[Openid-specs-ab] Spec call notes 19-Jan-17

Nat Sakimura sakimura at gmail.com
Fri Jan 20 02:50:50 UTC 2017


Hi Mike,

This comment:

> Nat thinks that it's just Google-specific URLs - not Google-specific APIs

Was not me. Probably John.

On Fri, 20 Jan 2017 at 1:36, Mike Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:

> Spec call notes 19-Jan-17
>
> John Bradley
> Mike Jones
> Roland Hedberg
> Phil Hunt
> George Fletcher
> Brian Campbell
> Rich Levinson
> Nat Sakimura
>
> Agenda
>     Certification Update
>     Backchannel Logout
>     Logout Implementer's Draft Votes
>     AppAuth Fork
>     Federation Spec
>     Open Issues
>     Next Call
>
> Certification Update
>     There are 4 RP certifications
>     Nov Matake is also testing now
>     Roland has deployed the new OP test tool on a virtual machine
>     Ping is testing
>     Edmund Jay has completed testing for NRI.  The signatures are still needed.
>
> Backchannel Logout
>     Mike published an updated Backchannel Logout spec
>     It is in sync with the current SecEvents spec
>     It now allows either "sub" or "sid" or both
>     It also removes some cut-and-paste text about the backchannel_logout_uri
>     We can say that unless a "sid" is present, that the intent is to logout all sessions at that RP
>     We can say that logout may involve clearing or revoking additional state associated with the session, such as security tokens
>         Phil suggested that we do this in the security considerations
>     George described different kinds of logouts that could be performed
>     We should say that the messages originate from the OP and the OP may have done other cleanups as part of the logout
>     RP-initiated logout is triggered by a different message, which applies to all logout messages
>
> Logout Implementer's Draft Votes
>     Mike proposes that we start a one-week review process for implementer's draft votes for the logout specs
>     We should include Session Management in the bundle
>
> AppAuth Fork
>     Mike Schwartz described an AppAuth fork he had made
>     John said that there are Google-specific things in the example app - not in the mainline code
>         Nat thinks that it's just Google-specific URLs - not Google-specific APIs
>         John said that there is also the use of a Google configuration shortcut in the example app
>         Others could submit pull requests to enable configuration with other OPs
>         Nat thinks we may need to dig a little deeper
>     Mike Schwartz pointed out that the AppAuth code is not validating the ID Token signature
>         George thought that we should merge that in
>         John said that AppAuth is code flow only, so this isn't a security risk per se
>         John said that we should do this in the client
>         John said that Adam Dawes was worried about lazy developers who might pass a validated ID Token to a server that then would not validate it
>         John thought that we should still check it in the client and also check it other places it is passed
>         Mike Jones said that this is about communication within the app and that we might want to document best practices for that pattern
>         If Mike Schwartz made a pull request for the signature validation across platforms, we would appreciate that
>     John said that there is interest in an AppAuth version for the Windows Universal Platform
>
> Federation Spec
>     Roland reported that a number of parties are starting pilots using the current federation draft
>     There's one in Europe, one in the US, and one in Australia/New Zealand
>     The Kantara Otto working group is also using the draft
>     The metadata statements have lifetimes on them - usually related to the signature lifetimes
>     There isn't currently a way to revoke them
>     There isn't a globally unique identifier for an entity, which some want for accounting purposes
>         John said that we have issuer for OPs - this is only a problem for RPs
>     Having this would let you do revocation based on a blacklist of entity IDs
>     Roland is also writing tests for the draft
>
> Open Issues
>     There are no new open issues
>
> Next Call
>     The next call is Monday, January 23rd at 3pm Pacific
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation
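Two items in the quoted notes are about what a Relying Party must actually do with a token: the Backchannel Logout item (a logout token may carry "sub", "sid" or both, and without a "sid" the intent is to log out all sessions for that user at the RP) and the AppAuth item (the client code was not validating the ID Token signature, and a backend that receives the token from the app should not assume the app validated it). The following Python is an added example written for these notes; it is not code from AppAuth, from the Backchannel Logout spec, or from any OpenID Foundation project. It assumes HS256 with the client secret as the key so that it runs on the standard library alone (OpenID Connect Core permits that algorithm; a typical RP verifies RS256 against the OP's JWKS instead), and its logout-token checks follow the claim set of the published Back-Channel Logout 1.0 spec, which may differ in detail from the January 2017 draft discussed on the call. The issuer, client_id, secret and session table are constructed sample values.

```python
"""RP-side validation of an ID Token and a Back-Channel Logout Token.

Added example for the quoted call notes; it is not code from AppAuth or from
any OpenID Foundation project. To stay standard-library only it uses HS256
with the client secret as key (OpenID Connect Core permits this); a typical
RP verifies RS256 against the OP's published JWKS instead. The logout token
claim set follows the published Back-Channel Logout 1.0 spec and may differ
from the January 2017 draft discussed on the call. Issuer, client_id, secret
and sessions are constructed sample values.
"""
import base64
import hashlib
import hmac
import json
import time

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; stands in for the OP's signing step."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def verify_jwt(token: str, secret: bytes) -> dict:
    """Verify the signature and return the claims; raise ValueError on any defect."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header, payload, sig = parts
    # Pin the algorithm we expect instead of trusting the header's "alg",
    # which is what alg=none and key-confusion attacks rely on.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))

def _check_iss_aud(claims: dict, issuer: str, client_id: str) -> None:
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")  # "aud" may be a string or a list of strings
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("aud mismatch")

def validate_id_token(token, secret, issuer, client_id, nonce, now=None) -> dict:
    """Checks an app must do itself before trusting an ID Token, even on the code flow."""
    now = now if now is not None else int(time.time())
    claims = verify_jwt(token, secret)
    _check_iss_aud(claims, issuer, client_id)
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims

def validate_logout_token(token, secret, issuer, client_id, seen_jti, now=None, skew=60) -> dict:
    now = now if now is not None else int(time.time())
    claims = verify_jwt(token, secret)
    _check_iss_aud(claims, issuer, client_id)
    if abs(now - claims.get("iat", 0)) > skew:
        raise ValueError("iat outside acceptable window")
    if not isinstance(claims.get("events"), dict) or LOGOUT_EVENT not in claims["events"]:
        raise ValueError("not a back-channel logout event")
    if "nonce" in claims:  # a logout token must not carry a nonce
        raise ValueError("nonce present")
    if not (claims.get("sub") or claims.get("sid")):
        raise ValueError("sub or sid required")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:  # replay protection
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)
    return claims

def apply_logout(sessions: dict, claims: dict) -> list:
    """sessions: RP session id -> {"sub", "sid"}. Returns the ids terminated.

    With a sid only the matching OP session goes; without one, every session
    for that subject at this RP, which is the intent the notes describe.
    """
    if "sid" in claims:
        victims = [k for k, v in sessions.items() if v["sid"] == claims["sid"]]
    else:
        victims = [k for k, v in sessions.items() if v["sub"] == claims["sub"]]
    for k in victims:
        del sessions[k]
    return victims
```

The point raised about Adam Dawes's concern maps onto this directly: a backend that receives the ID Token from the app calls validate_id_token with its own copy of the issuer, client_id and key rather than trusting that the app already did, and the "sid" branch of apply_logout is what keeps a logout token for one OP session from terminating a user's other sessions at the same RP.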