[Openid-specs-ab] Spec call notes 10-Mar-14

Mike Jones Michael.Jones at microsoft.com
Tue Mar 11 00:02:25 UTC 2014


Spec call notes 10-Mar-14

Mike Jones
Nat Sakimura
Edmund Jay
John Bradley

Agenda:
               Verifying PBES2 sample
               Resources for Developers
               Open Issues
               Errata
               Interop

Verifying PBES2 sample
               Edmund found what may be a bug in the PBES2 sample at http://tools.ietf.org/html/draft-ietf-jose-json-web-key-22#appendix-C
                              The authentication tag value appears to be wrong
               Mike will follow up

Resources for Developers:
               Nat plans to create a WordPress page for developers today
                              He plans to edit http://openid.net/developers/libraries/
               Mike will review it after that
               Matias Woloski's blog post listed several JOSE and JWT implementations too
                              http://blog.auth0.com/2014/02/26/openid-connect-final-spec-10/
               We'll eventually add a link to developer content on openid.net, once the page is more complete

Open Issues:
               #920 - Attack identified against self-issued "sub" values
                              We will use a hash of a standard JWK value as the sub value
                              In alphabetical order, including "kty"
                              John suggested writing this up as a standard JWK fingerprint mechanism
                                             Exclude all the optional fields
                                             Maybe pass it by James for a friendly review
                                             Mike will write this up as a very short I-D
                              After that's been reviewed for a bit, we should apply that as errata to #920

               #879 and #880 - self-issued.me hosting
                              John did these before the launch
                              John will try to register keys for Mike and Nat to access the site as well
                              We also need to back this image up

               Issue #915 - Session 4.2 - Computation of OP session_state in the IdP requires origin URI
                              John is not convinced that using the redirect_uri would actually always work
                                             The "changed" message needs to be addressed to a JavaScript origin
                              This issue seems to need more discussion

Errata:
               If people have additional errata, they should send it to the list

Interop:
               Mike has a bunch of follow-up to do with Roland about interop test cases
               The GEANT project contact behind Roland's code is Licia Florio <florio at terena.org>
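
The JWK fingerprint idea recorded under #920 above, as an added example that is not part of the original call notes or of any draft they mention. The notes fix only the alphabetical member order, the inclusion of "kty" and the exclusion of optional fields; SHA-256, unpadded base64url output and the per-key-type required member lists are assumptions here, consistent with RFC 7638 (JWK Thumbprint).

```python
import base64
import hashlib
import json

# Required members per key type (assumed lists); optional members such as
# "kid", "use" or "alg" are excluded so they cannot change the fingerprint.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def canonical_jwk(jwk):
    """Return the JWK reduced to its required members, serialized in
    alphabetical member order with no whitespace."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError("missing or unsupported kty: %r" % (kty,))
    subset = {}
    for name in REQUIRED_MEMBERS[kty]:
        value = jwk.get(name)
        if not isinstance(value, str) or not value:
            raise ValueError("required member %r missing or not a string" % name)
        subset[name] = value
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode("utf-8")


def jwk_fingerprint(jwk):
    """SHA-256 over the canonical form, base64url without padding (assumed)."""
    digest = hashlib.sha256(canonical_jwk(jwk)).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed sample values, not a real key.
KEY_A = {"kty": "EC", "crv": "P-256", "x": "AAAA", "y": "BBBB"}
# Same key material, different member order plus optional members.
KEY_B = {"kid": "label-1", "y": "BBBB", "use": "sig", "x": "AAAA",
         "crv": "P-256", "kty": "EC"}

if __name__ == "__main__":
    print(canonical_jwk(KEY_A).decode())
    print(jwk_fingerprint(KEY_A) == jwk_fingerprint(KEY_B))
```

Because only the required members are hashed, re-labelling or re-ordering a key leaves its fingerprint unchanged, while any change to the key material or "kty" produces a different value.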