[Openid-specs-ab] Qs and Cs on the front channel logout spec

Nat Sakimura sakimura at gmail.com
Mon Apr 3 23:50:43 UTC 2017


Hi

I have a few questions/comments about the front-channel logout spec. Sorry
to pose them this late. I was too busy getting FAPI out, which has rather
short deadlines to be meaningful. These issues could be dealt with during
the next iteration. If you want, I can file them in the issues list.


# NS1 Introduction improvement
As a rationale for this specification, the introduction states "other
protocols..." but that is not good enough.
It should state under what scenario using this specification is a better
solution.

# NS2 Too much passive voice
It is always better to avoid the passive voice. Trying to write sentences in
subject-verb-object order would make it clearer, especially when you think
about translating it into other languages.

# NS3 The creator of the `sid` unclear
From a quick read (sorry, I did not have time to read it till now), I was
not sure who creates the `sid`.
It should probably be written explicitly.

# NS4 State clearly who creates the iframe, in what page and under what scenario
We can guess, but it should be explicitly stated as a specification.

# NS5 Iframe examples, please
Related to NS4, please add an example.

# NS6 Security considerations too terse
Since `sid` is optional, it should state the risk of not using `sid`. Why
did we make `sid` optional?
Can the RP require `sid` to be there to be valid? If so, how?
If it is not, what happens if a rogue site starts calling the logout URIs?
Is it not better to send a signed SecEvent token instead?
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation
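The following is an added example by the editor, not part of Nat's message and not code from the Front-Channel Logout draft or any OpenID project. It illustrates the NS6 point: an RP that clears its session on any GET to its front-channel logout URI can be logged out by a rogue site, while an RP that insists on matching `iss` and `sid` query parameters (the draft sends them when the RP registered `frontchannel_logout_session_required` as true) only honours calls for a session it recorded at login. The session store, cookie values, issuer URL and `sid` values are constructed for the example.

```python
"""Added example: RP-side front-channel logout handler, lenient vs. strict.

The OP renders an iframe whose src is the RP's frontchannel_logout_uri.
With frontchannel_logout_session_required=true the OP appends the `iss`
and `sid` query parameters. The browser sends the RP's own cookie with
that request, so the RP knows which local session the iframe belongs to.
"""
import hmac
from urllib.parse import parse_qs, urlsplit

TRUSTED_ISSUER = "https://op.example.com"  # assumption: the RP trusts one OP

# Constructed sample data: RP cookie value -> claims recorded from the ID Token
# at login. The `sid` is the session identifier the OP minted for that login.
def fresh_sessions():
    return {
        "cookie-abc": {"iss": TRUSTED_ISSUER, "sid": "08a5019c-17e1-4977-8f42-65a12843ea02", "sub": "alice"},
        "cookie-def": {"iss": TRUSTED_ISSUER, "sid": "5b4a3c2d-9e8f-4a1b-bc7d-0123456789ab", "sub": "bob"},
    }

# A legitimate logout iframe src rendered by the OP for alice's session.
LEGIT_URL = ("https://rp.example.com/fc-logout"
             "?iss=https%3A%2F%2Fop.example.com"
             "&sid=08a5019c-17e1-4977-8f42-65a12843ea02")

# What a rogue page can produce: an iframe pointing at the RP's logout URI
# with no parameters (it does not know the user's sid).
ROGUE_URL = "https://rp.example.com/fc-logout"


def _single(params, name):
    """Return the sole value of a query parameter, or None if absent or repeated."""
    values = params.get(name, [])
    return values[0] if len(values) == 1 else None


def handle_front_channel_logout(sessions, request_url, cookie_session_id, require_sid):
    """Process a GET to the RP's frontchannel_logout_uri.

    `sessions` is mutated: the entry is deleted when logout is honoured.
    Returns "logged-out" or an "ignored:<reason>" string.
    """
    params = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    session = sessions.get(cookie_session_id)
    if session is None:
        return "ignored:no-session"

    if require_sid:
        iss = _single(params, "iss")
        sid = _single(params, "sid")
        if iss is None or sid is None:
            return "ignored:missing-sid"
        # The issuer must be the one this session came from (and one we trust).
        if iss != session["iss"] or iss != TRUSTED_ISSUER:
            return "ignored:issuer-mismatch"
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        if not hmac.compare_digest(sid.encode("utf-8"), session["sid"].encode("utf-8")):
            return "ignored:sid-mismatch"

    # Lenient mode reaches here for any request carrying a valid RP cookie.
    del sessions[cookie_session_id]
    return "logged-out"


def demo():
    """Run the rogue and legitimate calls against both RP policies."""
    results = {}
    s = fresh_sessions()
    results["lenient-rogue"] = handle_front_channel_logout(s, ROGUE_URL, "cookie-abc", require_sid=False)
    s = fresh_sessions()
    results["strict-rogue"] = handle_front_channel_logout(s, ROGUE_URL, "cookie-abc", require_sid=True)
    s = fresh_sessions()
    results["strict-legit"] = handle_front_channel_logout(s, LEGIT_URL, "cookie-abc", require_sid=True)
    s = fresh_sessions()
    # Same URL delivered with bob's cookie: the sid belongs to alice's session.
    results["strict-wrong-session"] = handle_front_channel_logout(s, LEGIT_URL, "cookie-def", require_sid=True)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In lenient mode the rogue page succeeds, which is a forced-logout (denial of service) against the user, not a credential compromise; in strict mode the same request is ignored because the attacker does not hold the `sid`. Requiring `sid` does not authenticate the OP as a signed SecEvent token would, since anyone who learns the `sid` can still trigger the logout.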