[Openid-specs-ab] Spec call notes 23-Feb-15
John Bradley
ve7jtb at ve7jtb.com
Tue Feb 24 02:45:34 UTC 2015
My point was not that audience was not needed, but rather that it could be a different audience to differentiate between the login and sign out tokens.
That way the sign out tokens would not be accepted as login tokens, e.g. the logout_uri rather than the client_id as a possible example.
John B.
> On Feb 23, 2015, at 6:32 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
>
> Spec call notes 23-Feb-15
>
> Nat Sakimura
> Mike Jones
> Brian Campbell
> Edmund Jay
> John Bradley
>
> Agenda
> Use of Pragma: no-cache in Form Post Response Mode
> Logout
> Certification
>
> Use of Pragma: no-cache in Form Post Response Mode
> Brian believes the only change needed is to remove the "Pragma: no-cache"
> He believes that "Cache-Control: no-store" also performs a "Cache-Control: no-cache"
> Mike will confirm this
> Then Mike will make the change and update the blog post
> Later in the call, Brian pointed out that we should have normative text about not caching the result
> He will propose a sentence to add
>
> Logout
> When using the Session ID on the front channel, you're only picking from among those that are live in the browser
> An alternative to putting "sid" and "iss" as query parameters is to put them in a JWT
> But it should not be a legal ID Token, so perhaps shouldn't have a subject
> John pointed out that we should at least consider whether an audience would be needed
> John will be working on a back channel logout spec also using the Session ID
> We should try to have these be as close to one another as reasonably possible
> He's on his way to Barcelona for MWC, so this may not happen for a bit
> People agreed that the differentiation between image and iframe GETs must happen at registration time
> The query parameters still need to be reviewed
>
> Certification
> Roland now has testing up on the Symantec hosts
> A team member of Roland's created an OP self-registration page at https://op.certification.openid.net:60000/
> When you select dynamic configuration, the answer to the first question is the issuer path (this isn't obvious)
> Mike will file some bugs on clarifying how the tool works
> People doing testing should migrate over to the official server
> This also means that Roland can now also put up the RP tests
> Breno should be getting back to us within a week or so on how long it will take them to create a conforming implementation
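Added example, not part of the original message or of any OpenID specification: an illustration of the audience split suggested in the reply above, where an RP's login path only accepts tokens whose "aud" is its client_id and its sign-out path only accepts tokens whose "aud" is its logout_uri. The issuer, client_id, logout_uri, HS256 shared key and all function names are assumptions constructed for the example.

```python
import base64, hashlib, hmac, json
# All values below are constructed for this example.
KEY = b"constructed-demo-key"  # HS256 secret shared by OP and RP
ISSUER = "https://op.example.com"
CLIENT_ID = "rp-client-123"  # audience of login (ID) tokens
LOGOUT_URI = "https://rp.example.com/logout"  # audience of sign-out tokens

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims):
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def verify(token, expected_aud, required):
    # Checks signature, issuer and audience only; expiry and nonce are omitted.
    head, body, sig = token.split(".")
    if json.loads(_unb64(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    mac = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER or expected_aud not in auds:
        raise ValueError("wrong issuer or audience")
    if required not in claims:
        raise ValueError("missing " + required)
    return claims[required]

def accept_login(token):  # RP login path: audience must be the client_id
    return verify(token, CLIENT_ID, "sub")
def accept_logout(token):  # RP sign-out path: audience must be the logout_uri
    return verify(token, LOGOUT_URI, "sid")

def accepted(handler, token):
    try:
        handler(token)
        return True
    except ValueError:
        return False

ID_TOKEN = sign({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1", "sid": "s-42"})
LOGOUT_TOKEN = sign({"iss": ISSUER, "aud": LOGOUT_URI, "sid": "s-42"})
```

Because the rejection comes from the audience check, a sign-out token is refused on the login path even if it happens to carry a "sub" claim.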