[Openid-specs-ab] Spec call notes 18-Aug-16

Mike Jones Michael.Jones at microsoft.com
Thu Aug 18 15:20:45 UTC 2016


Spec call notes 18-Aug-16

Mike Jones
John Bradley
Nat Sakimura
Brian Campbell
George Fletcher
Phil Hunt

Agenda
              Open Issues
              Errata Issues
              Upcoming Events
              Logout
              Events Spec
              Next Call

Open Issues
              There was one new issue:
              #998: subject_types_supported - should or must?
              We will change the SHOULD in Core to MUST - matching Discovery, which is authoritative here.

Errata Issues
              #979: Discovery / Security Considerations: CSRF attack on user input identifier
              We discussed the need for CSRF protection on the input form
                             Possible xsrf reference https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

              #994: Definition of country value within address claim
              We will change the example to spell out a country, rather than using "US", which could be an ISO code
              Mike will also talk to people in Microsoft interested in an ISO code claim (which is a different thing) and report back

              Nat filed issue #999 asking for clarification of paragraph 3 of 3.1.2.6 on error responses and Redirection URI.
                             A non-English native speaker had misread it.

Upcoming Events
              Registration for IETF 97 in Seoul has opened
              We discussed whether to have an educational event for local developers
                             For this to succeed, we'd need local contacts
                             Nat suggested possibly ETRI people
                             We could do this on the Sunday

Logout
              Phil filed #1000: Logout Token has wrong mandatory field
              We discussed that the session ID will be the primary key for many RPs (not the JTI)
              For other RPs, the subject will be the primary key
              That's why both should normally be provided
              John: When you assert a subject and a session ID, the subject must be the one associated with the session ID
              John pointed out that we once had an "ephemeral" subject type, which we could add

Events Spec
              Phil is about to publish -03
              It now has language saying that it's one event, possibly with extensions

Next Call
              Our next call will be Monday, August 22nd at 4pm Pacific / Tuesday morning in Japan
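The Logout discussion above (session ID as the RP's primary key, subject as the fallback, and the subject having to match the one bound to the session when both are asserted) as an added example, not code from the call notes or from the OpenID specs. It assumes the logout token has already been signature-, issuer- and audience-checked and is passed in as a dict of claims; the Session class and the session store are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Session:
    sid: str          # OP session identifier the RP recorded at login (constructed)
    sub: str          # subject the session was established for
    active: bool = True


class LogoutTokenError(ValueError):
    pass


def apply_logout(token: dict, sessions: Dict[str, Session]) -> List[str]:
    """Terminate RP sessions named by a logout token; returns the sids ended.

    Rules as discussed on the call (not quoted from the spec):
      - at least one of "sub" / "sid" must be present;
      - if "sid" is present, it is the primary key for this RP;
      - if both are present, the subject bound to the session must equal "sub";
      - if only "sub" is present, every active session for that subject ends.
    """
    sub = token.get("sub")
    sid = token.get("sid")
    if sub is None and sid is None:
        raise LogoutTokenError("logout token carries neither sub nor sid")

    ended: List[str] = []
    if sid is not None:
        sess = sessions.get(sid)
        if sess is None:
            return ended          # unknown session: nothing to end, not an error
        if sub is not None and sess.sub != sub:
            # The token does not describe this session; refuse rather than
            # ending a session that belongs to a different subject.
            raise LogoutTokenError("sub does not match the subject bound to sid")
        if sess.active:
            sess.active = False
            ended.append(sid)
        return ended

    # Subject-only token: the subject is the key, so all its sessions end.
    for sess in sessions.values():
        if sess.sub == sub and sess.active:
            sess.active = False
            ended.append(sess.sid)
    return ended
```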