[Openid-specs-ab] Spec call notes 16-Nov-15
Mike Jones
Michael.Jones at microsoft.com
Tue Nov 17 00:20:20 UTC 2015
Spec call notes 16-Nov-15

Mike Jones
Edmund Jay
Brian Campbell
John Bradley
Nat Sakimura

Agenda
  Call scheduling
  Work we have outstanding
  Open Issues
  Certification

Call scheduling
  The Monday call time is now 3pm Pacific due to the DST change
  This conflicts with the RISC call every other week
  We agreed to have the Monday call the days that RISC doesn't
  We will have the 7am Pacific Thursday call the alternate weeks
  Nat will update the calendar on the working group page

Work we have outstanding
  Errata
  3 logout specs
  Fast Identity Verification
  Certification

Open Issues
  #968 - Inconsistent treatment of id_token_hint
    Mike needs to propose specific wording
  #969 - Need clarity on session state variable
    Assigned to John - he believes that there's a privacy reason for it
  #970 - Core - 2 - ID Token acr claim incorrectly specifies the level 0 of assurance
    John to propose new language
  #973 - Core 2 / 3.1.3.7 - azp claim underspecified and overreaching
    Mike to propose new language
  #974 - Deprecated algorithm RSA1_5 used in spec examples and self-issued
    Mike
  #975 - Do we add additional related specifications?
    Mike to do editing
  #976 - Unregistered openid2_realm and openid2_id
    Mike to do editing
  #977 - How to handle an unsupported response_mode?
    Mike to do editing
  #978 - URL for errata
    Mike to do editing
  #979 - Discovery / Security Considerations: CSRF attack on user input identifier
    In discussion - assigned to John
  #980 - Where else do we need to specify the use of CORS support?
    Mike to do editing, based on issue comments
  #981 - Session - Send SCIM-based back-channel logout info to the list
    Informational - assigned to Nat
  #982 - Error in JWT claim definitions for client authentication
    Mike to apply fix
  #984 - Create a document explaining "single logout" semantics
    Informational - no owner currently
    Perhaps should look at the recent IIW notes from the "What does logout mean?" session
  #985 - Use Bearer in token_type in Implicit Flow response example
    Mike to add comment
  #986 - Core - 6.2 - Softening the 512 ASCII characters restriction
    Mike to write clarifying text

Errata
  All necessary actions captured as open issues

HTTP-Based Logout
  We are renaming this to front-channel logout

Front-Channel Logout
  We need people to think about whether the session ID is defined the right way or not
    This may require implementation experience
  May want to rename it to "session secret" to indicate that it is confidential

Back-Channel Logout
  We need people to think about the session ID there as well

Fast Identity Verification
  William submitted a draft
  Google is apparently rethinking what email_verified means
    It has always been a temporal result
    Whether it was verified in the past or is authoritative now

Certification
  Roland and Edmund demonstrated RP certification testing at IIW
  OP certifications have come in
  At the Tokyo summit, Nov Matake ran a hands-on certification session with about 25 people doing OP testing

Next Call
  We will skip next Thursday due to US Thanksgiving
  The next call will be Monday, November 30th at 3pm Pacific time