[Openid-specs-ab] Spec Call Notes 7-May-20

Mike Jones Michael.Jones at microsoft.com
Thu May 7 15:08:15 UTC 2020


Spec Call Notes 7-May-20

Mike Jones
Brian Campbell
Roland Hedberg
Tim Cappalli
Bjorn Hjelm
George Fletcher
Bhupinder Singh
John Bradley

Federation Specification
              We released a new draft last week
              There was discussion on the list about using signed requests rather than private_key_jwt
                           Roland is working on that change
              We'd planned an interop event at TNC in June in Bristol
                           We're planning on doing that virtually instead
              Roland is deploying a federation that testers will be able to use
                           We know of three implementations at present
              Roland plans to do the signed request update before the interop

Identiverse
              We discussed the ways that Identiverse may be run
              Mike was hoping to get interactive feedback on the Federation work

OAuth JAR
              Brian did a PR to address the PAR issue
              There's another PR by Torsten using metadata to determine algorithms
                           https://bitbucket.org/Nat/oauth-jwsreq/pull-requests/4/
                           That needs to be merged
              Nat and John then need to publish an updated draft again

Safari Bounce Tracking Proposal
              George described Apple's bounce tracking proposal
              See https://github.com/privacycg/proposals/issues/6 and
              https://github.com/privacycg/meetings/blob/master/2020/telcons/04-23-bouncetracking-minutes.md
              This is in a Safari tech preview release
              Federation redirects look like bounce tracking to this heuristic
              This is another possible set of browser changes that could affect identity flows
                           Like the SameSite cookie changes
              This may interact with the IsLoggedIn proposal https://github.com/WebKit/explainers/tree/master/IsLoggedIn
                           and the Google WebID proposal https://github.com/samuelgoto/WebID

Open Issues
              https://bitbucket.org/openid/connect/issues?status=new&status=open
              #1164-#1166 Federation issues now assigned to Roland
                           Roland said that there are some other issues that he's addressed that he should close
              #1160 Registration 2 - Should data: URLs be allowed as valid logo_uri values?
                           No new thoughts during the call
              #1161 Key rotation should require a delay between publishing a key and starting to use it?
                           There's been more discussion on the issue, including about what the certification code is doing
                           There's no evidence that these possible attacks have ever occurred in practice
                           Roland said that in SAML federations, new keys are typically added days before use
                           But in some circumstances, keys have to be changed faster than that
              #1086 Core 5.6.2 - chaining Distributed Claims
                           We should investigate this
                           The question is whether recursion is allowed
                           There doesn't appear to be a reason why this shouldn't work

Next Call
              The next working group call is Monday, May 11 at 4pm Pacific Time
