[Openid-specs-ab] Spec Call Notes 9-Apr-20

Mike Jones Michael.Jones at microsoft.com
Thu Apr 9 15:07:00 UTC 2020 

Spec Call Notes 9-Apr-20

Mike Jones
Tim Cappalli
George Fletcher
Brian Campbell
John Bradley
Bjorn Hjelm
Filip Skokan

Migration from Mercurial to Git
              We discussed George's branch for openid-connect-prompt-create-1_0.xml
                           He created a pull request for it
              We migrated the EAP repository and learned a few things along the way
              The next step will be to migrate openid.bitbucket.org, which is rendered at openid.bitbucket.io

OAuth JAR
              Nat still needs to publish a new draft
              John is working with Nat on this

AppAuth
              George said that the Verizon Media person is still interested in being a maintainer for AppAuth Android
              He will join a future call
              John said that William Denniss is still maintaining AppAuth iOS

Open Issues
              https://bitbucket.org/openid/connect/issues?status=new&status=open
              #1161 Key rotation should require a delay between publishing a key and starting to use it?
                           Brian summarized the discussion from the mailing list
                           He described how an attacker could cause frequent JWK Set fetches with bad "kid" values
                           Brian said that there doesn't appear to have been an actual problem in practice
                           He wrote an issue comment
              #1160 Registration 2 - Should data: URLs be allowed as valid logo_uri values?
                           The spec says "The value of this field MUST point to a valid image file."
                           George said that using data URLs would be convenient
                           But it also makes it much harder to validate the image because it has no domain
                           George wrote an issue comment
              #1149 Front-channel logout that doesn't rely on cookies
                           Mike proposed that we either mark this issue as "on hold" or "won't fix" since there isn't a concrete proposal
                           Filip summarized the current situation
                           George said that trying to tweak what we have today is likely problematic
                           We could try to describe ways that front-channel logout breaks in the new browser world
                           Filip said that browser Content Security Policies (CSPs) could be applicable
                           George thinks we could do something else in a new spec once the browser world has shaken out
                           George described a situation in which front-channel logout didn't work in Brave but did in Firefox and Chrome
                           Mike said that he's not in favor of trying to pursue whack-a-mole "solutions"
                           Tim and George described some of the side effects of Apple Intelligent Threat Protection (ITP)
                           This will be placed "on hold" the next time we triage issues unless a reason to keep it active appears by then
              #1125 *_hash algorithm for EdDSA ID Tokens?
                           We last left this at saying that we should decide where to publish this information
              #1108 Purpose field for claims requests and revving of policy_url
                           We will discuss this when we next have Nat and Torsten on the call

Next Call
              The next working group call is Monday, April 13 at 4pm Pacific Time

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20200409/b2de9548/attachment.html>

More information about the Openid-specs-ab mailing list