[Openid-specs-ab] Spec call notes 10-Feb-14
Todd W Lainhart
lainhart at us.ibm.com
Tue Feb 11 15:07:30 UTC 2014
I'm sorry that I missed the discussion.
> Breno asked whether having RPs have logout notification endpoints wouldn't work better in some cases
Our implementation augments the client registration spec with a "signout_callback_uri" for this purpose.
Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart at us.ibm.com
From: Mike Jones <Michael.Jones at microsoft.com>
To: "openid-specs-ab at lists.openid.net"
<openid-specs-ab at lists.openid.net>,
Date: 02/10/2014 06:55 PM
Subject: [Openid-specs-ab] Spec call notes 10-Feb-14
Sent by: openid-specs-ab-bounces at lists.openid.net
Spec call notes 10-Feb-14
John Bradley
Edmund Jay
Mike Jones
Agenda:
Connect Voting
Open Issues
Future Meetings
Session Management
Interactive Client Registration
Call Schedule
Connect Voting:
The voting tool will start the voting tomorrow
It will close two weeks from then
Open Issues:
#917 - space is delimiter while also a legal character in client_id and session state
This seems like a problem we'll need to address
Mike asked whether the postMessage character set is ASCII or Unicode
If Unicode, we could use a non-ASCII separator
Or we could use a different ASCII character, such as Delete (0x7f)
More investigation seems like it's needed
#915 - Computation of OP session_state in the IdP requires origin URI
Todd Lainhart is to propose specific text
#914 - Session 5 - Missing client_id parameter
This seems to need more discussion
#880 - Host the endpoint https://self-issued.me/registration/1.0/
This is still on John's to-do list
Future Meetings:
Before IETF 89 in London
We have requested a room from noon-5
OpenID would take the first half, OAuth the second
John will set up Eventbrite registration for this
During RSA in San Francisco
Mike still needs to investigate this possibility - probably after Friday's IETF submission deadline
Session Management:
Breno and Naveen had a conversation with John and Nat about session management
They're concerned about RPs generating a lot of traffic at IdPs
They believe that token caching is needed
Mike questioned what level of the specs this should happen at, and what we need to do
Breno asked whether having RPs have logout notification endpoints wouldn't work better in some cases
John brought up that some RPs might not want to have JavaScript
Devices like Layer7 intermediary devices and others may have problems injecting JavaScript into the HTML
Breno was also worried about postMessage security vulnerabilities
This may mostly have to do with using postMessage for authentication
All JavaScript widgets share the same postMessage channel
For session management, we're only sending "yes" or "no" so we're not leaking much information
Versus sending the ID Token via postMessage, which would be a concern
Mike plans to try to talk with Breno and Naveen in person this week about next steps
Interactive Client Registration
Google also discussed wanting to do dynamic client registration for IMAP clients
This requires user interaction, which dynamic registration doesn't currently support
As a side effect, they would like to also issue tokens
They liked the software statement idea
They only want to issue Client IDs to be created for authenticated users
John will think about whether and how they can accomplish this with our existing protocol flows
We think that this is possible
Call Schedule:
There's been no discussion about call times on the list so far
We will continue with the weekly Thursday calls for now
People are encouraged to discuss what the right schedule is on the list
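Added example, not part of the original messages: issue #917 in the notes above says space is both the postMessage delimiter and a legal character in client_id and session state. The sketch below shows the resulting parse ambiguity and why the Delete (0x7f) separator floated on the call avoids it, assuming both values are limited to the VSCHAR range (0x20-0x7E) of RFC 6749; all function names and sample values are constructed.

```javascript
// Added illustration for issue #917; names and sample values are constructed.
// Assumption: the RP iframe posts client_id and session_state joined by a
// single separator character, and both values may contain any VSCHAR
// (0x20-0x7E, RFC 6749 Appendix A), which includes space.

const SPACE = " ";
const DEL = "\x7f"; // alternative separator mentioned in the notes

function isVschar(s) {
  return /^[\x20-\x7e]*$/.test(s);
}

// Build the message. Values outside VSCHAR are refused, so DEL can never
// appear inside a value, while SPACE can.
function encode(clientId, sessionState, sep) {
  for (const v of [clientId, sessionState]) {
    if (!isVschar(v)) throw new Error("value outside VSCHAR range");
  }
  return clientId + sep + sessionState;
}

// Every (client_id, session_state) pair a receiver could recover from a
// message. More than one result means the wire format is ambiguous.
function possibleSplits(message, sep) {
  const out = [];
  for (let i = message.indexOf(sep); i !== -1; i = message.indexOf(sep, i + 1)) {
    out.push([message.slice(0, i), message.slice(i + 1)]);
  }
  return out;
}

// Strict receiver: accept only messages that split exactly one way.
function parseStrict(message, sep) {
  const splits = possibleSplits(message, sep);
  if (splits.length !== 1) return null;
  const [clientId, sessionState] = splits[0];
  if (!isVschar(clientId) || !isVschar(sessionState)) return null;
  return { clientId, sessionState };
}

// Constructed samples: two different pairs that collide under a space separator.
const collidingA = encode("my app", "abc123.salt", SPACE);
const collidingB = encode("my", "app abc123.salt", SPACE);
const withDel = encode("my app", "abc123.salt", DEL);
```

A receiver that splits on the first or last space silently picks one of the colliding interpretations; the strict parser rejects the message instead, and the DEL-separated form always splits exactly one way.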