[Openid-specs-ab] Spec Call Notes 6-Jan-20
Mike Jones
Michael.Jones at microsoft.com
Tue Jan 7 01:29:40 UTC 2020
Spec Call Notes 6-Jan-20

John Bradley
Edmund Jay
Nat Sakimura
George Fletcher
Mike Jones

Federation
The vote for the second Implementer's Vote will pass tomorrow
Roland and Mike attended Internet2/REFEDS in December
There was a Federation hackathon
We also received feedback on when to hold the three interop events in 2020

eKYC-IDA WG
This is where work on OpenID Connect for Identity Assurance will continue
See https://openid.net/2019/12/28/openid-connect-for-identity-assurance-now-has-a-dedicated-home/
There's a call scheduled for January 8th
Nat will check if the call is in the OpenID calendar

Certification and Logout
The Logout OP tests are up, with instructions at https://openid.net/certification/logout-op-testing/
Please test your code and the tests now!
The Logout RP tests are nearly done, with instructions shortly to follow
Having these tests provides important feedback needed to finish the logout specs
They have already pointed out places where clarifications are needed
Now is the time to run tests!
Mike is using the Mercurial shutdown as a forcing function to motivate finishing these specs

OAuth JAR Spec
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-19
In AD Review status by Ben Kaduk
John reported that they've been going back and forth on a possible change
Some people are angry that the spec is changing the Connect request object semantics
The IESG (Ben Campbell) objected to merging parameters - suggesting that all parameters must be secured
Mike asked whether we could just add a note in the JAR spec on what the differences from Connect are and why they don't matter
John said that some servers count on parameters like scope being outside the request object
George expressed concerns about potential certification problems
Mike said that he doesn't believe there are any certification tests for merging parameters
We will discuss this in Tokyo
Takahiko Kawasaki was one of those objecting to the change in semantics
Nat suggested that we also get the opinions of Ping and ForgeRock
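The JAR disagreement above comes down to what an authorization server does with parameters sent outside the signed request object. As an added illustration (not from the call notes and not code from any OpenID or IETF project), the following Python resolves one authorization request under both readings: Connect Core 6.1 merging, where request-object values win but unsigned query parameters such as scope and state still count, and the stricter JAR reading, where only the signed contents are used. The HS256 demo key, client identifier and parameter values are constructed.

```python
import base64, hashlib, hmac, json

DEMO_KEY = b"constructed-demo-key"  # constructed; a real OP verifies RS256/ES256 via the client's JWKS

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_request_object(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact HS256 JWS carrying the authorization request parameters."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_request_object(jws: str, key: bytes = DEMO_KEY) -> dict:
    """Check the signature before trusting any parameter carried inside the object."""
    header, payload, sig = jws.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("request object signature invalid")
    return json.loads(_b64url_decode(payload))

def resolve_connect(outer: dict) -> dict:
    """OpenID Connect Core 6.1 semantics: merge, with request-object values taking precedence."""
    inner = verify_request_object(outer["request"])
    for p in ("response_type", "client_id"):  # must agree when present in both places
        if p in inner and inner[p] != outer.get(p):
            raise ValueError(f"{p} differs between request object and query")
    merged = {k: v for k, v in outer.items() if k != "request"}
    merged.update(inner)
    return merged

def resolve_jar(outer: dict) -> dict:
    """JAR reading: only signed parameters are used; unsigned query values are dropped."""
    inner = verify_request_object(outer["request"])
    if inner.get("client_id") != outer.get("client_id"):  # outer client_id locates the client's keys
        raise ValueError("client_id differs between request object and query")
    return dict(inner)

def demo():
    """Constructed request: scope and state travel unsigned, the rest inside the signed object."""
    inner = {"client_id": "s6BhdRkqt3", "response_type": "code",
             "redirect_uri": "https://client.example.org/cb", "nonce": "n-0S6_WzA2Mj", "max_age": 86400}
    outer = {"client_id": "s6BhdRkqt3", "response_type": "code", "scope": "openid profile",
             "state": "af0ifjsldkj", "request": sign_request_object(inner)}
    return resolve_connect(outer), resolve_jar(outer)
```

Under the Connect reading the server sees scope and state; under the JAR reading both are gone, which is exactly the breakage servers that rely on an outer scope would hit.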

Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1147: certification: RFC6749 MUST for error_description
We can flag this as a warning since it doesn't introduce a security or interop issue
#1146: certification: is returning an empty address object permitted
Mike will try to get this fixed in AAD
#1143: clarify text (value vs values) in 5.5.1.1
We agreed that using "value" should be permitted
#1141: Clarification on claims parameter in auth request validation
We agreed that adding a clarification about ignoring not-understood claims would be a reasonable thing to do
#1137: Is content-type application/x-www-form-urlencoded required when calling user info endpoint with empty body?
Content type shouldn't be required when there is no content.

RSA Board Meeting
Our board meeting time on Wednesday conflicts with a WebAuthn meeting
We could perhaps move the board meeting to Tuesday or Thursday

Next Call
The next working group call will be on Thursday, January 16th at 7:00am Pacific Time