[Openid-specs-ab] Special OpenID Connect call for Certification lockdown decision 23-Mar-15

Mike Jones Michael.Jones at microsoft.com
Mon Mar 23 15:18:18 UTC 2015


Special OpenID Connect call for Certification lockdown decision 23-Mar-15

John Bradley
Mike Jones
Justin Richer
Garyl Erickson
Brian Campbell
Nat Sakimura
Ian Glazer
Robert Wegmann
George Fletcher
Roshni Chandrashekhar

Agenda
               Open Issues
               Misc
               What's left to do?
               What does lockdown mean?
               Next Steps
               Past the first certification round

Open Issues
               #82: Configuration does not get modified when changing from dynamic to static discovery
                              Not critical to certification
               #33: Giving a login hint (OP-H-03) Test falls into indeterminate state with error on our side
                              Resolved
               #84: Test Traces ONLY refer to last test run
                              Resolved
               #101: no idea what happened but something went wrong with a new instance created at OpenID Certification OP Test Tool Configuration
                              Roland said that the database of implementers was getting corrupted
                              Roland thinks that he knows what the cause was
                              There are usability problems reaching the initial test page
                              This is not necessarily critical to the lockdown since people have working (sometimes manually edited) configurations
               #100: OP test server not including intermediate certificate.
                              This is working now, even though it's returning the root cert
                              We'll leave this alone
                              (This still needs to happen for the RP test server)
               #123: redirect_URI tests still reporting wrong results.
                              For OP-redirect_uri-Missing, John's test is returning 400 as it should to a page shown
                                             but the page is showing a red circle after hitting back
                              The log says partial result but the page shows a red circle for John and a question mark for Brian
                              Mike will add instructions about ignoring the result to testers
                              Roland will hard-code the partial result for a specific set of tests
                                             He will send the list out for review before doing the hard-coding
               #127: [OP-redirect_uri-RegFrag] - Server returns error, test doesn't recognize it
                              Roland will fix this one
               #111: OP-IDToken-SigEnc (Signed and encrypted ID Token) Test is unable to decrypt ID Token for certain response_type requests
                              "kid": null appears to be an error in Edmund's code

Misc
               Robert has been testing Basic with alg:none and is happy with the result

What's left to do?
               Rollover -> Rotation (to match the spec)
               Rollover should not be listed as [Config]
               Everything appears to be captured in the tracker, other than what's in the notes
               Short form instructions need to be written

What does lockdown mean?
               None of the code paths for any certification profile get touched without a working group decision to do so
               Stuff that's independent, such as encryption tests, can continue to be developed
               Anything risky should happen in a branch
               Once we announce that we are accepting results, we will accept them even if the tests are incomplete/wrong at the time of testing

Next Steps
               Roland fixes the few bugs discussed today
               Mike edits the English strings a little more
               Have Don send the timeline mail to the working group
                              Submissions are due on Monday the 13th - a week before RSA
               We send a message to the WG and testers saying we will now accept results
               Mike creates the closed-form instructions
                              Filenames for each profile of log files and image captures
                              List of things that are self-asserted
                              The working group reviews them

Past the first certification round
               RP testing is more difficult than OP testing
               The test tool can't see what the RP does as a result of the responses
               There will be a lot more screen shots in this case
               Roland and team have constructed an OP that will behave differently based on the components of the path
                              Logically these are all different OPs that the RP uses
               Edmund had suggested just putting the test ID in the paths
                              Roland will write up possibilities to the list for us to review
               For RP testing, the min-bar requires understanding .well-known/openid-configuration files
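The RP-side discovery check this last point refers to, as an added example in Python (not code from the notes or from the certification tool): issuers that differ only by a path component are different logical OPs, so the RP derives the discovery URL from the exact configured issuer and rejects a document whose "issuer" does not echo it back. The hostnames, paths and documents below are constructed placeholders.

```python
"""Added example: RP-side validation of an OpenID Connect discovery document
for path-based issuers. Sample documents are constructed, not real endpoints."""
from urllib.parse import urlparse

# Constructed stand-ins for what an HTTP GET of each discovery URL would return.
SAMPLE_DOCUMENTS = {
    "https://op.example.test/rp-test/alpha/.well-known/openid-configuration": {
        "issuer": "https://op.example.test/rp-test/alpha",
        "authorization_endpoint": "https://op.example.test/rp-test/alpha/authorize",
        "jwks_uri": "https://op.example.test/rp-test/alpha/jwks",
    },
    # Same host, different path component: logically a different OP. This document
    # misreports its issuer, which an RP must reject rather than silently accept.
    "https://op.example.test/rp-test/beta/.well-known/openid-configuration": {
        "issuer": "https://op.example.test/rp-test/alpha",
        "authorization_endpoint": "https://op.example.test/rp-test/beta/authorize",
        "jwks_uri": "https://op.example.test/rp-test/beta/jwks",
    },
}

def discovery_url(issuer: str) -> str:
    """Issuer (path components included) -> issuer + '/.well-known/openid-configuration'."""
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or parsed.query or parsed.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def fetch_document(url: str) -> dict:
    """Stand-in for an HTTP GET; looks the URL up in the constructed samples."""
    return SAMPLE_DOCUMENTS[url]

def validate_discovery(issuer: str) -> dict:
    """Return the document only if its issuer is exactly the configured issuer
    and the endpoints the RP needs are present; otherwise raise."""
    doc = fetch_document(discovery_url(issuer))
    if doc.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: expected {issuer!r}, got {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "jwks_uri"):
        if key not in doc:
            raise ValueError(f"discovery document missing {key}")
    return doc

def issuer_accepted(issuer: str) -> bool:
    """True if the RP would accept this issuer's discovery document, else False."""
    try:
        validate_discovery(issuer)
        return True
    except (ValueError, KeyError):
        return False
```

The trailing-slash case shows why the comparison is strict: "…/alpha/" derives the same discovery URL as "…/alpha", but the document's issuer does not match it character for character, so the RP rejects it.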