[Openid-specs-ab] Spec call notes 18-Aug-16
Michael.Jones at microsoft.com
Thu Aug 18 15:20:45 UTC 2016
There was one new issue:
#998: subject_types_supported - should or must?
We will change the SHOULD in Core to MUST - matching Discovery, which is authoritative here.
#979: Discovery / Security Considerations: CSRF attack on user input identifier
We discussed the need for CSRF protection on the input form
Possible XSRF reference: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
#994: Definition of country value within address claim
We will change the example to spell out a country, rather than using "US", which could be an ISO code
Mike will also talk to people in Microsoft interested in an ISO code claim (which is a different thing) and report back
Nat filed issue #999 asking for clarification of paragraph 3 of 22.214.171.124 on error responses and Redirection URI.
A non-English native speaker had misread it.
Registration for IETF 97 in Seoul has opened
We discussed whether to have an educational event for local developers
For this to succeed, we'd need local contacts
Nat suggested possibly ETRI people
We could do this on the Sunday
Phil filed #1000: Logout Token has wrong mandatory field
We discussed that the session ID will be the primary key for many RPs (not the JTI)
For other RPs, the subject will be the primary key
That's why both should normally be provided
John: When you assert a subject and a session ID, the subject must be the one associated with the session ID
John pointed out that we once had an "ephemeral" subject type, which we could add
Phil is about to publish -03
It now has language saying that it's one event, possibly with extensions
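As an added illustration (not code from these notes, the draft, or any OpenID Foundation project) of how an RP could apply the #1000 discussion above: a Logout Token must carry sub and/or sid, and when both are present the sub must be the one tied to that sid. It assumes the JWT signature and iss/aud/iat/jti checks have already passed, a constructed sid-to-sub session table, and the back-channel logout event URI from the draft.

```python
# Constructed session table for a hypothetical RP: sid -> sub, as recorded at
# login from the ID Token. In a real RP this would be the session store.
SESSIONS = {"sess-abc": "user-42", "sess-def": "user-42", "sess-xyz": "user-7"}

# Event URI used by the Back-Channel Logout draft for the "one event" in the
# events claim; extensions may add further members beside it.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def select_logout_sessions(payload, sessions=SESSIONS):
    """Decide which RP sessions a signature-verified Logout Token payload ends.

    Returns {"accept": bool, "reason": str, "sids": [...]}.  sid is the primary
    key where present; otherwise sub is, and every session of that subject goes.
    """
    events = payload.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        return {"accept": False, "reason": "missing backchannel-logout event", "sids": []}

    sub, sid = payload.get("sub"), payload.get("sid")
    if sub is None and sid is None:
        return {"accept": False, "reason": "neither sub nor sid present", "sids": []}

    if sid is not None:
        owner = sessions.get(sid)
        if owner is None:
            # Unknown or already-ended session: a valid token with nothing to do.
            return {"accept": True, "reason": "no matching session", "sids": []}
        if sub is not None and owner != sub:
            # The asserted subject is not the one associated with this session.
            return {"accept": False, "reason": "sub does not match session owner", "sids": []}
        return {"accept": True, "reason": "matched by sid", "sids": [sid]}

    # sub only: terminate every session this RP holds for that subject.
    matched = sorted(s for s, owner in sessions.items() if owner == sub)
    return {"accept": True, "reason": "matched by sub", "sids": matched}


if __name__ == "__main__":
    token = {"events": {BACKCHANNEL_LOGOUT_EVENT: {}}, "sid": "sess-abc", "sub": "user-42"}
    print(select_logout_sessions(token))
```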
Our next call will be Monday, August 22nd at 4pm Pacific / Tuesday morning in Japan