[Openid-specs-ab] Spec Call Notes 25-Aug-22

Mike Jones Michael.Jones at microsoft.com
Thu Aug 25 15:14:48 UTC 2022


Spec Call Notes 25-Aug-22

Mike Jones
Giuseppe De Marco
Torsten Lodderstedt
Brian Campbell
Petteri Stenius
Mark Haine
Brian Clickenbeard
Kristina Yasuda

Pull Requests
              https://bitbucket.org/openid/connect/pull-requests/
              #284: More on security considerations when using the resolve endpoint.
                           Roland approved Torsten's comments
                           Merging
              #288: chore: [Federation] terms and EC refactoring
                           Removed "aud" from fetch endpoint, plus wording cleanups
                           Will merge
              #289: Described differences between Automatic and Explicit Registration
                           Mike will apply Vladimir's wording change
                           Mike will ask Kristina to review
              #290: Specified how to handle failed Back-Channel Logout requests
                           4 Approvals - Merged
              #286: feat: [Federation] trust_chain parameter in Authorization Request
                           Giuseppe asked if we should add this to Explicit Registration
                           Torsten said that this should be made available wherever it can be used
                           Giuseppe will add that to the PR

Unmet Authentication Requirements Draft
              We will hold WGLC, then Final Review
              The step-up authentication work in OAuth references this draft

JARM
              Mike will start the Final review

Issues
              #1445: Add section on use of Resolvers
                           Closed by PR #284
              #1606: Relax behaviour around automatic client registration to permit other usecases
                           Mike will request reviews from John and Roland
                           Torsten said this would be like Federation for public clients
                                         He said that we have heretofore required authenticating the clients
                           Brian Clickenbeard said that, from a security perspective, the assertion should be signed in production
                                         He said that while developing, unsigned assertions would be OK
                           Kristina commented that signature alone does not equal authentication, which she thinks was Tobias' point

Next Call
              The next call is the SIOP Special Topic call immediately following this one