[Openid-specs-ab] Spec Call Notes 9-Apr-20

Mike Jones Michael.Jones at microsoft.com
Thu Apr 9 15:07:00 UTC 2020


Spec Call Notes 9-Apr-20

Mike Jones
Tim Cappalli
George Fletcher
Brian Campbell
John Bradley
Bjorn Hjelm
Filip Skokan

Migration from Mercurial to Git
              We discussed George's branch for openid-connect-prompt-create-1_0.xml
                           He created a pull request for it
              We migrated the EAP repository and learned a few things along the way
              The next step will be to migrate openid.bitbucket.org, which is rendered at openid.bitbucket.io

OAuth JAR
              Nat still needs to publish a new draft
              John is working with Nat on this

AppAuth
              George said that the Verizon Media person is still interested in being a maintainer for AppAuth Android
              He will join a future call
              John said that William Denniss is still maintaining AppAuth iOS

Open Issues
              https://bitbucket.org/openid/connect/issues?status=new&status=open
              #1161 Key rotation should require a delay between publishing a key and starting to use it?
                           Brian summarized the discussion from the mailing list
                           He described how an attacker could cause frequent JWK Set fetches with bad "kid" values
                           Brian said that there doesn't appear to have been an actual problem in practice
                           He wrote an issue comment
              #1160 Registration 2 - Should data: URLs be allowed as valid logo_uri values?
                           The spec says "The value of this field MUST point to a valid image file."
                           George said that using data URLs would be convenient
                           But it also makes it much harder to validate the image because it has no domain
                           George wrote an issue comment
              #1149 Front-channel logout that doesn't rely on cookies
                           Mike proposed that we either mark this issue as "on hold" or "won't fix" since there isn't a concrete proposal
                           Filip summarized the current situation
                           George said that trying to tweak what we have today is likely problematic
                           We could try to describe ways that front-channel logout breaks in the new browser world
                           Filip said that browser Content Security Policies (CSPs) could be applicable
                           George thinks we could do something else in a new spec once the browser world has shaken out
                           George described a situation in which front-channel logout didn't work in Brave but did in Firefox and Chrome
                           Mike said that he's not in favor of trying to pursue whack-a-mole "solutions"
                           Tim and George described some of the side effects of Apple Intelligent Tracking Prevention (ITP)
                           This will be placed "on hold" the next time we triage issues unless a reason to keep it active appears by then
              #1125 *_hash algorithm for EdDSA ID Tokens?
                           We last left this at saying that we should decide where to publish this information
              #1108 Purpose field for claims requests and revving of policy_url
                           We will discuss this when we next have Nat and Torsten on the call
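
As an added illustration of the #1161 discussion (this is example code written for these notes, not code from the issue thread, the working group, or any OpenID project), the following relying-party JWK Set cache shows the cache-side counterpart of the concern Brian summarized: a refetch-on-unknown-"kid" policy with a minimum interval between fetches, so that tokens carrying made-up "kid" values cannot drive a fetch storm, and the resulting trade-off, namely that a key the OP publishes and signs with immediately is rejected until the interval elapses, which is exactly why the issue asks for a delay between publishing and first use. The issuer key material, the min_refetch_interval parameter, and the simulated clock are constructed for the example and are not spec fields.

```python
import time
from typing import Callable, Dict, Optional

# Constructed sample JWK Set, in the shape an OP's jwks_uri would serve.
# The key material is fake; only "kid" matters for this example.
INITIAL_JWKS = {
    "keys": [{"kty": "OKP", "crv": "Ed25519", "kid": "2020-04", "x": "AAAA"}]
}


class JwksCache:
    """Caches an OP's JWK Set and rate-limits cache-miss refetches.

    A miss on an unknown "kid" normally triggers a refetch so rotated keys
    are picked up.  Without a floor on how often that may happen, anyone
    who can submit tokens with invented "kid" values can make the RP hit
    the OP's jwks_uri once per token.  min_refetch_interval (seconds) is
    that floor; it is this example's own parameter, not a spec field.
    """

    def __init__(self, fetch: Callable[[], dict], min_refetch_interval: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch
        self._min_interval = min_refetch_interval
        self._clock = clock
        self._keys: Dict[str, dict] = {}
        self._last_fetch: Optional[float] = None
        self.fetch_count = 0  # how many times jwks_uri was actually fetched

    def _refresh(self) -> None:
        self.fetch_count += 1
        self._last_fetch = self._clock()
        self._keys = {k["kid"]: k for k in self._fetch().get("keys", []) if "kid" in k}

    def get_key(self, kid: str) -> Optional[dict]:
        """Return the JWK for kid, or None if no such key is (yet) known.

        Returning None instead of fetching during the cooldown is the
        trade-off: a token signed with a freshly published key is rejected
        until the interval elapses, so the OP must wait at least that long
        between publishing a key and signing with it.
        """
        if self._last_fetch is None:
            self._refresh()
        key = self._keys.get(kid)
        if key is not None:
            return key
        if self._clock() - self._last_fetch < self._min_interval:
            return None  # unknown kid inside the cooldown: no refetch
        self._refresh()
        return self._keys.get(kid)


def simulate() -> dict:
    """Run a bogus-kid flood and then a key rotation against the cache."""
    published = {"keys": list(INITIAL_JWKS["keys"])}  # what jwks_uri serves
    now = [0.0]                                         # simulated clock
    cache = JwksCache(lambda: published, min_refetch_interval=300.0,
                      clock=lambda: now[0])

    cache.get_key("2020-04")  # initial load: one fetch
    # Attacker: 1000 tokens, each with a different invented "kid".
    for i in range(1000):
        cache.get_key(f"bogus-{i}")
    fetches_after_flood = cache.fetch_count  # still 1: the flood caused no refetch

    # OP publishes a new key and signs with it immediately (no delay).
    published["keys"].append(
        {"kty": "OKP", "crv": "Ed25519", "kid": "2020-05", "x": "BBBB"})
    now[0] += 10.0
    early = cache.get_key("2020-05")  # None: still inside the cooldown

    # Once the cooldown has elapsed the first miss triggers one refetch.
    now[0] += 300.0
    late = cache.get_key("2020-05")
    return {
        "fetches_after_flood": fetches_after_flood,
        "accepted_early": early is not None,
        "accepted_late": late is not None,
        "total_fetches": cache.fetch_count,
    }


if __name__ == "__main__":
    print(simulate())
```

The interval an RP chooses here is the number an OP has to know about: if the OP starts signing with a new key sooner than that after publishing it, RPs following this policy will reject those tokens, which is the coordination problem the issue title raises.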

Next Call
              The next working group call is Monday, April 13 at 4pm Pacific Time
