetica Neue', 'Segoe UI', Helvetica, Arial, 'Lucida Grande', sans-serif;">Edmund Jay</div><div class="" id="yiv2740811333yui_3_16_0_1_1431970961220_83261" dir="ltr" style="font-family: 'Helvetica Neue', 'Segoe UI', Helvetica, Arial, 'Lucida Grande', sans-serif;"><br class=""></div><div class="" id="yiv2740811333yui_3_16_0_1_1431970961220_83261" dir="ltr" style="font-family: 'Helvetica Neue', 'Segoe UI', Helvetica, Arial, 'Lucida Grande', sans-serif;"><br class=""></div><div class="" id="yiv2740811333yui_3_16_0_1_1431970961220_83261" dir="ltr"><div class="" id="yiv2740811333yui_3_16_0_1_1435615368997_16314">Agenda </div><div class="" id="yiv2740811333yui_3_16_0_1_1435615368997_16314"> Bitbucket Links</div><div class="" id="yiv2740811333yui_3_16_0_1_1435615368997_16314"><div class="" id="yiv2740811333yui_3_16_0_1_1435615368997_16314" dir="ltr"> Issues</div><div dir="ltr" class="" id="yiv2740811333yui_3_16_0_1_1439398512607_110909"> RP Certification<br class=""></div><div dir="ltr" class="" id="yiv2740811333yui_3_16_0_1_1439398512607_110909"><br></div><div dir="ltr" class="" id="yiv2740811333yui_3_16_0_1_1439398512607_110909"><br></div><div dir="ltr" class="" id="yiv2740811333yui_3_16_0_1_1439398512607_110909">Bitbucket links</div><div dir="ltr" class="" id="yiv2740811333yui_3_16_0_1_1439398512607_110909"> Need to redirect requests to the domain hg.openid.net to bitbucket.org/openid/path</div><div dir="ltr" class="" id="yiv2740811333yui_3_16_0_1_1439398512607_110909"> Need to setup mod_rewrite rule </div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> Edmund will send rule to John</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"><br></div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"><br></div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894">Issues</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"><br></div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894">#982 - Error in JWT claim definitions for client authentication</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894">change ID Token to JWT</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"><br class=""></div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> 968 - inconsistent treatment of id_token_hint</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> waiting for proposal from Mike</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> 969 - Need clarity on session state variable</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> John to look into it</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> 970 - Core - 2 - ID Token acr claim incorrectly specifies the level 0 of assurance </div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> John to propose alternate wording</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> 973 - Core 2 / 3.1.3.7 - azp claim underspecified and overreaching</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> Ignoring AZP potentially allows tokens to be issued to 3rd parties that can be used to impersonate the subject,</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> There was a security reason for warning clients to reject JWT they receive as id_tokens that were not issued to them directly.</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> The other alternative is to remove AZP from the spec to discourage people from using it, and hope that Google has tight </div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> enough issuance rules that no one finds a security hole.</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894">974 - Deprecated algorithm RSA1_5 used in spec examples and self-issued</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> need concrete proposal</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894">975 - Do we add additional related specifications?</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> Assigned to Mike</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894">976 - Unregistered openid2_realm and openid2_id</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> Assigned to Mike</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894">977 - How to handle an unsupported response_mode?</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> Will return HTTP 400 status. Assigned to Mike</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894">978 - URL for errata</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> Need links specifically for erratas instead of overwriting current version links.</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> Need more discussion</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894">979 - Discovery / Security Considerations: CSRF attack on user input identifier</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"><span class="" style="white-space:pre-wrap;" id="yui_3_16_0_1_1442265232446_12275"> J</span>ohn to work on it</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894">980 - Where else do we need to specify the use of CORS support?</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> Need more discussion</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894">981 - Session - Send SCIM based back channel logout info to the list</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> Nat will work on it</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894">982 - Error in JWT claim definitions for client authentication</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> Agreed to make change</div><div dir="ltr" class=""><br class=""></div></div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"><br></div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894">Logout specs</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> Backchannel and front channel Logout specs have been posted to the list.</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> Everyone, please review and provide feedback.</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"><br></div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"><br></div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"><br></div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894">RP Certification</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> There are still problems related to testing of signature/encryption key rotations on the RP and OP.</div><div dir="ltr" class="" id="yui_3_16_0_1_1442265232446_8894"> Edmund will notify Roland of them.</div></div></div></div></body></html>