[Openid-specs-ab] FW: NIST 800-63-1 FINAL

Mike Jones Michael.Jones at microsoft.com
Wed Dec 14 05:29:55 UTC 2011


In that case, you should probably review the checkin that Edmund made to Basic and Standard to fix this bug, since he copied a lot of the Security Considerations text from Basic to Standard.  If that was out of date, it will need to be corrected in both places.

If there are fewer security considerations that apply to Basic than Standard, they should remain distinct.  If they are EXACTLY the same (i.e. there are no security considerations in Standard that don't apply to Basic), then I think it's OK to reference the ones in Standard from Basic.  (Although I suspect there have to be more that are pertinent to Standard.)

For what it's worth, there's already one significant reference from Basic to Messages in which it says to refer to it if the implementer wants to process the ID Token directly.

-- Mike

From: Nat Sakimura [mailto:sakimura at gmail.com]
Sent: Tuesday, December 13, 2011 8:47 PM
To: Mike Jones
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] FW: NIST 800-63-1 FINAL

Actually, Basic's Security consideration is stale.
In Standard and Messages, we decided to include the description of the threat directly in the spec, so we no longer need to reference SP800-63. It also removed the word "assertion".

We should do the same with the Basic.

Now, here is a question.

We have been avoiding referencing Standard or Messages from Basic.
In general, that would be good, but I am not sure if we really need to carry it through for the security considerations as well. Perhaps just referencing the security considerations of Standard would suffice?

=nat

On Wed, Dec 14, 2011 at 1:33 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:
We reference 800-63 in our specs.  We probably should update the reference.  I'll file a bug.

Also, oddly, this is referenced in Basic but not in Messages or Standard.  In the bug, I'll also include instructions to copy this to the appropriate place, since everything in Basic should be in one or the other of these specs.

-- Mike



From: Stephen Skordinski [mailto:sskordinski at electrosoft-inc.com]
Sent: Tuesday, December 13, 2011 8:31 AM
To: AB; dsif at tscp.org
Subject: NIST 800-63-1 FINAL

No, that's not a typo in the subject: after years of reviews and revisions, NIST 800-63-1 is now a final release.

Article: http://www.nist.gov/itl/csd/sp80063-121311.cfm
Document: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=910006

-Steve

_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab



--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
