<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:10.0pt;
margin-left:.5in;
mso-add-space:auto;
line-height:115%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
line-height:115%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
line-height:115%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:10.0pt;
margin-left:.5in;
mso-add-space:auto;
line-height:115%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:291516714;
mso-list-type:hybrid;
mso-list-template-ids:-521622224 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">December 1, 2016 OpenID Executive Committee Call Minutes<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Present:<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Don Thibeau, Executive Director<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Nat Sakimura<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Mike Jones<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">George Fletcher<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">John Bradley<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Adam Dawes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Visitors:<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Mike Leszcz, OpenID Foundation Staff<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Tom Smedinghoff, Locke Lord LLP<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.25in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0 level1 lfo1">
<![if !supportLists]><b><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></b><![endif]><b>Executive Director’s Report<o:p></o:p></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Don sent a combined OpenID/OIX calendar for our review. We still need a host for the OpenID Summit before IIW on May 1<sup>st</sup>.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">We’ll be having board elections in January. The elections will be for two community members – for seats currently held by John Bradley and Mike Jones – and for the corporate
member position – for the seat currently held by Dale Olds of VMware. Mike, as secretary, will work with Don and Mike Leszcz on the election schedule.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Don is planning for support infrastructure changes in 2017, which he will share with us at a future date.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.25in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0 level1 lfo1">
<![if !supportLists]><b><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></b><![endif]><b>Certification Update<o:p></o:p></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Mike Jones reported on certification progress. Roland Hedberg has been working closely with RP developers and with Don, Mike Leszcz, and Mike Jones to get the RP Certification
program ready to launch. At this point, there are at least 4 tested RPs (by Hans Zandbelt, Edmund Jay, Filip Skokan, and Roland Hedberg) that can be part of the initial launch. We’ve also sent pings to Janrain and Google asking them to participate. We anticipate
RP Certification applications in December and a press release about certification progress during the RSA Conference (February 13th).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">OP Certifications continue coming in several per month. We now have over 100 certifications. Don added that this is introducing us to new communities, such as Red Hat and
Linux. Don also added that after all our work, it seems like we’ve gotten the pricing right.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Since the OP Certification launch, the testing code base has not stood still. Roland has made a number of improvements, some motivated by the needs of HEART. HEART’s testing
work is based on Roland’s updated code base – not the frozen one deployed at op.certification.openid.net. We anticipate more kinds of tests to also eventually be added, for instance, from MODRNA, iGov, EAP, etc. As discussed by executive committee members,
Roland, Justin Richer, and Debbie Bucci during CIS, the Foundation should have one unified certification suite that we expand to encompass these efforts – not a hodge-podge of different code bases that get increasingly out of sync with one another.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">The OpenID Connect working group sees the need for several new kinds of certification profiles, among them, form post response mode tests, refresh token tests and logout tests.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From a business perspective, we agreed with Roland for him to take over the remaining deliverables from the Umeå contract. He has completed (and been paid for) 2 of the remaining
3. The remaining $3000 for the final milestone will be paid after two RP Certification applications have been received.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Mike Jones and Don asked Roland to create a proposal with fixed-price deliverables needed to keep our certification program strong and to expand its scope to meet additional
developer needs. That proposal is attached. Mike discussed the need for the “Updating software version” deliverable and the two “Ongoing maintenance” deliverables. Mike also stated that he would review the other proposed deliverables for new tests with
the OpenID Connect working group before reporting back to the EC on them.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">John pointed out that Justin Richer forked Roland’s code and is making changes to the fork. Mike reminded the EC of the discussion with Justin, Debbie, Roland, and the EC
held at CIS. In that discussion, from which notes were circulated and agreed to, the EC members made it clear that the foundation wanted to have a single certification test suite, which would be extended as needed to accommodate the needs for additional certification
tests. For instance, certification tests could be added for MODRNA, HEART, iGov, and EAP when their specifications and implementations reach appropriate levels of maturity.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Of course, the test suite is open source software so anyone is free to use it in any way they see fit. But if enhancements are to be utilized as part of the foundation’s certification
offering, they will need to be merged back into the certification code base. Per the discussion at CIS, the EC encourages Justin and HEART to pursue their enhancements in a manner that will enable all OpenID Foundation working groups to benefit from them.
To be clear, if changes are being made that can’t be reintegrated, the EC agreed that that means that the authors are headed down a path that won’t lead to the software being used for OpenID Certification.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">John said that a goal should be for third parties to be able to expand the set of tests. Mike said that he viewed that mostly as being a documentation issue.
Roland’s deliverables all include providing appropriate documentation so that others can use and maintain the software.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Mike reported that some of the enhancements made to the testing software since our certification launch have been to enable packaging it as a Docker container. Roland has
reported that private installations of the software are in production use by at least four sites, including by at least one OpenID Foundation sustaining member.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Nat asked how to manage our risks in case Roland is hit by a bus. Don and Mike reported that Roland already is committed to writing down sufficiently detailed instructions
such that others can do all the tasks that he does. This is part of the remaining deliverable from the existing contract. Mike pointed out that once these instructions are complete, it might be useful to have Hans Zandbelt or someone else try to use them
to validate that they are actually complete.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">We discussed approving the milestones in the new proposal to update the software to the current version and to perform ongoing maintenance. Don confirmed that we could pay
for this out of existing general funds. Don said that PayPal has rejoined at the board level, which gives us some budgetary space to do this.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">A decision was unanimously taken to fund updating the software version, ongoing maintenance from RP launch to RSA, and ongoing maintenance from RSA to IIW. Mike moved and
Adam seconded.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Mike will take the additional proposed tests and profiles to the OpenID Connect working group for their review. After that review, we can consider authorizing work on those.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Adam noted that a range of RP implementations of varying quality have been deployed, and that problems in some of them have recently made the news. Adam sees RP testing
as a tool to help improve the quality of RP deployments. When an RP is using a general-purpose library, we should definitely encourage them to be certified.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">John pointed out that some of the problems identified in the media are sites not even using OpenID Connect but using home-brew protocols. Our tests would not help in cases
where people aren’t even using Connect. In some of these cases, native apps sent ID tokens to a back-end and the back-end used them without validating the signature or audience.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Mike suggested that we move this discussion to the Connect working group. Nat suggested that a tiger team in the Connect WG be developed to make recommendations for use cases
such as these. John said that before we have tests for functionality, we need a standard for it.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.25in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0 level1 lfo1">
<![if !supportLists]><b><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span></b><![endif]><b>BibXML for OpenID Specifications<o:p></o:p></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Axel Nennker has been talking to the xml2rfc folks about having authoritative BibXML files for OpenID specifications. Nat suggests that we offer authoritative BibXML files.
Nat said that we could collate the XML references already in our specs and offer them. Mike said that we already require openid.net/specs/ to be stable so we could create another stable location on openid.net, such as openid.net/bibxml/.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Nat moved that we create a committee to do this. John seconded. Mike offered to participate. The motion passed unanimously.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.25in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0 level1 lfo1">
<![if !supportLists]><b><span style="mso-list:Ignore">4.<span style="font:7.0pt "Times New Roman"">
</span></span></b><![endif]><b>FAPI WG Report and Implementer’s Draft Votes<o:p></o:p></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Nat reported that the FAPI WG will be requesting Implementer’s Draft votes for specs in about a week. John said that there are similar votes being considered for MODRNA and
iGov. Mike said that we should also have Implementer’s Draft votes soon for the Front-Channel and Back-Channel Logout specs, and that he would be discussing that in the Connect working group.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
</div>
</body>
</html>