[Openid-specs-ab] Spec call notes 3-Apr-17
Mike Jones
Michael.Jones at microsoft.com
Tue Apr 4 00:04:44 UTC 2017
Spec call notes 3-Apr-17
Nat Sakimura
Rich Levinson
Mike Jones
Edmund Jay
Agenda
Open Issues
Implementer's Drafts
IETF Recap
AOB
Next Call
Open Issues (at https://bitbucket.org/openid/connect/issues?status=new&status=open)
#1010: Create a Threat Document about the Misuse of OAuth
Mike gave the invited talk "JOSE/JWT Security Update" to the SecEvent and OAuth working groups
https://www.ietf.org/proceedings/98/slides/slides-98-secevent-josejwt-security-update-00.pdf
Kathleen Moriarty and Yaron Sheffer asked us to write a JWT BCP
Torsten's OAuth Security Topics draft is an OAuth WG document
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-02
We talked about possibly writing a blog post for oauth.net
#1011: session management draft 28
These are editorial. Mike will propose text as part of the errata process.
#1012: Back-Channel Logout 1.0 - draft 04
Talks about the endpoint needing to be reachable. This seems like a requirement for communication.
The "keeping track" language should be applied to Front-Channel Logout as well, as others also noted.
Implementer's Drafts
We now have Implementer's Drafts of all three logout specs. This was announced at:
http://openid.net/2017/03/28/openid-connect-logout-implementers-drafts-approved/
As a result of the Implementer's Draft review, comments on the drafts were received from
Filip Skokan, Axel Nennker, Nat Sakimura, Torsten Lodderstedt, James Manger, Tom Jones, Phil Hunt, and Mike Jones
We will go through them and use this feedback to improve subsequent drafts
At least one working group member was surprised by aspects of the Implementer's Draft approval process
Don Thibeau suggested that we write a FAQ about how working groups work
This will both be useful for new working group members and new working group chairs
It's in everyone's interest to prevent any surprise or confusion in the future
IETF Recap
Kathleen Moriarty and Yaron Sheffer asked us to write a JWT BCP
Mike Jones and Dick Hardt volunteered to work on this
Current SET discussions were reviewed with the working group
See https://www.ietf.org/proceedings/98/slides/slides-98-secevent-token-draft-issues-00.pdf
People may want to participate in this WG https://datatracker.ietf.org/wg/secevent/about/
Both because of Back-Channel Logout and implications for JWTs
(Plus RISC has a dependency on SecEvent as well)
Brian Campbell's Mutual TLS Client draft was discussed in OAuth
https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth
This didn't seem to reach any particular conclusion
Nat will follow up with Brian, since FAPI has time-critical interest in this
AOB
Nat requested that Mike go through the list of moderated messages on openid-specs-ab
Nat requested material for the ISO/IEC liaison report
Next Call
The next call is scheduled for 7am Pacific Time on Thursday, April 13th - per the calendar at http://openid.net/wg/connect/