[Openid-specs-ab] Candidate OpenID Connect errata correction drafts published

Tom Jones thomasclinganjones at gmail.com
Tue Aug 15 04:54:29 UTC 2023


I read through the OIDC errata - mostly good.
One concern is section 16;23 which describes the iOS ability to assign
handlers. The paragraph is correct, but there are severe security
considerations to this solution that are not included in the document
anywhere. Specifically it is too easy to get the user to reassign the
pointer to malware. It is easy to get users to do this in my experience, so
security considerations are warranted.  I did not yet file an issue to see
if anyone agreed with me, and then I would do it.

Let's not lead the user into danger. ..tom


On Mon, Aug 14, 2023 at 10:39 AM Andrii Deinega via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> https://mailarchive.ietf.org/arch/msg/oauth/9DdkE2P0RrUZMeZAbdf3NrMfy0w/
> is a link to a discussion on the "pragma" response header in OAuth 2 WG.
>
> Regards,
> Andrii
>
> On Mon, Aug 14, 2023 at 10:23 AM Andrii Deinega <andrii.deinega at gmail.com>
> wrote:
>
>> Hi Michael,
>>
>> Two very minor things.
>>
>> 1. The pragma HTTP response header can be removed from all examples from
>> all specs. Take a look at an old discussion in the OAuth 2 WG. OAuth 2.1
>> spec does not have any references to it either.
>>
>> 2. The no-store is the strongest cache directive and it already includes
>> no-cache. Hence, the use of "Cache-Control: no-store" in all examples
>> should be enough.
>>
>> Regards,
>> Andrii
>>
>>
>> On Sun, Aug 13, 2023 at 3:23 PM Michael Jones via Openid-specs-ab <
>> openid-specs-ab at lists.openid.net> wrote:
>>
>>> I’ve published drafts incorporating all the proposed errata corrections
>>> for the OpenID Connect family of specifications.  This is a major step
>>> along the way both towards publishing our second errata set for OpenID
>>> Connect and for submission to ISO as Publicly Available Specification (PAS)
>>> standards.
>>>
>>> The drafts incorporating the errata corrections are:
>>>
>>>    - https://openid.net/specs/openid-connect-core-1_0-32.html
>>>    - https://openid.net/specs/openid-connect-discovery-1_0-35.html
>>>    - https://openid.net/specs/openid-connect-registration-1_0-37.html
>>>    - https://openid.net/specs/openid-connect-backchannel-1_0-11.html
>>>
>>> The History sections of the specs describe each of the changes made.  If
>>> you want to see the precise changes incorporated, I suggest using your
>>> favorite HTML-capable diff tool (such as Microsoft Word) and comparing the
>>> baseline docs below to the ones above:
>>>
>>>    - https://openid.net/specs/openid-connect-core-1_0-errata1.html
>>>    - https://openid.net/specs/openid-connect-discovery-1_0-errata1.html
>>>    - https://openid.net/specs/openid-connect-registration-1_0-errata1.html
>>>    - https://openid.net/specs/openid-connect-backchannel-1_0-final.html
>>>
>>> Diffs are also possible for the .txt and .xml versions of the specs;
>>> just substitute “html” in the URLs above for “txt” or “xml” and use your
>>> favorite diff tool.
>>>
>>> I plan to ask for working group review of these changes during
>>> tomorrow’s working group call.  Following the working group review, we’ll
>>> hold the foundation-wide 45-day proposed errata review and then the
>>> approval vote.
>>>
>>> -- Mike
>>>
>>> P.S.  Our two Implementer’s Guides were also updated in parallel to keep
>>> them current with the versions incorporating errata corrections.  The
>>> corresponding versions are:
>>>
>>>    - https://openid.net/specs/openid-connect-basic-1_0-44.html
>>>    - https://openid.net/specs/openid-connect-implicit-1_0-27.html