[Openid-specs-ab] Certification of your relying party software
Henrik Biering
hb at peercraft.com
Mon Jan 9 00:21:47 UTC 2017
+1!
On 08-01-2017 at 16:40, Mike Schwartz via Openid-specs-ab wrote:
>
> Just my $.02. I know I said this before...
>
> We want client developers to certify their code! I think RP testing
> should be permanently free. The few bucks it's going to bring in are
> not material compared with the benefit to the community of better
> libraries and deployments.
>
> What we're seeing at Gluu is that there is a lot of crappy client
> code. Also, we're seeing that a lot of developers are using OAuth2
> libraries, and not taking advantage of the security features of OpenID
> Connect.
>
> It seems the end-users of RP client code don't care that much if it's
> certified. They want ease of use. They want it to solve a problem.
>
> It's a weird dichotomy. We get raked over the coals by enterprise
> security departments on the Gluu Server OP. And then the client
> developers are using implicit flow and not even checking the
> state or id_token!
>
> Any fee will put a barrier to testing. We should give client
> developers who self-certify a medal--not charge them!
>
> - Mike
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>