[Openid-specs-ab] Spec Call Notes 11-Apr-19

Mike Jones Michael.Jones at microsoft.com
Thu Apr 11 19:53:21 UTC 2019

Spec Call Notes 11-Apr-19

Mike Jones
Nat Sakimura
George Fletcher
Brian Campbell
John Bradley
Rich Levinson
Bjorn Hjelm
Torsten Lodderstedt
Tom Jones

              Nat asked for feedback on the OAuth JAR spec from John
              John is working on addressing feedback received during the OAuth Security Workshop
              It's already gone through the IESG telechat already so the authors are looking to minimize the changes made

authentication_failed Error Code Draft
              No comments were received during the adoption comment period, so the draft is adopted
              The working group requested to change the name to unmet_authentication_requirements on the 1-Apr-19 call
              Torsten will update the error code name and we'll publish a working group draft
              This addresses issue https://bitbucket.org/openid/connect/issues/1029/authentication_failed-error-response

OpenID Connect for Identity Proofing
              A working group draft was published at https://openid.net/specs/openid-connect-4-identity-assurance.html
              Torsten has received some private feedback
                           More working group feedback is solicited
              Bjorn and Daniel Fett will propose a session at IIW about the draft
                           Mike agreed to help facilitate the session

OpenID Certification
              Roland Hedberg continues refining the initial logout certification tests
                           Filip Skokan has been super-helpful in doing early tests of the tests
                           Hans has also helped get them ready for people to run
                           They are deployed at https://new-op.certification.openid.net:60000/ and https://new-rp.certification.openid.net:8080/

                           Expect an announcement requesting that people test the tests shortly
              Third Party-Initiated Login tests have been available to test since February
                           Thus far, we're not aware that they have been tested
                           We observed on the call that IdP-initiated login is much more common in the SAML world than the Connect world
                           Mike will send a reminder to the working group of the availability of the tests
              FAPI certification launched on April 1st
                           See the completed FAPI certifications at https://openid.net/certification/#FAPI_OPs
              The Connect certification pricing will go up on June 1st
                           See https://openid.net/2019/02/21/openid-certification-program-expansion-and-fee-update/
                           Those considering new certifications will get a price break by doing so in April or May

Open Issues
              #1067 Add Privacy Considerations
                           Torsten will do this
              #1068 Follow ISO Rules
                           This is a tracking issue.  We will review the document in this regard in the future.
              #1069 Identity Assurance Section 5.1 on reason for request
                           This had been heavily discussed in the comment and on list
                           Mike had made the point that it's always up to the two parties what information to exchange
                                         We shouldn't start mandating specific information now
                           Tom said that maybe we could reference legal agreements in machine-processable fashion
                                         George said that that would be a whole different standardization effort
                           George said that in some cases, the OP already knows that there is consent
                           Torsten said that the OP always needs to understand the legal basis for sharing information with the RP
                           Tom said that there are different legal jurisdictions
                           George said that legal information can be exchanged offline and need not be part of the protocol
                           George reminded us that we already have a prompt=consent parameter
                           We commented in the issue that a concrete proposal is needed

Next Call
              Monday, April 15 at 4pm Pacific Time
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20190411/b9c3d8b9/attachment.html>

More information about the Openid-specs-ab mailing list