[Openid-specs-ab] Spec call notes 2-Dec-13

Nat Sakimura nat at sakimura.org
Tue Dec 3 00:25:08 UTC 2013


Re: Open Issues:

Actually, we went over the new issues #905 - #910 and all of them were
assigned. As a result, there are no new open issues as of the end of the
call.


2013/12/3 Mike Jones <Michael.Jones at microsoft.com>

>  Spec call notes 2-Dec-13
>
>
>
> John Bradley
>
> Edmund Jay
>
> Brian Campbell
>
> Nat Sakimura
>
> Mike Jones
>
>
>
> Agenda:
>
>                IdP-initiated Login
>
>                Open Issues
>
>                E-mails to the list
>
>                Hosting self-issued.me
>
>                Editing Status
>
>
>
> Editing Status:
>
>                Mike applied Justin's Core comments, which resulted in
> numerous small changes
>
>                There remain about 10 comments tracked in e-mails and about 6
> as tracked issues
>
>                After applying those, Mike expects to publish new release
> candidates
>
>                These release candidates will not include the results from
> the reviews of Discovery & Registration
>
>                New release candidates will be published after these
> reviews are applied
>
>
>
> IdP-initiated Login:
>
>                Also see the thread "Login Initiation endpoint" and issue
> #904
>
>                John doesn't believe there's a threat with sending
> id_token_hint as a query parameter
>
>                We should say that the endpoint accepts both HTML form POST
> and GET
>
>                               This prevents things leaking through
> redirects
>
>                The id_token parameter could be added as an extension
>
>                Nat asked about preventing XSRF
>
>                               John replied that this can only happen if
> the third party can trick the OP into sending an ID Token
>
>                               Because only the OP can create a valid ID
> token
>
>                               Even if the attacker logs in with his own
> credentials to an IdP, he cannot trigger login to a third party
>
>                                              Because of the protections
> provided by the Implicit or Code flows
>
>                               Nat is concerned with attackers logging a user in
> with the wrong account
>
>                Nat wants to do this as an extension so we have time for a
> thorough security analysis
>
>                               John is OK with this, provided that we allow
> HTML form post
>
>                               Nat is OK with this too
>
>
>
> Open Issues:
>
>                There are no new open issues
>
>                John plans to add one to track his message "Login
> Initiation endpoint"
>
>
>
> E-mails to the list:
>
>
>
>
>
> Hosting self-issued.me
>
>                John will try to work on this this week
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
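The call notes above say the login initiation endpoint should accept both an HTML form POST and a GET, and that the XSRF concern is bounded because only the OP can mint a valid ID Token and the normal Code/Implicit flow protections still apply. The following is an added illustration of what that looks like on the Relying Party side; it is example code written for this page, not code from the thread, the spec, or the OpenID Foundation. It assumes a hypothetical RP configuration (placeholder client_id, redirect_uri and a single trusted OP), the `iss`, `login_hint` and `target_link_uri` parameters of Third-Party Initiated Login from OpenID Connect Core, and an in-memory store standing in for a server-side session. The point it demonstrates is that the initiation request never logs anyone in: it only validates the issuer and target, then starts an ordinary authorization code request with a fresh `state` and `nonce` bound to this browser session.

```python
import secrets
from urllib.parse import urlencode, urlparse

# Constructed configuration for a hypothetical RP; these are placeholder values, not from the thread.
RP_CONFIG = {
    "client_id": "example-rp-client-id",
    "redirect_uri": "https://rp.example/callback",
    # Only OPs the RP is registered with may initiate a login; iss is matched exactly.
    "trusted_ops": {
        "https://op.example": {"authorization_endpoint": "https://op.example/authorize"},
    },
}

# Server-side session store (constructed): state -> nonce and post-login target to check on callback.
PENDING_LOGINS = {}


def _same_origin(target, redirect_uri):
    """target_link_uri must point back at this RP over https, never at a third party."""
    t, r = urlparse(target), urlparse(redirect_uri)
    return t.scheme == "https" and t.scheme == r.scheme and t.netloc == r.netloc


def handle_login_initiation(method, params, config=RP_CONFIG, store=PENDING_LOGINS):
    """Handle one request to the RP's login initiation endpoint.

    The same parameters are accepted from a GET query string and a POST form body,
    so an initiator can use a form POST and keep hint values out of URLs, referers
    and redirect chains. Nothing here establishes a session: the only effect is a
    redirect to the trusted OP carrying a fresh state and nonce.
    """
    if method not in ("GET", "POST"):
        return {"status": 405, "error": "method_not_allowed"}

    iss = params.get("iss")
    if not iss or iss not in config["trusted_ops"]:
        # An unknown or missing issuer is rejected; the RP never guesses an OP from a hint.
        return {"status": 400, "error": "unknown_issuer"}

    target = params.get("target_link_uri")
    if target is not None and not _same_origin(target, config["redirect_uri"]):
        return {"status": 400, "error": "invalid_target_link_uri"}

    # Fresh, unguessable values per initiation; the callback handler (not shown)
    # must find the state in the store and match the nonce in the ID Token.
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    store[state] = {"iss": iss, "nonce": nonce, "target_link_uri": target}

    query = {
        "response_type": "code",
        "client_id": config["client_id"],
        "redirect_uri": config["redirect_uri"],
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    login_hint = params.get("login_hint")
    if login_hint:
        # Passed through as a hint only; the OP decides who actually authenticates.
        query["login_hint"] = login_hint

    endpoint = config["trusted_ops"][iss]["authorization_endpoint"]
    return {"status": 302, "location": endpoint + "?" + urlencode(query), "state": state}
```

Because the ID Token is only ever accepted on the redirect_uri after the state lookup and nonce check succeed, a forged initiation request can at most send the browser to the real OP's authorization endpoint; it cannot produce a login for an account the OP did not authenticate.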