[Openid-specs-ab] Spec Call Notes 21-Jun-18

Mike Jones Michael.Jones at microsoft.com
Sat Jun 30 12:57:43 UTC 2018


I was envisioning a spec that simply defines a new error code and registers it in the OAuth Extensions Error Registry<https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#extensions-error>.  Its normative contents would be something like this:

OAuth “error” Value:
              unable_to_meet_authentication_requirements
              The authentication performed did not meet the requirements of the requester.

In the non-normative parts of the spec, you could say that one place this new error code could be used was if an OpenID Connect “acr” is requested as an essential claim and its criteria could not be met.

This doesn’t rise to the level of incrementing the Connect version number or updating the entire spec.  In my view, that would send the wrong message to the marketplace.

You could do this simple spec pretty quickly.

                                                       -- Mike
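
An added example, not part of the original message or of any OpenID Foundation text: a sketch of how an OP's authorization endpoint could return the error value proposed above when an essential "acr" request cannot be satisfied, instead of issuing a code. The function names, the redirect URI and the acr URN are assumptions made for illustration; the error string is the value proposed in this message and is not shown here as registered.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Error value as proposed in the message above (a proposal, not a registered code).
PROPOSED_ERROR = "unable_to_meet_authentication_requirements"

# Constructed sample "claims" request parameter; the acr URN is made up.
SAMPLE_CLAIMS = json.dumps(
    {"id_token": {"acr": {"essential": True, "values": ["urn:example:acr:mfa"]}}}
)


def essential_acr_values(claims_param):
    """Return the acr values requested as essential for the ID Token.

    Returns None when acr is absent or only voluntary, and [] when acr is
    essential but no particular value is required.
    """
    if not claims_param:
        return None
    acr = (json.loads(claims_param).get("id_token") or {}).get("acr")
    if not isinstance(acr, dict) or acr.get("essential") is not True:
        return None  # voluntary request: an unmet acr is not an error
    if "values" in acr:
        return list(acr["values"])
    return [acr["value"]] if "value" in acr else []


def authorization_response(redirect_uri, state, claims_param, achieved_acr, code):
    """Build the redirect back to the RP (code flow, query response mode)."""
    required = essential_acr_values(claims_param)
    if required is None:
        unmet = False
    elif achieved_acr is None:
        unmet = True
    else:
        unmet = bool(required) and achieved_acr not in required
    # Never hand out a code when an essential acr requirement was not met.
    params = {"error": PROPOSED_ERROR} if unmet else {"code": code}
    if state is not None:
        params["state"] = state
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))
```

The RP still has to check the "acr" claim in the ID Token it receives; the error response only covers the case where the OP itself detects the shortfall.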

From: Torsten Lodderstedt <torsten at lodderstedt.net>
Sent: Friday, June 29, 2018 10:44 PM
To: Mike Jones <Michael.Jones at microsoft.com>
Cc: Vladimir Dzhuvinov <vladimir at connect2id.com>; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Spec Call Notes 21-Jun-18

What kind of new spec do you have in mind to add the error code, which is required to properly handle an error situation described in OpenID Connect Core? I would assume OpenID Connect 1.x?

On 28.06.2018 at 12:28, Mike Jones <Michael.Jones at microsoft.com> wrote:
Can you change a published RFC?  No.

Part of the OIDF maintaining its reputation as a professional standards body is to likewise safeguard the integrity of our final specifications.

I realize that writing a new specification to introduce new functionality may seem inconvenient but it’s ultimately the right thing to do.

                                                       -- Mike

From: Torsten Lodderstedt <torsten at lodderstedt.net>
Sent: Wednesday, June 27, 2018 8:14 PM
To: Mike Jones <Michael.Jones at microsoft.com>
Cc: Vladimir Dzhuvinov <vladimir at connect2id.com>; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Spec Call Notes 21-Jun-18

Even if the error code is obviously missing in the original spec?

On 27.06.2018 at 07:31, Mike Jones <Michael.Jones at microsoft.com> wrote:
Correct.  Just like the IETF, we don’t make normative changes to Final specifications.

The way to introduce a new error code is to write a new specification that does so.

                                                       -- Mike

From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> On Behalf Of Vladimir Dzhuvinov via Openid-specs-ab
Sent: Wednesday, June 27, 2018 8:26 AM
To: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Spec Call Notes 21-Jun-18


My observation is that errata don't introduce new parameters, but are rather used to fix typos and clarify things.

Depending on how the errata get published - as part of the original spec or as separate doc - developers often fail to notice them :)

Vladimir

On 25/06/18 18:34, Torsten Lodderstedt via Openid-specs-ab wrote:

What about an errata?

On 25.06.2018 at 16:31, Mike Jones <Michael.Jones at microsoft.com> wrote:

A new specification needs to be written.  We can't add new functionality to final specifications.

-----Original Message-----
From: Torsten Lodderstedt <torsten at lodderstedt.net>
Sent: Monday, June 25, 2018 10:30 AM
To: Mike Jones <Michael.Jones at microsoft.com>
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Spec Call Notes 21-Jun-18

Hi Mike,

what needs to be done in order to bring Issue #1029 forward?

kind regards,
Torsten.

On 21.06.2018 at 16:48, Mike Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:



Spec Call Notes 21-Jun-18

Mike Jones
Brian Campbell
George Fletcher
Bjorn Hjelm
John Bradley

George Fletcher's Native SSO Proposal
             George plans to produce an xml2rfc version of his Native SSO draft by the end of the week

Potential iOS Changes
             Vittorio Bertocci plans to have a meeting at Identiverse to discuss SSO and Apple's "Intelligent Track Protection" initiative

Federation Specification Review
             This review is under way
                          http://openid.net/2018/06/08/public-review-period-for-openid-connect-federation-specification-started/
             People are encouraged to review the draft

RISC Approval Vote
             The vote is open through June 29th
             Please participate at https://openid.net/foundation/members/polls/141

Certification
             We are launching the Form Post Response Mode certification profiles at Identiverse
                          We will have people test the tests at Identiverse

New RP Libraries
             We've created a jwtconnect.io<http://jwtconnect.io> site as a documentation home for the JWTConnect libraries
             Roland plans to create the Python github projects at https://github.com/openid before Identiverse

Open Issues
             See https://bitbucket.org/openid/connect/issues
             #1029: authentication_failed error response
                          No activity since last call
             #1030: Front & back-channel logout: require HTTPS URIs?
                          Vladimir is right.  Mike will make the change to require https URIs.

Unauthenticated Logout Requests
             George will file an issue proposing Security Considerations language about denial of service attacks using front-channel logout

Spec Progress
             We plan to take the three logout specs to final status soon
                          Please review them now
             The OAuth AS Metadata spec is in Auth48 so will probably finish this week
                          This will unblock the errata progress
             The Security Event Token (SET) spec is with the RFC editor and so should also finish soon
                          We want this to finish before making back-channel logout final

Next Calls
             We are cancelling the Monday, June 25th call because it is during Identiverse
             The next call is Thursday, July 5th at 7am Pacific Time

_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab









