[Openid-specs-ab] Spec call notes 19-Jan-17

Mike Jones Michael.Jones at microsoft.com
Thu Jan 19 16:36:16 UTC 2017


Spec call notes 19-Jan-17

John Bradley
Mike Jones
Roland Hedberg
Phil Hunt
George Fletcher
Brian Campbell
Rich Levinson
Nat Sakimura

Agenda
              Certification Update
              Backchannel Logout
              Logout Implementer's Draft Votes
              AppAuth Fork
              Federation Spec
              Open Issues
              Next Call

Certification Update
              There are 4 RP certifications
              Nov Matake is also testing now
              Roland has deployed the new OP test tool on a virtual machine
              Ping is testing
              Edmund Jay has completed testing for NRI.  The signatures are still needed.

Backchannel Logout
              Mike published an updated Backchannel Logout spec
              It is in sync with the current SecEvents spec
              It now allows either "sub" or "sid" or both
              It also removes some cut-and-paste text about the backchannel_logout_uri
              We can say that unless a "sid" is present, that the intent is to logout all sessions at that RP
              We can say that logout may involve clearing or revoking additional state associated with the session, such as security tokens
                           Phil suggested that we do this in the security considerations
              George described different kinds of logouts that could be performed
              We should say that the messages originate from the OP and the OP may have done other cleanups as part of the logout
              RP-initiated logout is triggered by a different message, which applies to all logout messages

Logout Implementer's Draft Votes
              Mike proposes that we start a one-week review process for implementer's draft votes for the logout specs
              We should include Session Management in the bundle

AppAuth Fork
              Mike Schwartz described an AppAuth fork he had made
              John said that there are Google-specific things in the example app - not in the mainline code
                           Nat thinks that it's just Google-specific URLs - not Google-specific APIs
                           John said that there is also the use of a Google configuration shortcut in the example app
                           Others could submit pull requests to enable configuration with other OPs
                           Nat thinks we may need to dig a little deeper
              Mike Schwartz pointed out that the AppAuth code is not validating the ID Token signature
                           George thought that we should merge that in
                           John said that AppAuth is code flow only, so this isn't a security risk per-se
                           John said that we should do this in the client
                           John said that Adam Dawes was worried about lazy developers who might pass a validated ID Token to a server that then would not validate it
                           John thought that we should still check it in the client and also check it other places it is passed
                           Mike Jones said that this is about communication within the app and that we might want to document best practices for that pattern
                           If Mike Schwartz made a pull request for the signature validation across platforms, we would appreciate that
              John said that there is interest in an AppAuth version for the Windows Universal Platform

Federation Spec
              Roland reported that a number of parties are starting pilots using the current federation draft
              There's one in Europe, one in the US, and one in Australia/New Zealand
              The Kantara Otto working group is also using the draft
              The metadata statements have lifetimes on them - usually related to the signature lifetimes
              There isn't currently a way to revoke them
              There isn't a globally unique identifier for an entity, which some want for accounting purposes
                           John said that we have issuer for OPs - this is only a problem for RPs
              Having this would let you do revocation based on a blacklist of entity IDs
              Roland is also writing tests for the draft

Open Issues
              There are no new open issues

Next Call
              The next call is Monday, January 23rd at 3pm Pacific
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20170119/50f14a88/attachment.html>


More information about the Openid-specs-ab mailing list