[Openid-specs-ab] FW: NIST 800-63-1 FINAL

Nat Sakimura sakimura at gmail.com
Wed Dec 14 09:37:09 UTC 2011


Oh no. This is a disaster.
I just noticed that Basic was out of sync but the commit now reverted all
the correct changes that we made. It is something that was dealt with in #298.
Since the ticket was stating only about Messages and Standard, it did not
deal with Basic.

Folks, do not work on the current head.

=nat

On Wed, Dec 14, 2011 at 6:35 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:

> P.S.  Is there any other text that any of you are aware is out of date
> (or out of sync between Basic and Standard/Messages)?  If so, now’s the
> time to correct it…
>
> *From:* openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] *On Behalf Of* Mike Jones
> *Sent:* Tuesday, December 13, 2011 9:30 PM
> *To:* Nat Sakimura
> *Cc:* openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] FW: NIST 800-63-1 FINAL
>
> In that case, you should probably review the checkin that Edmund made to
> Basic and Standard to fix this bug, since he copied a lot of the Security
> Considerations text from Basic to Standard.  If that was out of date, it
> will need to be corrected in both places.
>
> If there are fewer security considerations that apply to Basic than
> Standard, they should remain distinct.  If they are EXACTLY the same (i.e.
> there are no security considerations in Standard that don’t apply to
> Basic), then I think it’s OK to reference the ones in Standard from Basic.
> (Although I suspect there have to be more that are pertinent to Standard.)
>
> For what it’s worth, there’s already one significant reference from Basic
> to Messages in which it says to refer to it if the implementer wants to
> process the ID Token directly.
>
> -- Mike
>
> *From:* Nat Sakimura [mailto:sakimura at gmail.com]
> *Sent:* Tuesday, December 13, 2011 8:47 PM
> *To:* Mike Jones
> *Cc:* openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] FW: NIST 800-63-1 FINAL
>
> Actually, Basic's Security consideration is stale.
>
> In standard and messages, we decided to include the description of the
> threat directly in the spec so we no longer need to reference SP800-63. It
> also removed the word "assertion" as well.
>
> We should do the same with the Basic.
>
> Now, here is a question.
>
> We have been avoiding referencing standard or messages from Basic.
>
> In general, it would be good, but I am not sure if we really need to carry
> it through for security consideration as well? Perhaps just referencing the
> security consideration of the Standard suffices?
>
> =nat
>
> On Wed, Dec 14, 2011 at 1:33 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:
>
> We reference 800-63 in our specs.  We probably should update the
> reference.  I’ll file a bug.
>
> Also, oddly, this is referenced in Basic but not in Messages or Standard.
> In the bug, I’ll also include instructions to copy this to the appropriate
> place, since everything in Basic should be in one or the other of these
> specs.
>
> -- Mike
>
> *From:* Stephen Skordinski [mailto:sskordinski at electrosoft-inc.com]
> *Sent:* Tuesday, December 13, 2011 8:31 AM
> *To:* AB; dsif at tscp.org
> *Subject:* NIST 800-63-1 FINAL
>
> No, that's not a typo in the subject, after years of reviews and
> revisions, NIST 800-63-1 is now a final release.
>
> Article: http://www.nist.gov/itl/csd/sp80063-121311.cfm
>
> Document: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=910006
>
> -Steve
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en