<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap:break-word"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">how about you guys agree on something first - and then we can follow ;)</div> <br> <div id="bloop_sign_1494149177390125056" class="bloop_sign"><div><br></div><div>-------</div><div>Dominick Baier</div></div> <br><p class="airmail_on">On 3. May 2017 at 20:54:18, Hans Zandbelt (<a href="mailto:hans.zandbelt@zmartzone.eu">hans.zandbelt@zmartzone.eu</a>) wrote:</p> <blockquote type="cite" class="clean_bq"><span><div><div></div><div>




<div dir="ltr">Just to make sure, I hope you're referring to
running a local Docker instance?
<div><br>
<div><span style="font-size:12.8px">I disagree with Roland on using
the official certification servers for continuous integration tests
of participants: it will make it harder to troubleshoot, harder to
do maintenance, harder to guard system resources and it is simply
not what the certification server is meant for. Since we've had
trouble with stability in the past and since I've been tasked with
operational maintenance of the test servers, I will vote against
that.</span></div>
<div><span style="font-size:12.8px"><br></span></div>
<div><span style="font-size:12.8px">Of course I'd very much welcome
any feedback on how to improve the Docker variant(s) of the test
suite since continuous integration is exactly the reason why we've
added that in the first place (incl. continuous integration testing
of the test suite itself). That is still a work in progress but
rapidly becoming useful.</span><br></div>
<div><span style="font-size:12.8px"><br></span></div>
<div><span style="font-size:12.8px">Hans.</span></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, May 3, 2017 at 8:34 PM, Dominick
Baier via Openid-specs-ab <span dir="ltr"><<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
<div id="m_5086856675268783911bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
Hi Roland, </div>
<div id="m_5086856675268783911bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<br></div>
<div id="m_5086856675268783911bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
OK - I am happy to give that a try. I also like the idea.</div>
<br>
<div id="m_5086856675268783911bloop_sign_1493836447105759232" class="m_5086856675268783911bloop_sign">
<div><br></div>
<div>-------</div>
<div>Dominick Baier</div>
</div>
<div>
<div class="h5"><br>
<p class="m_5086856675268783911airmail_on">On 3. May 2017 at
17:47:29, Roland Hedberg (<a href="mailto:roland@catalogix.se" target="_blank">roland@catalogix.se</a>) wrote:</p>
<blockquote type="cite" class="m_5086856675268783911clean_bq">
<div style="word-wrap:break-word">
<div><span>Dominick,</span>
<div><span><br></span></div>
<div><span>As I said in a discussion with William the other day,
I’m not sure there will be a performance issue if you were to
run</span></div>
<div><span>against the OIDF test server. Most of the things happening
are network-based events, so the load on the machine is
minor.</span></div>
<div><span>The only thing we might have a problem with is the size
of the log files vs the available disc space.</span></div>
<div><span>But rotating the logs should take care of
that.</span></div>
<div><span>Now, there are reasons why you may want to do this locally,
and as Hans wrote in another mail he’s working on making that
easier.</span></div>
<div><span>The bottom line being that there is absolutely no reason
why you wouldn’t include the test suite into your
continuous-integration pipeline :-) :-)</span></div>
<div><span><br></span>
<div>
<blockquote type="cite">
<div><span>On 3 May 2017 at 07:46, Dominick Baier via
Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.<wbr>net</a>> wrote:</span></div>
<span><br class="m_5086856675268783911Apple-interchange-newline"></span>
<div>
<div id="m_5086856675268783911bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;margin:0px">
<span>> Incidentally, one of the cool things about how we
implemented these tests in AppAuth is that we
actually <b>built them into our continuous-integration testing
pipeline</b>. </span></div>
<div id="m_5086856675268783911bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;margin:0px">
<span><br></span></div>
<div id="m_5086856675268783911bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;margin:0px">
<span>I thought about this too - but I actually didn’t want to
produce load every time I do a check-in into the repo. I
added a test runner to the source code, so anyone can manually
start the tests when needed.</span></div>
<span><br style="font-family:Helvetica,Arial;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
</span>
<div id="m_5086856675268783911bloop_sign_1493822708417135872" class="m_5086856675268783911bloop_sign" style="font-family:Helvetica,Arial;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<div><span><br></span></div>
<div><span>-------</span></div>
<div><span>Dominick Baier</span></div>
</div>
<span><br style="font-family:Helvetica,Arial;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
</span>
<p class="m_5086856675268783911airmail_on" style="font-family:Helvetica,Arial;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<span>On 1. May 2017 at 18:55:08, William Denniss via
Openid-specs-ab (<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.<wbr>net</a>)
wrote:</span></p>
<blockquote type="cite" class="m_5086856675268783911clean_bq" style="font-family:Helvetica,Arial;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<div>
<div>
<div dir="ltr">
<div><span><span>Sorry we didn't get a chance to talk in Chicago on
this topic, Mike; my trip was all too brief. I'll be around this
week though; hopefully we can discuss this with the relevant
parties.<br></span></span></div>
<div><span><br></span></div>
<div><span>As of yesterday, AppAuth for iOS and macOS is
now <a href="https://github.com/openid/AppAuth-iOS/pull/101" target="_blank">passing</a> all but
those 4 signature verification tests in the "code" profile. I'm
preparing the certification packet; once we have a final decision
on the optionality of those tests, I'm hoping to
certify.</span></div>
<div><br></div>
<div>Incidentally, one of the cool things about how we implemented
these tests in AppAuth is that we actually <b>built
them into our continuous-integration testing pipeline</b>. The
conformance tests run alongside our unit tests for every release,
and every git push. The certification log output is automatic too,
meaning anyone can run the certification tests and produce the same
output at the click of a button.</div>
<div><br></div>
<div>I think this is a huge value-add for the RP certification
program. Previously we only had unit tests in the library, no
end-to-end tests, due to the fact that we didn't have an OP with
interaction-less responses that we could use for automated testing.
The RP certification program has made this available, and by using
it, our test coverage is vastly improved.</div>
<div><br></div>
<div>Thank you Roland, Mike, the Foundation and everyone who is
working on this, it's a very valuable effort!</div>
<div><br></div>
<div>Best,</div>
<div>William</div>
<div><br></div>
<div><br></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sun, Mar 26, 2017 at 1:29 PM, Mike
Jones<span class="m_5086856675268783911Apple-converted-space"> </span><span dir="ltr"><<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@<wbr>microsoft.com</a>></span><span class="m_5086856675268783911Apple-converted-space"> </span>wrote:<br>

<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div class="m_5086856675268783911m_3647925707323825383WordSection1">
<p class="MsoNormal"><span style="color:rgb(0,32,96)">One thought
is that this maybe should depend upon how the RP registers. 
If it registers with support for signature algorithms, then that
support should be tested – even for response_type=code.  If it
registers only with support for “alg”: “none”, then it obviously
can’t be tested.</span></p>
<div><span style="color:rgb(0,32,96)"> </span><br class="m_5086856675268783911webkit-block-placeholder"></div>
<p class="MsoNormal"><span style="color:rgb(0,32,96)">My logic is
that if the RP can check signatures, the OP provides a bad
signature, and the RP doesn’t catch it, that seems like a scenario
that shouldn’t pass certification.  Let’s talk about this in
person in Chicago this week.  I’d love to hear what others
think about this as well.</span></p>
<div><span style="color:rgb(0,32,96)"> </span><br class="m_5086856675268783911webkit-block-placeholder"></div>
<p class="MsoNormal"><span style="color:rgb(0,32,96)">-- Mike</span></p>
<p class="MsoNormal"><b>From:</b><span class="m_5086856675268783911Apple-converted-space"> </span>Openid-specs-ab
[mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounce<wbr>s@lists.openid.net</a>]<span class="m_5086856675268783911Apple-converted-space"> </span><b>On
Behalf Of</b><span class="m_5086856675268783911Apple-converted-space"> </span>William
Denniss via Openid-specs-ab<br>
<b>Sent:</b><span class="m_5086856675268783911Apple-converted-space"> </span>Sunday,
March 26, 2017 11:13 AM<br>
<b>To:</b><span class="m_5086856675268783911Apple-converted-space"> </span><a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.<wbr>openid.net</a><br>
<b>Subject:</b><span class="m_5086856675268783911Apple-converted-space"> </span>[Openid-specs-ab]
RP Tests: ID Token signature validation for code flow</p>
<div>
<div class="m_5086856675268783911h5">
<div> <br class="m_5086856675268783911webkit-block-placeholder"></div>
<div>
<p class="MsoNormal">Regarding the <a href="https://rp.certification.openid.net:8080/list?profile=C" target="_blank">'code' response type tests</a>, my understanding is that
it's not necessary to validate the ID Token signature as it was
obtained via an HTTPS connection to the OP.</p>
<div>
<div> <br class="m_5086856675268783911webkit-block-placeholder"></div>
</div>
<div>
<p class="MsoNormal">This test follows that logic:</p>
<div>
<p class="MsoNormal">rp-id_token-sig-none</p>
</div>
<div>
<div> <br class="m_5086856675268783911webkit-block-placeholder"></div>
</div>
<div>
<p class="MsoNormal">However, these 4 tests assume signature
validation for the code flow:</p>
</div>
<div>
<p class="MsoNormal">
rp-id_token-kid-absent-single-jwks<br>
rp-id_token-kid-absent-multiple-jwks<br>
rp-id_token-bad-sig-rs256<br>
rp-id_token-sig-rs256</p>
</div>
</div>
<div>
<div> <br class="m_5086856675268783911webkit-block-placeholder"></div>
</div>
<div>
<p class="MsoNormal">Can they be made optional for the 'code'
response type tests?</p>
</div>
<div>
<div> <br class="m_5086856675268783911webkit-block-placeholder"></div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br></div>
______________________________<wbr>_________________<span class="m_5086856675268783911Apple-converted-space"> </span><br>
Openid-specs-ab mailing list<span class="m_5086856675268783911Apple-converted-space"> </span><br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.<wbr>net</a><span class="m_5086856675268783911Apple-converted-space"> </span><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/<wbr>mailman/listinfo/openid-specs-<wbr>ab</a><span class="m_5086856675268783911Apple-converted-space"> </span><br>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<br></div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<br>

<br></blockquote>
</div>
<br>
<br clear="all">
<div><br></div>
--<br>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div style="font-size:small"><a href="mailto:hans.zandbelt@zmartzone.eu" target="_blank">hans.zandbelt@zmartzone.eu</a></div>
<div style="font-size:small">ZmartZone IAM - <a href="http://www.zmartzone.eu" target="_blank">www.zmartzone.eu</a><br></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>


</div></div></span></blockquote></body></html>