[Openid-specs-ab] Spec call notes 8-Dec-16

Mike Jones Michael.Jones at microsoft.com
Thu Dec 8 21:17:24 UTC 2016

Spec call notes 8-Dec-16

Mike Jones
Nat Sakimura
John Bradley
Phil Hunt
George Fletcher
Brian Campbell
Roland Hedberg

              RP Certification Launch
              New Certification Work
              Implementer's Draft Votes
              OpenID Connect Federation spec
              Connect Errata
              Open Issues
              Next Call

RP Certification Launch
              Mike reported that we are now ready to accept RP certifications
                           We will be counting on Hans, Edmund, Roland, etc. for initial submissions
              John asked about testing AppAuth
                           Mike said that William and Adam have said that they want to test
                           We believe that it's highly in everyone's interest to do the testing and understand gaps
                           John will talk with William and Adam about making this happen
              John talked about the thousands of apps that are insecure that do non-Connect OAuth-y things
                           Some of these profiles use "azp"
                           We would need an actual spec for handing ID Tokens to worker sites in order to test it
                           This is possible new work in the Connect WG
                           It's on the boundary between OAuth and Connect
                           George: There are lots of things people do that are worth documenting
                           Some of this stuff takes ID Tokens and treats them as access tokens
                           Some of this work would be to profile down what we already have
                           The OAuth Native Apps BCP is relevant https://tools.ietf.org/html/draft-ietf-oauth-native-apps

New Certification Work
              We will be updating the software version
                           We will need volunteers to retest OPs
              There will be new certification profiles for the WG to review
                           For instance form post response mode, refresh token, logouts
                           Mike will send the new profile definitions for the working group to review

Implementer's Draft Votes
              We should have Implementer's Draft votes for the three logout specs soon
                           Mike needs to update the Back-Channel Logout draft to use the latest SecEvent syntax first
              FAPI is almost ready to submit for votes as well
                           Nat (as WG chair) will get Mike (as secretary) the drafts and announcement text

OpenID Connect Federation spec
              Roland reported that several people in the GEANT project are doing implementations in different languages
              The plan is to do interop and test the theoretical model in reality
              People wonder whether the key handling will be too complicated for administrators
              Mike asked whether it is still asymmetric with one OP and multiple RPs
                           Roland said that it's now symmetric
              People are happy that it supports multiple federations explicitly

Connect Errata
              Mike still has a few edits to do
              Eventually we will want to use the OAuth AS Metadata registry in our Discovery spec
                           Mike and Phil had a side conversation about moving the AS Metadata spec forward

Open Issues
              #1000: Logout Token has wrong mandatory field (sub vs. jti)
                           Previously discussed.  Now assigned to Mike.
              #1002: Clarify meaning of exp claim in ID Token
                           Previously discussed.  Now assigned to Mike.
              #1003: Document possible impacts of disabling third-party cookies on front-channel logout
                           The working group is seeking more information on things that work and don't
              #1004: Core 8.1 Pairwise identifier algorithm and native apps
                           The working group should look at this
              #1005: Clarify "left truncated SHA-2 hash" in section on symmetric encryption
                           Editorial.  Assigned to Mike.
              #1006: Clarify text in Third Party Initiated Login
                           Mike will propose language
                           John pointed out that we need warning language about 3rd party logout due to the mix-up attack

Next Call
              The call is scheduled for Monday at 3pm Pacific time but too many people will be on vacation
                           We will cancel that one
              We will try to have the call on Thursday the 22nd in two weeks
              We are also cancelling the call on December 26th
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20161208/0b9d759c/attachment-0001.html>

More information about the Openid-specs-ab mailing list