[Openid-specs-ab] Spec call notes 22-Dec-16
Mike Jones
Michael.Jones at microsoft.com
Thu Dec 22 17:26:02 UTC 2016
Resending…
From: Mike Jones<mailto:Michael.Jones at microsoft.com>
Sent: Thursday, December 22, 2016 8:18 AM
To: openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>
Subject: Spec call notes 22-Dec-16
Spec call notes 22-Dec-16
John Bradley
Mike Jones
Brian Campbell
Rich Levinson
Agenda
Certification Update
Logout
OAuth Threats Paper
Prateek's E-mail on Certification Requirements
Open Issues
Next Call
Open Issues
#1004 Core 8.1 Pairwise identifier algorithm and native apps
We discussed that custom scheme URIs can include hostnames
It is possible to register a sector identifier that refers to your custom schemes
Assigned to John to discuss registering sector identifiers for this case
Certification Update
We now have three RP certifications registered, with more expected shortly
Yahoo! Japan has certified their OP
Verizon has certified their OP
We will discuss new certification profiles in January
Logout
Mike needs to update Backchannel Logout to use the current version of the ID Events spec
After that, we should have an Implementer's Draft vote
OAuth Threats Paper
Rich brought up the paper by Chinese researchers on OAuth threats
"Exploiting OAuth 2.0 Protocol in Mobile Applications"
https://www.enisa.europa.eu/publications/info-notes/exploiting-oauth-2-0-protocol-in-mobile-applications
John has interacted with them to some extent
The problem is that people are doing things beyond what the OAuth and Connect specs describe
In fact, many of the things described are precluded by the specs
John believes that Google is planning communication to their developers on this topic
John said that we could document a pattern on this that can then be secured and is testable
This would involve RPs being OAuth Servers to protect their APIs
John had also raised this at the IETF OAuth meeting
Not much interest was expressed there
In fact, some people felt that documenting an arguably bad practice would be counterproductive
Brian said that people that don't check signatures aren't likely to adopt new specs anyway
Brian said that we should try to discourage large providers from promoting this pattern
John said that this pattern also often involves use of proprietary APIs, such as custom introspection endpoints
Mike asked if there was a public blog post or other document responding to this that we could refer people to
John said that William Denniss is supposed to be working on one
John will follow up with William about this
John said that Ping is also planning developer communications on this topic
Prateek's E-mail on Certification Requirements
Mike had responded to the e-mail saying that the test tool displays the mandatory tests for each response type
Rich hoped there would be links from the tests to mandatory spec language
Mike said that this is present in the RP Certification suite
Mike agreed that it would be good to add this to the OP Certification software
Mike will document the color coding on the list
Next Call
Our next call is Thursday, Jan 5, 2017 at 7am Pacific
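To make the open issue #1004 concrete, here is an added example (not code from the spec call, the working group, or any OP implementation) of the pairwise identifier derivation in Core 8.1. The spec's example algorithm derives the sub as a hash of the sector identifier, the local account ID and a salt; the sector identifier is the host of the redirect_uri(s), or of the registered sector_identifier_uri when the redirect URIs span several hosts. The point raised on the call is that a custom-scheme URI such as com.example.app://auth.example.com/cb carries a host and so can serve as a sector identifier, while com.example.app:/cb does not. The function and parameter names are this example's own, the URIs are constructed, and the code assumes the sector_identifier_uri has already been fetched and validated against the registered redirect URIs as Core 8.1 requires.

```python
import hashlib
from urllib.parse import urlparse


def sector_identifier(redirect_uris, sector_identifier_uri=None):
    """Return the Sector Identifier for a client per OpenID Connect Core 8.1.

    If a sector_identifier_uri is registered (assumed already validated),
    its host is the sector. Otherwise all redirect URIs must share one
    host, which becomes the sector. Custom-scheme URIs are handled the
    same way: a host component (e.g. com.example.app://auth.example.com/cb)
    is usable, a host-less one (com.example.app:/cb) is not.
    """
    if sector_identifier_uri is not None:
        host = urlparse(sector_identifier_uri).hostname
        if not host:
            raise ValueError("sector_identifier_uri has no host component")
        return host

    hosts = {urlparse(u).hostname for u in redirect_uris}
    if None in hosts:
        raise ValueError(
            "a redirect_uri has no host; register one with a host or a "
            "sector_identifier_uri")
    if len(hosts) != 1:
        raise ValueError(
            "redirect_uris span several hosts; a sector_identifier_uri "
            "is required")
    return hosts.pop()


def pairwise_sub(sector, local_account_id, salt):
    """Core 8.1 example algorithm: SHA-256(sector || local_account_id || salt).

    `salt` is a secret value chosen once by the OP and kept stable; it
    prevents an RP from correlating users by recomputing the hash.
    Inputs are joined with a separator so that distinct (sector, id)
    pairs cannot collide by re-splitting the concatenation.
    """
    material = "\x00".join([sector, local_account_id, salt]).encode("utf-8")
    return hashlib.sha256(material).hexdigest()


if __name__ == "__main__":
    # Constructed sample registrations (not real clients).
    native_app = ["com.example.app://auth.example.com/cb"]
    web_rp = ["https://rp.example.com/cb", "https://rp.example.com/cb2"]
    salt = "example-op-secret-salt"  # assumption: an OP-private value
    for uris in (native_app, web_rp):
        sector = sector_identifier(uris)
        print(sector, pairwise_sub(sector, "user-42", salt))
```

Two RPs registered under different sectors receive different sub values for the same local account, which is the privacy property pairwise identifiers exist for; the same RP always receives the same value as long as the OP's salt does not change.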