[Openid-specs-ab] Spec Call Notes 29-Oct-18
Mike Jones
Michael.Jones at microsoft.com
Tue Oct 30 00:40:59 UTC 2018
Spec Call Notes 29-Oct-18
Nat Sakimura
John Bradley
Bjorn Hjelm
Brian Campbell
Edmund Jay
Rich Levinson
Mike Jones
Agenda
Editor's report for Errata and Logout
Open Issues
Report from IIW
Report from IIW
Nat asked Mike to give a report from the Internet Identity Workshop (IIW)
Torsten presented verified claims JWT proposal
There was strong interest in standards in this area
Expect a proposal from Torsten soon
Mike believes that this work belongs in the Connect working group
Nat has heard interest in this capability from European banks
Kim Cameron is interested in being able to request aggregated claims from a particular issuer
The FastFed working group held a 3-hour session on Thursday afternoon
Darin McAdams updated FastFed draft to focus on Connect and not SAML
Attendees included Chuck Mortimore, Karl McGuiness, Dick Hardt, Darin, ADT, Googlers, and Mike Jones
Chuck advocated starting with "brown field" scenarios
Converting a small number of username/password logins to an enterprise-wide federation
These result from viral adoption of products like Slack or Teams
Others thought that "green field" - enabling federation from day 1 - is also important
Dick Hardt should be sending notes to the FastFed mailing list
Roland Hedberg described updates he and Andreas Solberg made to the OpenID Connect Federation draft
Now every entity has an entity descriptor - previously RPs didn't
Added the ability to use JWT client IDs without pre-registration
Continuing to use syntax defined by Discovery and Dynamic Client Registration
People are highly encouraged to review draft 5 at https://openid.net/specs/openid-connect-federation-1_0-05.html
Interest in RISC
Some large companies have production RISC endpoints now
These are based on the RISC Implementer's Drafts
Mike gave an Introduction to OpenID Connect "101" talk
It was well attended
Among others there were attendees from the banking and R&E sectors
Editor's report for Errata and Logout
Mike plans to focus on completing the Errata and logout spec edits after IETF
There are some open issues that need to be decided both for Errata and for some of the logout specs
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1052 make clear that nonce is always required for Hybrid flows
Mike and Brian spoke to this
A nonce request parameter may not be strictly necessary for the code+token response type
Both agreed that reasonable people could interpret this differently for code+token
Brian made the case that we shouldn't introduce breaking changes via errata
Mike pointed out that this change would probably require removing this particular test from the certification suite for code+token
Mike will write up this possibility in the issue for review
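The distinction behind this issue is where the ID Token arrives: for "code id_token" and "code id_token token" the Authorization Endpoint itself returns an ID Token on the front channel, and the nonce is what binds that token to the RP's session; for "code token" no ID Token comes back until the code is redeemed at the Token Endpoint. The following Python is an added illustration of that RP-side check, not code from the working group or the specs; ID Tokens are modelled as already signature-verified claim dicts, the session as a plain dict, and the client_id and redirect_uri values are placeholders.

```python
import secrets

# Added example (not from the call notes): a minimal model of how a Relying
# Party handles the nonce across the OpenID Connect Hybrid Flow response types.
# ID Tokens are plain claim dicts assumed to be signature-verified already.

HYBRID_RESPONSE_TYPES = {"code id_token", "code token", "code id_token token"}


def issues_front_channel_id_token(response_type: str) -> bool:
    """True when the Authorization Endpoint returns an ID Token directly.

    Only response_type values containing "id_token" do; for "code token" the
    sole ID Token comes from the Token Endpoint in exchange for the code.
    """
    return "id_token" in response_type.split()


def start_authentication(session: dict, response_type: str) -> dict:
    """Build authentication request parameters and remember the nonce.

    Core makes nonce REQUIRED for the Hybrid Flow, so it is generated for every
    response_type, including "code token" where the front-channel check below
    has no ID Token to compare it against.
    """
    if response_type not in HYBRID_RESPONSE_TYPES:
        raise ValueError(f"not a Hybrid Flow response_type: {response_type!r}")
    nonce = secrets.token_urlsafe(32)
    session["nonce"] = nonce
    session["response_type"] = response_type
    return {
        "response_type": response_type,
        "scope": "openid",
        "client_id": "example-rp",                  # placeholder value
        "redirect_uri": "https://rp.example/cb",    # placeholder value
        "state": secrets.token_urlsafe(16),
        "nonce": nonce,
    }


def _nonce_matches(expected, claims: dict) -> bool:
    got = claims.get("nonce")
    if expected is None or not isinstance(got, str):
        return False
    return secrets.compare_digest(got.encode(), expected.encode())


def check_front_channel_response(session: dict, response: dict) -> str:
    """Validate the authorization response against the session.

    Returns "nonce-verified" when a front-channel ID Token was present and its
    nonce matched, or "no-id-token" when this response_type delivers none.
    Raises ValueError on any mismatch; the RP must treat that as a failed login.
    """
    response_type = session["response_type"]
    id_token = response.get("id_token")
    if issues_front_channel_id_token(response_type):
        if id_token is None:
            raise ValueError("ID Token missing from front-channel response")
        if not _nonce_matches(session.get("nonce"), id_token):
            raise ValueError("nonce mismatch: response not bound to this session")
        return "nonce-verified"
    if id_token is not None:
        raise ValueError(f"unexpected ID Token for response_type {response_type!r}")
    return "no-id-token"


def check_token_endpoint_id_token(session: dict, claims: dict) -> bool:
    """Validate the ID Token obtained by redeeming the code.

    Every Hybrid Flow variant reaches this point. The nonce is compared against
    the same session value and then consumed, so a replayed response or token
    finds nothing to match.
    """
    if not _nonce_matches(session.get("nonce"), claims):
        raise ValueError("nonce mismatch on Token Endpoint ID Token")
    session.pop("nonce")
    return True
```

With "code id_token" both checks run; with "code token" only the Token Endpoint check runs, which is why the nonce is still generated and stored even though the front channel has nothing to verify.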
#1032 rp-initiated logout - proposal for client_id parameter
Mike asked what the security implications are of passing the client_id in a non-tamper-resistant manner
We will discuss this on the next European-friendly call
Next Call
We will keep the Thursday call despite it being IETF week
It will be at 9pm in Bangkok