[Openid-specs-ab] Spec Call Notes 14-Aug-23
Michael Jones
michael_b_jones at hotmail.com
Tue Aug 15 02:36:36 UTC 2023
Spec Call Notes 14-Aug-23
Mike Jones
Nat Sakimura
Tom Jones
Andrii Deiniga
Naveen CM
Edmund Jay
Errata Status
Mike published proposed errata drafts for review yesterday
Mike found a few additional errata suggestions in an old "To Do" file and filed corresponding issues today
https://bitbucket.org/openid/connect/issues?status=new&status=open&milestone=Errata
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1112: Register openid to the well-known URI scheme IANA registry
The designated expert says that we could do provisional registration now
A spec specifying URI syntax would be required for full registration
Mike will respond requesting provisional registration
#2025: William Denniss' suggestion about Cache-Control: no-cache, no-store
Andrii pointed out that this was previously discussed by the OAuth WG
https://mailarchive.ietf.org/arch/msg/oauth/9DdkE2P0RrUZMeZAbdf3NrMfy0w/
Andrii will add a comment to the issue
#2026: Dynamic Registration redirect_uri ambiguity
We should make the sentence unambiguous
We should say that custom URI schemes are acceptable
It doesn't seem worth mentioning IP literal forms in an errata update
#2027: Obsolete statement about WebFinger and acct: URIs
We should update the note to reference the acct: URI spec
#2028: Reference to RFC 8176 "Authentication Method Reference Values" needed
We should say that people should use values from the registry
#2029: Reference RFC 9101 "JWT-Secured Authorization Request (JAR)"
We should add an informative reference saying that this was based on the invention in Connect
#2030: ISO29115 date wrong
Editorial
#2013: Improve clarity of sentence about issuer value
We should use something like the wording from the OAuth RFC
#2024: oidcc-prompt-none-logged-in test should accept login_required response
Edmund wondered whether this has to do with multiple users being logged in
Mike responded in a comment
This would remove the tests that require working support for prompt=none from the certification requirements
#2022: [Federation] 5.1.4.1. Merging Operators - Correct normative language
Addressed by PR #607
Pull Requests
https://bitbucket.org/openid/connect/pull-requests/
PR #607: [Federation] Cleans up the policy combination and operator merge language (iss #2022)
More reviews would be welcomed
PR #589: [Federation] Allow retrieving metadata from existing locations
Generating a lot of good discussion
Mike plans to discuss this in person at the OAuth Security Workshop next week
PR #448: [Federation] Added appendix on using Web PKI cryptographic trust
Closing in favor of PR #589
Issues with Status "Submitted"
https://bitbucket.org/openid/connect/issues?is_spam=%21spam&status=submitted
#448: Opened and discussed #2024: oidcc-prompt-none-logged-in test should accept login_required response
Tom asked about the new "Custom URI Schemes on iOS" text
https://openid.net/specs/openid-connect-core-1_0-32.html#iOSCustomSchemes
He thinks we should say more clearly that this is insecure
Next Call
The next call will be the SIOP Special Topic call on Thursday, August 17th at 7am Pacific Time