[Openid-specs-ab] Spec Call Notes 5-Jul-18

Mike Jones Michael.Jones at microsoft.com
Thu Jul 5 14:53:01 UTC 2018


Spec Call Notes 5-Jul-18

Mike Jones
Brian Campbell
Nat Sakimura

IETF Updates
              OAuth AS Metadata is finally RFC 8414
                           This unblocks the errata process
              Security Event Token (SET) should be RFC 8417 any day
                           This will unblock back-channel logout finalization

Potential iOS Changes
              Vittorio Bertocci organized a meeting at Identiverse about the topic
              Brian reported that the decision was that Vittorio was going to draft a response to Apple
              He posted a draft to the mailing list for working group review
                           See "[Openid-specs-ab] ITP2 response draft" sent on July 3rd

Security corner cases
              Nat discussed some security corner cases disclosed by our German security researcher friends to FAPI
              Nat will file an issue about one of them

Certification
              We launched the Form Post Response Mode certification profiles at Identiverse
                           Some people have already tested the tests

New RP Libraries
              Roland Hedberg released the Python JWTConnect libraries, which use 4 GitHub projects
                           https://github.com/openid/JWTConnect-Python-CryptoJWT
                           https://github.com/openid/JWTConnect-Python-OidcMsg
                           https://github.com/openid/JWTConnect-Python-OidcService
                           https://github.com/openid/JWTConnect-Python-OidcRP
              See the README.md files in each project
              We've created a jwtconnect.io site as a documentation home for the JWTConnect libraries
                           Content still needs to be created for it

Open Issues
              See https://bitbucket.org/openid/connect/issues
              There are no new issues

OAuth JAR
              The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR) https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-16
              Nat is going to ask the chairs and area director to send the OAuth JAR specification to the RFC Editor
              OAuth JAR doesn't require duplication of parameters such as scope, which Connect does to conform to RFC 6749
              Brian reported that Ping's implementation does duplicate the parameters

OAuth PoP Key Distribution
              People are encouraged to participate in the thread "[OAUTH-WG] PoP Key Distribution"

Federation Specification Review
              Please review the OpenID Connect Federation specification, per
                           http://openid.net/2018/06/08/public-review-period-for-openid-connect-federation-specification-started/

Next Call
              The next call is Monday, July 9th at 4pm Pacific Time