[Openid-specs-ab] Spec call notes 10-Feb-14

Mike Jones Michael.Jones at microsoft.com
Mon Feb 10 23:53:28 UTC 2014


Spec call notes 10-Feb-14

John Bradley
Edmund Jay
Mike Jones

Agenda:
               Connect Voting
               Open Issues
               Future Meetings
               Session Management
               Interactive Client Registration
               Call Schedule

Connect Voting:
               The voting tool will start the voting tomorrow
               It will close two weeks from then

Open Issues:
               #917 - space is delimiter while also a legal character in client_id and session state
                              This seems like a problem we'll need to address
                              Mike asked whether the postMessage character set is ASCII or Unicode
                                             If Unicode, we could use a non-ASCII separator
                                             Or we could use a different ASCII character, such as Delete (0x7f)
                              More investigation seems like it's needed
               #915 - Computation of OP session_state in the IdP requires origin URI
                              Todd Lainhart is to propose specific text
               #914 - Session 5 - Missing client_id parameter
                              This seems to need more discussion
               #880 - Host the endpoint https://self-issued.me/registration/1.0/
                              This is still on John's to-do list

Future Meetings:
               Before IETF 89 in London
                              We have requested a room from noon-5
                              OpenID would take the first half, OAuth the second
                              John will set up Eventbrite registration for this
               During RSA in San Francisco
                              Mike still needs to investigate this possibility - probably after Friday's IETF submission deadline

Session Management:
               Breno and Naveen had a conversation with John and Nat about session management
               They're concerned about RPs generating a lot of traffic at IdPs
               They believe that token caching is needed
               Mike questioned what level of the specs this should happen at, and what we need to do
               Breno asked whether having RPs have logout notification endpoints wouldn't work better in some cases
               John brought up that some RPs might not want to have JavaScript
                              Devices like Layer7 intermediary devices and others may have problems injecting JavaScript into the HTML
               Breno was also worried about postMessage security vulnerabilities
                              This may mostly have to do with using postMessage for authentication
                              All JavaScript widgets share the same postMessage channel
                              For session management, we're only sending "yes" or "no" so we're not leaking much information
                              Versus sending the ID Token via postMessage, which would be a concern
               Mike plans to try to talk with Breno and Naveen in person this week about next steps

Interactive Client Registration
               Google also discussed wanting to do dynamic client registration for IMAP clients
               This requires user interaction, which dynamic registration doesn't currently support
               As a side effect, they would like to also issue tokens
               They liked the software statement idea
               They only want to issue Client IDs to be created for authenticated users
               John will think about whether and how they can accomplish this with our existing protocol flows
                              We think that this is possible

Call Schedule:
               There's been no discussion about call times on the list so far
               We will continue with the weekly Thursday calls for now
               People are encouraged to discuss what the right schedule is on the list
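
Added example, not part of the original notes: a JavaScript sketch of the ambiguity raised in #917, assuming the postMessage payload is client_id and session_state joined by a single separator character. The function names and sample values are hypothetical and constructed for illustration; 0x7f is the alternative separator mentioned in the notes.

```javascript
// Added illustration; all names are hypothetical, sample values are constructed.
const SPACE = " ";
const DEL = "\x7f"; // alternative ASCII separator floated in the notes

// Join the two fields with one separator between them, as issue #917 describes.
function encodeMessage(clientId, sessionState, sep) {
  return clientId + sep + sessionState;
}

// Every (client_id, session_state) pair that could have produced `data`.
// More than one entry means the receiver cannot tell which pair was sent.
function candidateSplits(data, sep) {
  const out = [];
  for (let i = data.indexOf(sep); i !== -1; i = data.indexOf(sep, i + 1)) {
    const clientId = data.slice(0, i);
    const sessionState = data.slice(i + sep.length);
    if (clientId !== "" && sessionState !== "") out.push({ clientId, sessionState });
  }
  return out;
}

// Receiver-side check: accept only when exactly one interpretation exists.
function parseStrict(data, sep) {
  if (typeof data !== "string") return null;
  const candidates = candidateSplits(data, sep);
  return candidates.length === 1 ? candidates[0] : null;
}

// Sender-side check: refuse to emit a field that contains the separator.
function encodeStrict(clientId, sessionState, sep) {
  if (clientId.includes(sep) || sessionState.includes(sep)) {
    throw new RangeError("field contains the separator character");
  }
  return encodeMessage(clientId, sessionState, sep);
}

// Constructed case: two different pairs collapse to one space-delimited string.
function demo() {
  const a = encodeMessage("my client", "abc123.salt", SPACE);
  const b = encodeMessage("my", "client abc123.salt", SPACE);
  return { collide: a === b, interpretations: candidateSplits(a, SPACE).length };
}
console.log(demo());
```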
