[Openid-specs-ab] Spec call notes 19-Feb-15

Mike Jones Michael.Jones at microsoft.com
Thu Feb 19 16:16:25 UTC 2015


Spec call notes 19-Feb-15

Roland Hedberg
Justin Richer
Mike Jones
Brian Campbell
Edmund Jay
John Bradley
George Fletcher
Nat Sakimura

Agenda
               Certification
               Logout
               OpenID Workshop on April 6

Certification
               Roland managed to install all the software on the Symantec hosts
               We're missing the private keys for the certificates that they provided yesterday
               Don will be seeing them in 3 hours again and Mike and Roland will join them on a call

               Mike created initial certification pages at http://openid.net/certification/
               He asked people to review the content
               More specific submission instructions (including filenames, etc.) still need to be created

               Mike asked about the status of the dynamic registration tests
               Edmund wondered whether we need more tests for error cases, where the OP doesn't support things
               For instance, what if the client wants public subject values, but the OP can use pairwise values
                              What actually will be done will be returned in the registration response
               People can propose tests but we won't do everything in phase 1 - some will come later

               Don had asked when we are going to lock down the test content and instructions
                              We will do that a month before RSA

               Roland will put up the RP tests once rp.certification.openid.net is working

Logout
               Mike posted two drafts of an HTTP GET based logout spec
               The second adds an id_token query parameter that is optional
               Microsoft engineers pointed out that there are security reasons not to pass an ID Token as a query parameter

               John said that Google is interested in a back channel push logout to the relying party
                              Mike pointed out that there would need to be a session identifier for that to work
                              Google would put it in the ID Token
               They want to make it more useful for SaaS providers
                              John and Adam are writing that up
                              The front channel doesn't help you if you've lost your device

               The Microsoft people pointed out they do cascading logouts with iframe gets
                              They do image GETs to end nodes but iframe GETs to STSs
               John said that image GETs tend to be more parallelizable and reliable

               George asked whether it was an option to use CORS support
                              That would let you use POSTs
                              The problem with that is the browser will execute those sequentially

               John suggested that using an actual session ID is safer

               Let's use "sid" for the session identifier claim
                              John said that Google had a different idea for what claim to use, but didn't remember what it was
                                             Virtual Device User Identifier
                                             Something that identifies an OP device/user agent pair
                              Brian talked about the distinction between information usable as a session versus session identifiers
                              John said that the session ID may be persistent
                              SAML used SessionIndex for the same concept

OpenID Workshop on April 6
               https://openid-mar-2015.eventbrite.com
               We have the room all day
               We're currently scheduled to start at 11:00
               George has some proposals from working groups but not all of them
               Mike was wondering whether we'll actually need to start earlier, such as 10:00
               George will create an initial agenda and send it out for review
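
The session-identifier approach discussed under Logout above, as an added example that is not part of the meeting notes or of any OpenID draft: an RP-side registry keyed by issuer plus a "sid" claim (the claim name proposed on the call), so a back-channel logout push from the OP ends exactly the local sessions it names without the ID Token itself travelling in a URL. The shape of the ID Token claims and of the logout notification is assumed here, not taken from a spec.

```python
"""Added example: RP session registry for back-channel logout keyed by (iss, sid).
Assumption: the OP places a per-session 'sid' claim in the ID Token, and its
back-channel logout notification carries the same 'iss' and 'sid' values."""
from dataclasses import dataclass, field


@dataclass
class SessionRegistry:
    # (issuer, sid) -> set of local RP session ids created from that OP session
    by_sid: dict = field(default_factory=dict)
    # all local RP session ids that are still valid
    active: set = field(default_factory=set)

    def login(self, id_token_claims: dict, local_session_id: str) -> None:
        """Record a local session created from a verified ID Token.
        Only the issuer and the session identifier are indexed; the token
        itself is never reused as a lookup key or sent back in a query string."""
        key = (id_token_claims["iss"], id_token_claims["sid"])
        self.by_sid.setdefault(key, set()).add(local_session_id)
        self.active.add(local_session_id)

    def backchannel_logout(self, notification: dict) -> set:
        """Handle a server-to-server logout push from the OP.
        Returns the local sessions that were ended. Only sessions matching
        both issuer and sid are affected, so a notification from another
        issuer, or for an unknown sid, is a no-op rather than a broad logout."""
        key = (notification["iss"], notification["sid"])
        ended = self.by_sid.pop(key, set())
        self.active -= ended
        return ended


if __name__ == "__main__":
    # Constructed sample data: one OP session spans two RP sessions,
    # a second OP session backs a third.
    reg = SessionRegistry()
    reg.login({"iss": "https://op.example", "sub": "alice", "sid": "s-1"}, "rp-A")
    reg.login({"iss": "https://op.example", "sub": "alice", "sid": "s-1"}, "rp-B")
    reg.login({"iss": "https://op.example", "sub": "alice", "sid": "s-2"}, "rp-C")
    print(reg.backchannel_logout({"iss": "https://op.example", "sid": "s-1"}))
    print(reg.active)
```

Because the push arrives at the RP server rather than through the user's browser, the logout still takes effect when the device is lost, which is the gap in front-channel (image or iframe GET) logout noted on the call.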