[Openid-specs-ab] Spec Call Notes 12-Mar-20
Mike Jones
Michael.Jones at microsoft.com
Thu Mar 12 15:22:37 UTC 2020
Spec Call Notes 12-Mar-20
Mike Jones
Roland Hedberg
Brian Campbell
Nat Sakimura
George Fletcher
Joseph Heenan
Tom Jones
Bjorn Hjelm
Migration from Mercurial to Git
Edmund and Nat created a migration script
It doesn't migrate PRs but migrates everything else
Mike will review the three PRs and propose dispositions
Identities within Bitbucket are maintained
Most links in the issue tracker should work after migration
Nat proposes to create a trial migration to review this week
Mike said that we should target the real migration at the beginning of April
George has outstanding local spec changes
Mike and Nat reinforced that any outstanding local changes should be checked in soon
OAuth JAR
Nat asked the OAuth WG two weeks ago whether to restore the client_id functionality
People haven't responded to that specific thread
RE: [OAUTH-WG] JWT Secured Authorization Request (JAR) vs OIDC request object
Mike and Joseph replied just now supporting this change. Others can likewise do so.
Nat plans to make the change after a few replies come in
MTLS and Self-Signed Certificates
Higher education uses a lot of self-signed certificates in SAML federations
They are also used to using MTLS
Torsten wants to use MTLS
Mike asked why not just use private_key_jwt?
Joseph said that in FAPI, people have a lot more deployment problems with MTLS than private_key_jwt
Python doesn't successfully process self-signed client certificates
Brian thinks that you can do this in Java by overriding a certificate verification method
The Federation spec uses private_key_jwt at the authorization endpoint
This requires that the audience be the authorization endpoint
Brian stated that MTLS isn't defined or possible at the authorization endpoint
Only at the token endpoint
Roland will take this offline with Brian and the authors
Joseph said that FAPI has a pushed request object
Brian said that OAuth PAR is intended to be better specified and interoperable
Federation Specification and Interops
The Federation draft is at second Implementer's Draft status
It's pretty stable, other than possibly changes responding to the MTLS feedback
An interop is planned at TNC in Brighton in June
It's looking like this may have to be virtual
Roland knows of three implementations: from Germany, Finland, and Sweden
Or they could relocate the interop to Stockholm, for instance
Mike said that implementers could be putting up their public test endpoints now
Roland has some clarifications to check into the spec
Certification and Logout
OP and RP logout certification are in pilot mode
We want people testing before we take the Logout specs to Final status
George will test Verizon Media's Front-Channel Logout implementation
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1150 Federation: 9.1.1 Endpoint should be "authorization"
Roland agrees with that correction
#1151 Federation: A.1: Examples of OP metadata in entity statement and merged statement missing required parameters
Roland has addressed this in his local copy
#1154 Federation: Explicit definition of entity identifier
Roland has addressed this in his local copy
#1155 Federation: 4.1.3: Typo in superset_of JSON example
Assigned to Roland
#1156 Federation: 4.1.1. subset_of edge cases
Roland has addressed this in his local copy
#1157 Federation: 4.3: Combining Policies - Reword "combine" as "merge" where appropriate?
Assigned to Roland
#1158 Federation 4 /7.2 - not clear handling when 'metadata' duplicated in the trust chain
Roland will clarify when metadata can appear and when metadata policy can appear
#1159 TLS requirements/recommendations for OP/RP
Mike will update the TLS recommendations text
Next Call
The next working group call is scheduled for Monday, March 16 at 4pm Pacific Time