[Openid-specs-ab] Spec call notes 19-Feb-15
Mike Jones
Michael.Jones at microsoft.com
Thu Feb 19 16:16:25 UTC 2015
Spec call notes 19-Feb-15
Roland Hedberg
Justin Richer
Mike Jones
Brian Campbell
Edmund Jay
John Bradley
George Fletcher
Nat Sakimura
Agenda
    Certification
    Logout
    OpenID Workshop on April 6
Certification
    Roland managed to install all the software on the Symantec hosts
    We're missing the private keys for the certificates that they provided yesterday
    Don will be seeing them in 3 hours again and Mike and Roland will join them on a call
    Mike created initial certification pages at http://openid.net/certification/
        He asked people to review the content
        More specific submission instructions (including filenames, etc.) still need to be created
    Mike asked about the status of the dynamic registration tests
        Edmund wondered whether we need more tests for error cases, where the OP doesn't support things
            For instance, what if the client wants public subject values, but the OP can use pairwise values
            What actually will be done will be returned in the registration response
        People can propose tests but we won't do everything in phase 1 - some will come later
    Don had asked when we are going to lock down the test content and instructions
        We will do that a month before RSA
    Roland will put up the RP tests once rp.certification.openid.net is working
Logout
    Mike posted two drafts of an HTTP GET based logout spec
        The second adds an id_token query parameter that is optional
        Microsoft engineers pointed out that there are security reasons not to pass an ID Token as a query parameter
    John said that Google is interested in a back channel push logout to the relying party
        Mike pointed out that there would need to be a session identifier for that to work
            Google would put it in the ID Token
        They want to make it more useful for SaaS providers
        John and Adam are writing that up
        The front channel doesn't help you if you've lost your device
    The Microsoft people pointed out they do cascading logouts with iframe GETs
        They do image GETs to end nodes but iframe GETs to STSs
        John said that image GETs tend to be more parallelizable and reliable
    George asked whether it was an option to use CORS support
        That would let you use POSTs
        The problem with that is the browser will execute those sequentially
    John suggested that using an actual session ID is safer
        Let's use "sid" for the session identifier claim
        John said that Google had a different idea for what claim to use, but didn't remember what it was
            Virtual Device User Identifier
            Something that identifies an OP device/user agent pair
        Brian talked about the distinction between information usable as a session versus session identifiers
        John said that the session ID may be persistent
        SAML used SessionIndex for the same concept
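The point Mike raised above, that a back-channel push logout only works if the RP can tie the OP's notification to a specific local session, is easiest to see in code. The following is an added example written for these notes; it is not from the call, from Google, Microsoft, or any OpenID specification. It assumes the ID Token claims have already been validated by the RP's normal processing, that the OP's claim is named "sid" as proposed in the notes, and that the logout notification carries the issuer and the sid value (the notification format was not settled on the call). The class, function and sample claim values are all constructed for illustration.

```python
"""RP-side session registry showing why a "sid" claim in the ID Token is
needed for targeted back-channel logout (added example, not from the page)."""

from collections import defaultdict


class RpSessionRegistry:
    """Maps OP-issued identifiers to the RP's own local sessions."""

    def __init__(self):
        # (iss, sid) -> local session ids; keyed by issuer because a sid is
        # only meaningful within the OP that minted it. A set is used because
        # a persistent sid (one per OP device/user-agent pair) may be seen
        # across several logins.
        self._by_sid = defaultdict(set)
        # (iss, sub) -> local session ids; the only index available when the
        # ID Token carries no sid.
        self._by_sub = defaultdict(set)

    def register_login(self, id_token_claims, local_session_id):
        """Record a completed login. Returns True if a sid was available,
        i.e. if this session can later be ended individually."""
        iss = id_token_claims["iss"]
        sub = id_token_claims["sub"]
        self._by_sub[(iss, sub)].add(local_session_id)
        sid = id_token_claims.get("sid")  # claim name assumed from the notes
        if sid is not None:
            self._by_sid[(iss, sid)].add(local_session_id)
        return sid is not None

    def logout_by_sid(self, iss, sid):
        """Handle a back-channel logout aimed at one OP session.
        Returns the local sessions ended (empty if the sid is unknown)."""
        ended = self._by_sid.pop((iss, sid), set())
        for sessions in self._by_sub.values():
            sessions -= ended  # keep the fallback index consistent
        return ended

    def logout_by_sub(self, iss, sub):
        """Without a sid the RP can only end every session for the subject,
        which is the coarse behaviour the session identifier avoids."""
        ended = self._by_sub.pop((iss, sub), set())
        for sessions in self._by_sid.values():
            sessions -= ended
        return ended

    def active_sessions(self):
        """All local session ids still alive."""
        return set().union(*self._by_sub.values())


def demo():
    """One user logged in from two devices; the OP pushes a logout for the
    phone only (the lost-device case from the notes). Returns
    (sessions ended, sessions still active)."""
    reg = RpSessionRegistry()
    # Constructed sample claims; not real tokens.
    laptop = {"iss": "https://op.example", "sub": "user-123",
              "aud": "rp-client", "sid": "sess-laptop"}
    phone = {"iss": "https://op.example", "sub": "user-123",
             "aud": "rp-client", "sid": "sess-phone"}
    reg.register_login(laptop, "local-A")
    reg.register_login(phone, "local-B")
    ended = reg.logout_by_sid("https://op.example", "sess-phone")
    return ended, reg.active_sessions()


if __name__ == "__main__":
    print(demo())
```

The contrast between `logout_by_sid` and `logout_by_sub` is the whole argument: without a session identifier the notification can only say "this subject", so the RP has to end every session the user has, including the device they are still holding.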
OpenID Workshop on April 6
    https://openid-mar-2015.eventbrite.com
    We have the room all day
    We're currently scheduled to start at 11:00
        George has some proposals from working groups but not all of them
        Mike was wondering whether we'll actually need to start earlier, such as 10:00
    George will create an initial agenda and send it out for review