[Openid-specs-ab] Spec Call Notes 9-May-19
Mischa Salle
msalle at nikhef.nl
Thu May 30 09:37:42 UTC 2019
Hi Davide, others,
does the spec actually state that for a given combination OP, RP, user,
it always must create the same pairwise ID? The spec states
"the OpenID Provider MUST calculate a unique sub (subject) value for
each Sector Identifier"
but it seems to me that doesn't imply that it MUST be the same each
time? I.e. it doesn't seem to require a persistent pairwise sub for a
given user? Or do I misread the meaning of unique?
Cheers,
Mischa
On Thu, May 30, 2019 at 06:59:40AM +0200, Davide Vaghetti via Openid-specs-ab wrote:
> Hi,
>
> on the point below:
>
> > Transient Subject Identifier Type
> >
> > At IIW, Davide Vaghetti talked about the need for a
> > transient subject_type value, similar to that in SAML
> >
> > Mike and John encouraged him to write a specification for it
>
> ... this is what I've come up with:
>
> https://gist.github.com/daserzw/813023b4e1c04d09beb732ef00d7c9e9
>
> Cheers,
> Davide
>
> On 09/05/19 17:19, Mike Jones via Openid-specs-ab wrote:
> > Spec Call Notes 9-May-19
> >
> > Mike Jones
> > Roland Hedberg
> > Brian Campbell
> > Torsten Lodderstedt
> > Bjorn Hjelm
> > George Fletcher
> > Tom Jones
> >
> > OpenID Certification
> >
> > Roland created certification tests for Session,
> > Front-Channel, and Back-Channel, which are now being tested
> >
> > Filip Skokan provided a lot of early feedback on the OP tests
> >
> > We now need instructions for testing so others can do so
> >
> > It seems that there will need to be some
> > browser-specific instructions in some cases
> >
> > There are RP logout tests also but they haven't been
> > tested yet by others than Roland
> >
> > Authentication Failed Error Code Draft
> >
> > This is issue #1029
> >
> > The error code is now unmet_authentication_requirements
> >
> > Torsten submitted and Mike will publish the working group
> > draft
> >
> > OpenID Connect for Identity Proofing
> >
> > Another new draft was published at
> > https://openid.net/specs/openid-connect-4-identity-assurance.html
> >
> > Torsten led a discussion at IIW
> >
> > A lot of good feedback was received, including on
> > requirements for other jurisdictions
> >
> > It was pointed out that some proofs will require multiple
> > documents
> >
> > Torsten is working on updated syntax for that
> >
> > See issue #1082: Support for multiple proof
> > sources
> >
> > Reviews are solicited
> >
> > We agreed that Torsten should present this during EIC
> >
> > EIC Next Week
> >
> > Roland, Torsten, Bjorn, George, and Mike will be at EIC
> > next week
> >
> > Distinguishing first and third party cookies
> >
> > George let us know that there's a spec that adds the
> > same-site qualifier to cookies
> > https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
> >
> > Values are none, strict, and lax
> >
> > Also see
> > https://web.dev/samesite-cookies-explained/
> > and
> > https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
> >
> > Google is adding support for this to Chrome
> >
> > George asked whether this might affect iframe and
> > postMessage communication
> >
> > And whether this might affect Session Management
> >
> > Open Issues
> >
> > https://bitbucket.org/openid/connect/issues?status=new&status=open
> >
> > #1083: policy_uri, tos_uri, logo_uri missing in IANA JWT
> > claims registry
> >
> > Brian asked whether Nat really meant the JWT
> > Claims registry or the AS Metadata registry
> >
> > #1081: Need for a persistence user identifier - a PUID
> >
> > We discussed that change of keys is a change
> > of identity for self-issued
> >
> > We discussed the ability to add a "did" claim
> > to the ID Token when it is useful
> >
> > We discussed that the "sub" value must not
> > change at key roll-over time
> >
> > Transient Subject Identifier Type
> >
> > At IIW, Davide Vaghetti talked about the need for a
> > transient subject_type value, similar to that in SAML
> >
> > Mike and John encouraged him to write a specification for it
> >
> > Next Call
> >
> > The May 13th call is cancelled due to EIC
> >
> > The next call is Thursday, May 23 at 7am Pacific Time
> >
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
> >
>
> --
> Davide Vaghetti
> Consortium GARR
> Tel: +390502213158
> Mobile: +393357779542
> Skype: daserzw
>
--
Nikhef, Room H155
Science Park 105
1098 XG Amsterdam
The Netherlands
Tel. +31-20-592 5102
Fax +31-20-592 5155
Email msalle at nikhef.nl
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
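As an added worked example (not code from the thread, the OpenID specs or Davide's gist), the pairwise derivation Mischa's question is about: OpenID Connect Core 8.1 sketches hashing the Sector Identifier, a local account ID and a Provider-held salt, and the HMAC-SHA256 construction, NUL separator, sample hosts and sample salt below are this example's own assumptions. Running it shows what persistence means in practice: the derivation is deterministic, so the same (OP, RP, user) triple yields the same sub on every login, while two Sector Identifiers yield unrelated values, and a per-login random value (a constructed contrast, not Davide's draft) does not persist at all.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlparse

# Provider-held secret salt. Constructed for this example; a real OP keeps
# it private and, crucially, stable, otherwise every sub would change.
PAIRWISE_SALT = b"constructed-example-salt-not-for-real-use"


def sector_identifier(redirect_uri: str,
                      sector_identifier_uri: Optional[str] = None) -> str:
    """Return the Sector Identifier for an RP (OpenID Connect Core 8.1):
    the host of sector_identifier_uri when one was registered, otherwise
    the host of the redirect_uri."""
    source = sector_identifier_uri or redirect_uri
    host = urlparse(source).hostname
    if not host:
        raise ValueError(f"no host component in {source!r}")
    return host.lower()


def pairwise_sub(sector: str, local_account_id: str,
                 salt: bytes = PAIRWISE_SALT) -> str:
    """Derive a pairwise sub from (sector, local account id, salt).

    Core 8.1 sketches hashing these three together; keying HMAC-SHA256 with
    the salt and using a NUL separator is this example's choice (assumption).
    The function is deterministic, so the same user at the same sector gets
    the same sub on every login: that is what makes it persistent.
    """
    mac = hmac.new(salt, digestmod=hashlib.sha256)
    mac.update(sector.encode("utf-8") + b"\x00" + local_account_id.encode("utf-8"))
    return mac.hexdigest()


def transient_sub() -> str:
    """Illustrative contrast only (not taken from Davide's draft, which is
    not on this page): a fresh random value per authentication, so the RP
    cannot correlate two logins of the same user."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    sector = sector_identifier("https://rp.example.com/callback")
    first, second = pairwise_sub(sector, "alice"), pairwise_sub(sector, "alice")
    print(sector, first == second)                              # persistent: True
    print(first != pairwise_sub("other.example.net", "alice"))  # unlinkable across sectors: True
    print(transient_sub() != transient_sub())                   # transient: new each login, True
```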