[Openid-specs-ab] Spec call notes 12-Oct-15
Mike Jones
Michael.Jones at microsoft.com
Mon Oct 12 23:58:41 UTC 2015
Spec call notes 12-Oct-15
Mike Jones
Nat Sakimura
Edmund Jay
John Bradley
Agenda
Tokyo workshop after IETF 94 Yokohama
Workshop before IIW
Name of the HTTP-Based Logout spec
Strong Authentication Working Group Proposal
Certification
[Openid-specs-ab] Attacking OpenID Connect 1.0 - Malicious Endpoints Attack
Use of Session ID in HTTP-Based and Back-Channel logout specs
Open Issues
Tokyo workshop after IETF 94 Yokohama
Presenters should send abstracts and bios to summit2015-info at openid.or.jp and Nat
Mike will do a hands-on session to help people do certification
Workshop before IIW
Roland will do demos during the workshop
During IIW we will try to help more people do certifications
Name of the HTTP-Based Logout spec
We will change the name to Front-Channel Logout, as proposed by Nov Matake
Strong Authentication Working Group Proposal
Scope of work is expected to include defining a few ACR values and eventually use of token binding
Nat thinks this makes sense and is willing to be a proposer
That leaves one more proposer needed
We need to clarify in the charter that defining the use of proof-of-possession in ID Tokens is in scope
Certification
Edmund reported that Roland still needs to fix a few bugs for his RP tests to succeed
Roland expects to do that tomorrow
Deutsche Telekom, Microsoft, Roland Hedberg, and Cal Heldenbrand of RESO added new OP certifications
See http://openid.net/certification/ and http://openid.net/2015/10/12/openid-connects-real-estate-identity/
Verizon and Privo are also working on OP certifications
[Openid-specs-ab] Attacking OpenID Connect 1.0 - Malicious Endpoints Attack
This is the subject of open issue #979
We can spend time on this during IIW
Mike pointed out that in the multi-tenant case you may not know the issuer until runtime, but that you can match on the jwks_uri to verify that the issuer is legal
We should probably have a general discussion on security issues for multi-tenant implementations
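The following is an added example, not code from the call or from any OpenID Foundation project. It shows the relying-party-side checks that the discussion above points at: an OpenID Connect discovery document is rejected if its issuer does not match the location it was fetched from, if any endpoint leaves the issuer's origin, or if its jwks_uri is not one the RP already trusts (the multi-tenant check mentioned on the call, where the issuer itself is only learned at runtime). The hostnames, the sample documents and the trusted jwks_uri set are constructed; the same-origin rule for endpoints is a deliberately strict local policy assumed here, not a requirement of the Discovery spec.

```python
"""Sanity checks for an OpenID Connect discovery document.

Added example (not from the mailing list or any OpenID Foundation code).
The sample documents below are constructed; example.com / example.net
hostnames are placeholders. The same-origin rule for endpoints is a
deliberately strict local policy, not a requirement of OIDC Discovery 1.0.
"""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "jwks_uri")


def issuer_matches_location(doc, config_url):
    """Discovery 4.3: the issuer value with the well-known path appended
    must equal the URL the document was actually retrieved from."""
    issuer = doc.get("issuer", "")
    return bool(issuer) and issuer.rstrip("/") + WELL_KNOWN == config_url


def same_origin(url_a, url_b):
    """True when both URLs share scheme and host[:port]."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def check_discovery(doc, config_url, trusted_jwks_uris):
    """Return a list of problems; an empty list means the document passed.

    trusted_jwks_uris: jwks_uri values of providers the RP has already
    decided to trust. In a multi-tenant deployment the issuer may only be
    known at runtime, so the key endpoint is what ties the document back
    to a known provider.
    """
    problems = []
    if not issuer_matches_location(doc, config_url):
        problems.append("issuer does not match the document's location")
    issuer = doc.get("issuer", "")
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if not url:
            problems.append(f"{key} missing")
            continue
        if urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https")
        if issuer and not same_origin(url, issuer):
            problems.append(f"{key} is not on the issuer's origin")
    if doc.get("jwks_uri") not in trusted_jwks_uris:
        problems.append("jwks_uri does not belong to a trusted provider")
    return problems


# Constructed sample data: a tenant-scoped issuer whose key endpoint the RP
# has already pinned as trusted.
TRUSTED_JWKS = frozenset({"https://login.example.com/tenant-a/keys"})
CONFIG_URL = "https://login.example.com/tenant-a" + WELL_KNOWN

GOOD_DOC = json.loads("""{
  "issuer": "https://login.example.com/tenant-a",
  "authorization_endpoint": "https://login.example.com/tenant-a/authorize",
  "token_endpoint": "https://login.example.com/tenant-a/token",
  "userinfo_endpoint": "https://login.example.com/tenant-a/userinfo",
  "jwks_uri": "https://login.example.com/tenant-a/keys"
}""")

# Constructed malicious document: same issuer string, but the token
# endpoint and the key set are redirected to a host outside the issuer.
BAD_DOC = dict(GOOD_DOC,
               token_endpoint="https://attacker.example.net/token",
               jwks_uri="https://attacker.example.net/keys")

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(name, check_discovery(doc, CONFIG_URL, TRUSTED_JWKS) or "ok")
```

The jwks_uri allowlist is what makes the multi-tenant case workable: the RP does not need to know every tenant issuer in advance, but any document whose key endpoint it has not seen before is refused rather than trusted on the strength of its own issuer claim.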
Use of Session ID in HTTP-Based and Back-Channel logout specs
In Front-Channel Logout, the Session ID is a standalone identifier with enough entropy to uniquely identify a session
In Back-Channel Logout, it identifies the User Agent or Device
John - Maybe we should just call them different things
John - The back channel one is more of a device/user agent identifier generated by the IdP
John - You want the back channel device identifier to be user specific
Nat - Maybe call it User Device Identifier ("udi")
Open Issues
There are no new open issues