[Openid-specs-ab] FW: NIST 800-63-1 FINAL

Nat Sakimura sakimura at gmail.com
Wed Dec 14 10:57:04 UTC 2011


It is all clear now.

You can re-start from the current head version.

Cheers,

=nat

On Wed, Dec 14, 2011 at 10:37 AM, Nat Sakimura <sakimura at gmail.com> wrote:

> Oh no. This is a disaster.
> I just noticed that Basic was out of sync but the commit now reverted all
> the correct changes that we made. It is something that was dealt with in #298.
> Since the ticket was stating only about Messages and Standard, it did not
> deal with Basic.
>
> Folks, do not work on the current head.
>
> =nat
>
>
> On Wed, Dec 14, 2011 at 6:35 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:
>
>> P.S.  Is there any other text that any of you are aware is out of date
>> (or out of sync between Basic and Standard/Messages)?  If so, now’s the
>> time to correct it…
>>
>> *From:* openid-specs-ab-bounces at lists.openid.net [mailto:
>> openid-specs-ab-bounces at lists.openid.net] *On Behalf Of *Mike Jones
>> *Sent:* Tuesday, December 13, 2011 9:30 PM
>> *To:* Nat Sakimura
>>
>> *Cc:* openid-specs-ab at lists.openid.net
>> *Subject:* Re: [Openid-specs-ab] FW: NIST 800-63-1 FINAL
>>
>> In that case, you should probably review the checkin that Edmund made to
>> Basic and Standard to fix this bug, since he copied a lot of the Security
>> Considerations text from Basic to Standard.  If that was out of date, it
>> will need to be corrected in both places.
>>
>> If there are fewer security considerations that apply to Basic than
>> Standard, they should remain distinct.  If they are EXACTLY the same (i.e.
>> there are no security considerations in Standard that don’t apply to
>> Basic), then I think it’s OK to reference the ones in Standard from Basic.
>> (Although I suspect there have to be more that are pertinent to Standard.)
>>
>> For what it’s worth, there’s already one significant reference from Basic
>> to Messages in which it says to refer to it if the implementer wants to
>> process the ID Token directly.
>>
>> -- Mike
>>
>> *From:* Nat Sakimura [mailto:sakimura at gmail.com]
>> *Sent:* Tuesday, December 13, 2011 8:47 PM
>> *To:* Mike Jones
>> *Cc:* openid-specs-ab at lists.openid.net
>> *Subject:* Re: [Openid-specs-ab] FW: NIST 800-63-1 FINAL
>>
>> Actually, Basic's Security consideration is stale.
>>
>> In standard and messages, we decided to include the description of the
>> threat directly in the spec so we no longer need to reference SP800-63. It
>> also removed the word "assertion" as well.
>>
>> We should do the same with the Basic.
>>
>> Now, here is a question.
>>
>> We have been avoiding referencing standard or messages from Basic.
>>
>> In general, it would be good, but I am not sure if we really need to
>> carry it through for security consideration as well? Perhaps just
>> referencing the security consideration of the Standard suffices?
>>
>> =nat
>>
>> On Wed, Dec 14, 2011 at 1:33 AM, Mike Jones <Michael.Jones at microsoft.com>
>> wrote:
>>
>> We reference 800-63 in our specs.  We probably should update the
>> reference.  I’ll file a bug.
>>
>> Also, oddly, this is referenced in Basic but not in Messages or
>> Standard.  In the bug, I’ll also include instructions to copy this to the
>> appropriate place, since everything in Basic should be in one or the other
>> of these specs.
>>
>> -- Mike
>>
>> *From:* Stephen Skordinski [mailto:sskordinski at electrosoft-inc.com]
>> *Sent:* Tuesday, December 13, 2011 8:31 AM
>> *To:* AB; dsif at tscp.org
>> *Subject:* NIST 800-63-1 FINAL
>>
>> No, that's not a typo in the subject, after years of reviews and
>> revisions, NIST 800-63-1 is now a final release.
>>
>> Article: http://www.nist.gov/itl/csd/sp80063-121311.cfm
>>
>> Document: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=910006
>>
>> -Steve
>>
>>
>> --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>>
>
>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en