[Openid-specs-ab] Spec call notes 8-Dec-16
Mike Jones
Michael.Jones at microsoft.com
Thu Dec 8 21:17:24 UTC 2016
Spec call notes 8-Dec-16
Mike Jones
Nat Sakimura
John Bradley
Phil Hunt
George Fletcher
Brian Campbell
Roland Hedberg
Agenda
RP Certification Launch
New Certification Work
Implementer's Draft Votes
OpenID Connect Federation spec
Connect Errata
Open Issues
Next Call
RP Certification Launch
Mike reported that we are now ready to accept RP certifications
We will be counting on Hans, Edmund, Roland, etc. for initial submissions
John asked about testing AppAuth
Mike said that William and Adam have said that they want to test
We believe that it's highly in everyone's interest to do the testing and understand gaps
John will talk with William and Adam about making this happen
John talked about the thousands of apps that are insecure that do non-Connect OAuth-y things
Some of these profiles use "azp"
We would need an actual spec for handing ID Tokens to worker sites in order to test it
This is possible new work in the Connect WG
It's on the boundary between OAuth and Connect
George: There are lots of things people do that are worth documenting
Some of this stuff takes ID Tokens and treats them as access tokens
Some of this work would be to profile down what we already have
The OAuth Native Apps BCP is relevant https://tools.ietf.org/html/draft-ietf-oauth-native-apps
New Certification Work
We will be updating the software version
We will need volunteers to retest OPs
There will be new certification profiles for the WG to review
For instance form post response mode, refresh token, logouts
Mike will send the new profile definitions for the working group to review
Implementer's Draft Votes
We should have Implementer's Draft votes for the three logout specs soon
Mike needs to update the Back-Channel Logout draft to use the latest SecEvent syntax first
FAPI is almost ready to submit for votes as well
Nat (as WG chair) will get Mike (as secretary) the drafts and announcement text
OpenID Connect Federation spec
Roland reported that several people in the GEANT project are doing implementations in different languages
The plan is to do interop and test the theoretical model in reality
People wonder whether the key handling will be too complicated for administrators
Mike asked whether it is still asymmetric with one OP and multiple RPs
Roland said that it's now symmetric
People are happy that it supports multiple federations explicitly
Connect Errata
Mike still has a few edits to do
Eventually we will want to use the OAuth AS Metadata registry in our Discovery spec
Mike and Phil had a side conversation about moving the AS Metadata spec forward
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1000: Logout Token has wrong mandatory field (sub vs. jti)
Previously discussed. Now assigned to Mike.
#1002: Clarify meaning of exp claim in ID Token
Previously discussed. Now assigned to Mike.
#1003: Document possible impacts of disabling third-party cookies on front-channel logout
The working group is seeking more information on things that work and don't
#1004: Core 8.1 Pairwise identifier algorithm and native apps
The working group should look at this
#1005: Clarify "left truncated SHA-2 hash" in section on symmetric encryption
Editorial. Assigned to Mike.
#1006: Clarify text in Third Party Initiated Login
Mike will propose language
John pointed out that we need warning language about 3rd party logout due to the mix-up attack
Next Call
The call is scheduled for Monday at 3pm Pacific time but too many people will be on vacation
We will cancel that one
We will try to have the call on Thursday the 22nd in two weeks
We are also cancelling the call on December 26th
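As an added illustration for issue #1004 (Core 8.1 pairwise identifiers), not code from the working group, the certification suite or any OP: the non-normative algorithm Core 8.1 gives, sub = SHA-256(sector_identifier || local_account_id || salt), with the sector identifier taken from the host of sector_identifier_uri when registered and otherwise from the host shared by the client's redirect_uris. The client registrations, the salt value and the "|" field separators are constructed assumptions. The notes do not record what the group concluded about native apps; the example only shows that a custom-scheme redirect URI carries no host, so the derivation refuses rather than hashing an empty sector.

```python
"""Pairwise subject identifier derivation per OpenID Connect Core 8.1.

Added example, not the working group's or any OP's code. The salt,
the client registrations and the separator bytes are illustrative.
"""
import hashlib
from urllib.parse import urlparse

# Constructed sample client registrations (not real clients).
CLIENTS = {
    "rp-a": {"redirect_uris": ["https://app.example.com/cb"]},
    "rp-b": {"redirect_uris": ["https://app.example.com/other-cb"]},
    "rp-c": {"redirect_uris": ["https://shop.example.org/cb"]},
    "rp-d": {
        "sector_identifier_uri": "https://app.example.com/sectors.json",
        "redirect_uris": ["https://login.example.org/cb"],
    },
    "mixed": {"redirect_uris": ["https://a.example.net/cb", "https://b.example.net/cb"]},
    "native": {"redirect_uris": ["com.example.app:/oauth2redirect"]},
}

# Assumed secret salt held by the OP; a real OP keeps this in protected storage.
OP_SALT = b"constructed-op-salt-do-not-reuse"


def sector_identifier(client):
    """Core 8.1: the host of sector_identifier_uri if registered, otherwise the
    host component of the redirect_uris, which must then all share one host."""
    if "sector_identifier_uri" in client:
        host = urlparse(client["sector_identifier_uri"]).hostname
    else:
        hosts = {urlparse(uri).hostname for uri in client["redirect_uris"]}
        if len(hosts) != 1:
            raise ValueError("redirect_uris span several hosts: %r" % sorted(map(str, hosts)))
        host = hosts.pop()
    if not host:
        # A custom-scheme URI such as com.example.app:/... has no host, so there
        # is no sector to derive; refuse instead of hashing an empty string.
        raise ValueError("cannot derive a sector identifier: redirect URI has no host")
    return host


def pairwise_sub(client, local_account_id, salt=OP_SALT):
    """SHA-256(sector_identifier || local_account_id || salt), hex encoded.
    The "|" separators (an assumption) keep the three fields unambiguous."""
    sector = sector_identifier(client)
    material = sector.encode("utf-8") + b"|" + local_account_id.encode("utf-8") + b"|" + salt
    return hashlib.sha256(material).hexdigest()


def subs_for(local_account_id):
    """Derive the pairwise sub every registered client would see for one user,
    recording the clients for which no sector identifier can be derived."""
    result = {}
    for name, client in CLIENTS.items():
        try:
            result[name] = pairwise_sub(client, local_account_id)
        except ValueError as exc:
            result[name] = "ERROR: %s" % exc
    return result


if __name__ == "__main__":
    for name, sub in subs_for("alice").items():
        print("%-6s %s" % (name, sub))
```

Clients rp-a, rp-b and rp-d all resolve to the sector app.example.com and therefore receive the same sub for a given user, rp-c receives a different one, and the same user at the same sector gets a stable value across calls; the "native" and "mixed" entries show the two inputs for which this host-based rule cannot produce a sector at all.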