[Openid-specs-ab] Spec call notes 31-Aug-15

Mike Jones Michael.Jones at microsoft.com
Tue Sep 1 00:02:34 UTC 2015


Spec call notes 31-Aug-15

Mike Jones
John Bradley
Edmund Jay
Nat Sakimura

Agenda
                Errata and Issues
                Workshop before IIW
                Workshop after IETF 94 Yokohama
                Certification
                Next Call

Errata and Issues
                #968 - Inconsistent treatment of id_token_hint
                                Mike will apply the proposed resolution and then have people review the result
                #970 - Core - 2 - ID Token acr claim incorrectly specifies the level 0 of assurance
                                John still needs to take a stab at new wording saying what "0" meant historically
                #973 - Core 2 / 3.1.3.7 - azp claim underspecified and overreaching
                                We got data on what Google is actually doing with "azp"
                                Notably, it is not used in an OpenID Connect protocol flow
                                Brian's comment "Rather Connect should strive for something that's consistent and easily comprehensible" seems dead on
                                Mike will take a stab at slightly revised wording following Brian's suggestions
                                John suggests that RPs reject tokens with "azp" unless they understand what is going on
                #974 - Deprecated algorithm RSA1_5 used in spec examples and self-issued
                                We should clearly change the examples
                                Self-issued is a more intricate issue
                                Mike suggests that we're probably better off deprecating singing and encrypting with the same key
                                John says that encrypting to the client is an edge case
                                                You can only do this upon the second interaction with the provider!
                #975 - Do we add additional related specifications?
                                Mike will do
                #976 - Unregistered openid2_realm and openid2_id
                                Mike will prepare text that registers these values.
                #977 - How to handle an unsupported response_mode?
                                John pointed out that if you don't support the response_mode, you can't even return error and error_description
                                Therefore, we'll return 400.
                #978 - URL for errata
                                Mike documented our existing practice in the bug
                                We should probably make a blog post saying how other specs can reference current versions and specific versions, as makes sense in their use cases.
                                We could explicitly put language about URLs for the current and this versions in the spec, like the W3C does
                #979 - Discovery / Security Considerations: CSRF attack on user input identifier
                                We need to work out how to prevent MITM attacks against Dynamic Registration
                                The attack is getting someone to talk to a bad token endpoint
                                You don't know that you've registered at the right endpoint when you register
                                This issue clearly needs discussion on the mailing list.
                                One possible fix is to have registration return the token endpoint URL for a cross-check
                                Mike points out that in multi-tenant environment, the issuer will vary by tenant
                                We may want to look at how we're using the JWT token profile

                See the "Discovery Endpoint CORS support?" e-mail thread
                                Mike will file an issue about this
                                You need CORS support for JavaScript clients

                People should add any other errata issues to the tracker at
                                https://bitbucket.org/openid/connect/issues?status=new&status=open

Workshop before IIW
                People are registering
                http://www.eventbrite.com/e/openid-foundation-workshop-before-fall-2015-iiw-meeting-tickets-17960843366
                Nat needs to be removed from the agenda since he won't be able to attend
                Roland will be there and will do live RP test demonstrations
                Mike will ask Don if "HMG Cabinet Office Chairs" is correct for HEART

Workshop after IETF 94 Yokohama
                http://www.eventbrite.com/e/openid-summit-tokyo-2015-tickets-18111127871
                Registration is not yet open for that
                Registrations may actually happen on a different Japanese page
                Nat translated the Japanese event page to English at http://j.mp/cfp_oid15

Certification
                Roland fixed some RP certification bugs but his WebFinger responses use https://localhost:8080/
                Edmund has reported this to Roland
                Roland is officially back from vacation tomorrow (Tuesday)

Next Call
                On Thursday September 3rd at the European-Friendly time of 7am Pacific this week
                We are cancelling the Monday September 7th call, which falls on the US Labor Day holiday
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20150901/5427a671/attachment.html>


More information about the Openid-specs-ab mailing list