<div dir="ltr"><div>There are a couple items in issue tracking too - <a href="https://bitbucket.org/openid/connect/issue/968">#968</a> & <a href="https://bitbucket.org/openid/connect/issue/966">#966</a>. <br><br></div>We might consider using issue tracking to track all the pending/potential errata. <br><div><br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 14, 2015 at 1:18 PM, William Denniss <span dir="ltr"><<a href="mailto:wdenniss@google.com" target="_blank">wdenniss@google.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">My suggestions:<div><div><br></div><div>I think it would help to clarify this statement in section 5.3: "The UserInfo Endpoint MUST accept Access Tokens as OAuth 2.0 Bearer Token Usage [RFC6750]." such that only the header method is required (mirroring RFC6750).</div><div><br></div><div>Also in 5.3, the UserInfo POST should be a MAY, not a MUST, as POST is only relevant for OPs that support form-body bearer token usage (which is itself optional as per <span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important;background-color:rgb(255,255,255)">RFC6750</span>).</div><div><br></div><div>In Section 3.1.2.1. 
for the "max_age" parameter, perhaps we can add some text like "The exact method for re-authenticating the End User is out of scope for this specification"</div><div><br></div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 14, 2015 at 12:03 PM, Mike Jones <span dir="ltr"><<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The list that I’d captured in my OpenID to-do list to date is as follows. If others know of errata actions we will need to take that I’ve not captured, please
add them to this thread.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p><u></u><span style="font-size:11.0pt;font-family:Symbol;color:#1f497d"><span>·<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Update examples using Pragma: no-cache to also include Cache-Control: no-cache, no-store and add language "Because the Authorization Response is intended
to be used only once, the Authorization Server MUST instruct the User Agent (and any intermediaries) not to store or reuse the content of the response." as was done in the Form Post Response Mode draft.<u></u><u></u></span></p>
<p><u></u><span style="font-size:11.0pt;font-family:Symbol;color:#1f497d"><span>·<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">James Manger's note about self-issued typos, use of http, etc.<u></u><u></u></span></p>
<p><u></u><span style="font-size:11.0pt;font-family:Symbol;color:#1f497d"><span>·<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">When errata time next comes around, we should think about whether to relax the requirement to include a nonce in the request for the code+token flow.<u></u><u></u></span></p>
<p><u></u><span style="font-size:11.0pt;font-family:Symbol;color:#1f497d"><span>·<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I believe that the working group is waiting to apply errata changes until the IETF specs in this cluster <a href="http://www.rfc-editor.org/cluster_info.php?cid=C241" target="_blank">http://www.rfc-editor.org/cluster_info.php?cid=C241</a>
and draft-ietf-appsawg-acct-uri are RFCs. Also, once Google has corrected the issue described at <a href="http://openid.net/specs/openid-connect-core-1_0.html#GoogleIss" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#GoogleIss</a> (which I expect has been done in preparation for your certification submissions), we can remove
this clause through the errata process.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> -- Mike<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> William Denniss [mailto:<a href="mailto:wdenniss@google.com" target="_blank">wdenniss@google.com</a>]
<br>
<b>Sent:</b> Tuesday, April 14, 2015 11:41 AM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>; Eve Maler<br>
<b>Subject:</b> Re: [Openid-specs-ab] Minor test change to match the spec<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Sounds good. Should we start listing the planned errata on a wiki or something, so we don't miss any when the time comes?<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Tue, Apr 14, 2015 at 11:35 AM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:<u></u><u></u></p>
<div>
<div>
<pre><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060">I believe that the working group is waiting to apply errata changes until the IETF specs in this cluster <a href="http://www.rfc-editor.org/cluster_info.php?cid=C241" target="_blank">http://www.rfc-editor.org/cluster_info.php?cid=C241</a> and </span><span lang="EN">draft-ietf-appsawg-acct-uri </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060">are RFCs. Also, once Google has corrected the issue described at <a href="http://openid.net/specs/openid-connect-core-1_0.html#GoogleIss" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#GoogleIss</a> (which I expect has been done in preparation for your certification submissions), we can remove this clause through the errata process.</span><u></u><u></u></pre>
<pre><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060"> </span><u></u><u></u></pre>
<pre><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060"> -- Mike</span><u></u><u></u></pre>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060"> </span><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> William Denniss [mailto:<a href="mailto:wdenniss@google.com" target="_blank">wdenniss@google.com</a>]
<br>
<b>Sent:</b> Tuesday, April 14, 2015 9:42 AM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>; Eve Maler<br>
<b>Subject:</b> Re: [Openid-specs-ab] Minor test change to match the spec</span><u></u><u></u></p>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<p class="MsoNormal">Acknowledged.<u></u><u></u></p>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Regarding the next errata, when should we start that process? It seems like a good opportunity now, with the certification process still fresh in everyone's minds.<u></u><u></u></p>
</div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<p class="MsoNormal">On Mon, Apr 13, 2015 at 11:04 AM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">Garyl Erickson of ForgeRock identified a place where the tests didn’t match the spec and Roland just adjusted the tests as a result. I wanted to document this change and the reason
for it for the working group.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p>OP-nonce-NoReq-code is about supporting requests without a nonce. The nonce is only needed when the ID Token is returned as a fragment. The code+token flow doesn't return the nonce as a fragment. Therefore, it should be legal to make a request with no
nonce for code+token. So the test tool had included the test OP-nonce-NoReq-code for both the code and code+token response types.<u></u><u></u></p>
<p> <u></u><u></u></p>
<p>But the spec says that a nonce is required for Hybrid flows: <a href="http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken" target="_blank">
http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken</a> 3.3.2.11 ID Token "Use of the nonce Claim is REQUIRED for this flow." Therefore Roland just removed the OP-nonce-NoReq-code test from code+token, because it's testing for behavior that
violates the spec. In this case while common sense may indicate that you don't have to send a nonce for code+token, the spec says that you do.<u></u><u></u></p>
<p> <u></u><u></u></p>
<p>In a related test, the OP-nonce-NoReq-noncode is about testing that implementations reject requests without a nonce. Roland and I *<b>did not</b>* add this test for the code+token flow because doing so would break existing implementations that have already
passed certification with this functionality, which matches common sense, but not the spec. ;-) We *<b>did</b>* add this test for the code+id_token and code+id_token+token flows because the nonce really is required for security reasons in these cases. That
being said, per the rules of the test freeze, we will honor any Hybrid certifications that have already occurred without these tests having been presented by the test tool.<u></u><u></u></p>
<p> <u></u><u></u></p>
<p class="MsoNormal">When errata time next comes around, we should think about whether to relax the requirement to include a nonce in the request for the code+token flow. But for now, I think it’s
right for our certification tests to allow either the logical or the specified behavior in this one case.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"> Cheers,<u></u><u></u></p>
<p class="MsoNormal"> -- Mike<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><u></u><u></u></p>
</blockquote>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div>
</blockquote></div><br></div>
</div></div>
</blockquote></div><br></div>
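<p>The nonce rule argued over in the quoted thread, as an added example that is not code from the thread or from the certification test tool: a Python check that encodes what OpenID Connect Core 1.0 requires per response_type (OPTIONAL for code, REQUIRED for implicit and, per 3.3.2.11, for every hybrid flow), a <code>relaxed</code> switch (an assumed name) for the test-tool position that code+token may omit the nonce, and the RP-side check that the ID Token's nonce claim matches what was sent.</p>

```python
# Added example (not from the thread or the certification test tool). Nonce is
# OPTIONAL in the Authorization Code Flow, REQUIRED in the Implicit Flow (Core
# 3.2.2.1) and, per the spec text, REQUIRED in every Hybrid Flow (Core 3.3.2.11).
# relaxed=True models the test-tool position described in the thread: code+token
# may omit the nonce, since that flow returns no ID Token in the fragment.

CODE = {frozenset({"code"})}
IMPLICIT = {frozenset({"id_token"}), frozenset({"id_token", "token"})}
HYBRID = {frozenset({"code", "id_token"}), frozenset({"code", "token"}),
          frozenset({"code", "id_token", "token"})}
CODE_TOKEN = frozenset({"code", "token"})


def flow_of(response_type):
    """Map a space-separated response_type value to its OpenID Connect flow."""
    rt = frozenset(response_type.split())
    if rt in CODE:
        return "code"
    if rt in IMPLICIT:
        return "implicit"
    if rt in HYBRID:
        return "hybrid"
    raise ValueError("not an OpenID Connect response_type: %r" % response_type)


def nonce_required(response_type, relaxed=False):
    """True if an Authentication Request with this response_type MUST carry a nonce."""
    flow = flow_of(response_type)
    if flow == "code":
        return False
    if relaxed and frozenset(response_type.split()) == CODE_TOKEN:
        return False  # the "common sense" behaviour the tests tolerate
    return True  # implicit and, per the spec, all hybrid flows


def check_request(params, relaxed=False):
    """OP-side check of an Authentication Request; returns a list of error strings."""
    errors = []
    rt = params.get("response_type", "")
    try:
        if nonce_required(rt, relaxed) and not params.get("nonce"):
            errors.append("nonce is REQUIRED for response_type=%r" % rt)
    except ValueError as exc:
        errors.append(str(exc))
    return errors


def check_id_token_nonce(claims, sent_nonce):
    """RP-side check (Core 3.1.3.7 step 11): if a nonce was sent, the ID Token MUST
    carry an equal nonce claim. claims is the already signature-verified payload."""
    if sent_nonce is None:
        return True  # nothing was sent, so there is nothing to compare
    return claims.get("nonce") == sent_nonce
```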