[Openid-specs-ab] Spec call notes 4-Aug-16

Mike Jones Michael.Jones at microsoft.com
Thu Aug 4 15:16:46 UTC 2016


Spec call notes 4-Aug-16

Mike Jones
George Fletcher
John Bradley
Phil Hunt
Nat Sakimura

Agenda
              Initial EAP Drafts
              Back-channel logout edits to use ID Events
              Signed federation metadata and the Federation spec
              Certification Status

Initial EAP Drafts
              The initial EAP drafts were adopted
              People are encouraged to review them

Back-channel logout edits to use ID Events
              Phil: An ID Event is logically a statement of fact
              In the logout event, the "sub" is the account identifier relative to the issuer
              The "sid" claim may further specify the entity being acted upon
              Ping has a case in which only the "iss" and "sid" information are needed
              John put forward a thought experiment about events where the RP is the issuer of the event
                           Mike: We have existing practice for this - using an ID Token as the ID Token hint
              George wants things to be explicit, including possibly double signing, when needed
                           Mike: Microsoft wouldn't ever do the double signing when not needed
              George: Implicit logic ends up hurting you in the end
                           George asked whether we want a flag in the event to say that the issuer of the event is the issuer of the subject
                           Mike: A flag isn't necessary since the contents of the message are information enough
                           John: Only if the scope of the subject is different, would you want to add some kind of context claim
              Phil: Mentioned the idea of the subject domain
              Phil: The issuer is always the one that signs it
              Phil wants top-level ID Event claims to be only about the event object and not about event parameters
                           He wants claims about the event to be event parameters
              Mike: In some cases, the "sub" claim is not required
              The "sub" claim is not required in a JWT (Phil thought it was)
              John: We could put the subject in an event parameter rather than at the top level
              Phil: Marius at Google convinced Phil that parsing is simpler if you don't batch unrelated events
                           In that case, claims about the event target could be at the top-level of the JWT
              George: If the subject of an event is an IP address, it should be able to be called "ip_address" - not "sub"
              Mike: The logout event should use the same claims syntax as ID Tokens do
                           For instance, session IDs should always be in the "sid" claim - not a subject claim
              Mike: For context, Microsoft's identity code only has an ID Token parser - not a general JWT parser
                           Things will be much easier if we don't shuffle where the claims are and what they mean
              Phil concluded that we need to discuss some of these issues on the ID Events list

Signed federation metadata and the Federation spec
              People are encouraged to look at the signed metadata specified for AS metadata as it relates to the Federation spec
              See https://tools.ietf.org/html/draft-ietf-oauth-discovery-04 - the "signed_metadata" member

Certification Status
              We continue getting new OP certifications - most recently, CZ.NIC
              Roland has agreed to complete the RP certification code under contract with the OIDF
              We plan to launch RP certification by IIW
              Roland will do an RP certification tutorial at the pre-IIW OpenID Workshop
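
Worked example, added by the editor and not part of the call notes or of any OIDF or implementer code: it mints and checks a logout event token shaped the way the discussion above describes it, with "iss" always the signer, "sub" an account identifier relative to "iss", "sid" naming the session, and event parameters kept under the event identifier rather than mixed into the top level. It also covers the iss+sid-only case raised on the call. Assumptions: HS256 with a shared key stands in for the OP's signature so the code runs without key files; the event URI is the one the published Back-Channel Logout spec later adopted, not something the notes state; all issuers, client IDs and session rows are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: event identifier URI for a back-channel logout event. The call notes
# do not name one; this is the value the published spec later settled on.
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS over the claim set (HS256 shared key stands in for the OP's signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def verify_jws_hs256(token: str, key: bytes) -> dict:
    """Return the claim set only if the MAC checks; the header 'alg' is pinned, not trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def build_logout_event(iss: str, aud: str, key: bytes, sub: str = None, sid: str = None) -> str:
    """Mint a logout event. 'sub' is the account relative to 'iss'; 'sid' pins one session.
    Either alone is enough (the iss+sid-only case), but the RP needs at least one."""
    if sub is None and sid is None:
        raise ValueError("logout event needs sub or sid")
    claims = {
        "iss": iss,
        "aud": aud,
        "iat": int(time.time()),
        "jti": secrets.token_urlsafe(16),
        # Event parameters sit under the event identifier; the event's target stays
        # in the same top-level claims an ID Token would use.
        "events": {LOGOUT_EVENT: {}},
    }
    if sub is not None:
        claims["sub"] = sub
    if sid is not None:
        claims["sid"] = sid
    return sign_jws_hs256(claims, key)


def check_logout_event(token: str, key: bytes, expected_iss: str, expected_aud: str) -> dict:
    """RP-side acceptance: signature, issuer, audience, event type, usable target."""
    claims = verify_jws_hs256(token, key)
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    events = claims.get("events")
    if not isinstance(events, dict) or LOGOUT_EVENT not in events:
        raise ValueError("not a logout event")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout event names neither sub nor sid")
    return claims


def sessions_to_end(claims: dict, sessions: list) -> list:
    """Resolve the event against the RP's session table. 'sub' only means something
    relative to the issuer, so 'iss' is matched first; 'sid' is the more specific target."""
    hits = []
    for s in sessions:
        if s["iss"] != claims["iss"]:
            continue
        if "sid" in claims:
            if s["sid"] == claims["sid"]:
                hits.append(s)
        elif s["sub"] == claims["sub"]:
            hits.append(s)
    return hits


if __name__ == "__main__":
    # Constructed data: shared key, one OP, one RP client, and the RP's sessions.
    key = b"constructed-demo-key-not-for-production"
    sessions = [
        {"iss": "https://op.example", "sub": "alice", "sid": "s-1"},
        {"iss": "https://op.example", "sub": "alice", "sid": "s-2"},
        {"iss": "https://other.example", "sub": "alice", "sid": "s-1"},
    ]
    tok = build_logout_event("https://op.example", "rp-client", key, sid="s-1")
    claims = check_logout_event(tok, key, "https://op.example", "rp-client")
    print([s["sid"] for s in sessions_to_end(claims, sessions)])
```

The session-table step is where the "sub is relative to the issuer" point from the call bites: a third-party RP with sessions from several OPs must never match on "sub" or "sid" alone, which is why the lookup keys on "iss" first.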