<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Spec call notes 18-Feb-16<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">John Bradley<o:p></o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">George Fletcher<o:p></o:p></p>
<p class="MsoNormal">Roland Hedberg<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Agenda<o:p></o:p></p>
<p class="MsoNormal"> Certification Updates<o:p></o:p></p>
<p class="MsoNormal"> Open Issues<o:p></o:p></p>
<p class="MsoNormal"> Upcoming Events<o:p></o:p></p>
<p class="MsoNormal"> Open Source Libraries<o:p></o:p></p>
<p class="MsoNormal"> Security Test Tools<o:p></o:p></p>
<p class="MsoNormal"> Next Call<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Certification Updates<o:p></o:p></p>
<p class="MsoNormal"> OP certification is rolling along<o:p></o:p></p>
<p class="MsoNormal"> Roland regularly gets e-mails from people asking about the certification tests<o:p></o:p></p>
<p class="MsoNormal"> Something between 100 and 150 implementations have tested<o:p></o:p></p>
<p class="MsoNormal"> 23 have certified to date<o:p></o:p></p>
<p class="MsoNormal"> RP certification is stalled at present<o:p></o:p></p>
<p class="MsoNormal"> So far, only Edmund Jay and Hans Zandbelt have done testing<o:p></o:p></p>
<p class="MsoNormal"> William Denniss said that he would test but apparently hasn't yet<o:p></o:p></p>
<p class="MsoNormal"> Roland is also working on enabling testing of deployed clients, rather than libraries<o:p></o:p></p>
<p class="MsoNormal"> You can still cause the OP to create errors and check whether the RP handles them correctly<o:p></o:p></p>
<p class="MsoNormal"> For instance, sending a bad signature and seeing if the RP rejects it<o:p></o:p></p>
<p class="MsoNormal"> This isn't deployed yet - it's still just on Roland's laptop<o:p></o:p></p>
<p class="MsoNormal"> Mike asked if we could get this deployed by IIW in late April and Roland said yes<o:p></o:p></p>
<p class="MsoNormal"> AOL has been moving lots of their SAAS providers to OpenID Connect<o:p></o:p></p>
<p class="MsoNormal"> George would like to be able to point them to the RP testing<o:p></o:p></p>
<p class="MsoNormal"> Mike said that there isn't an easy list of RP tests to just click through<o:p></o:p></p>
<p class="MsoNormal"> Roland said that there is a web page but you have to do a lot of clicking<o:p></o:p></p>
<p class="MsoNormal"> https://rp.certification.openid.net:8080/test_list<o:p></o:p></p>
<p class="MsoNormal"> Mike said that NEC sent a certification request that was nearly complete and he responded to it<o:p></o:p></p>
<p class="MsoNormal"> Edmund was having problems with key rotation in the RP tests but Roland hasn't figured out what's wrong<o:p></o:p></p>
<p class="MsoNormal"> Nat suggested that Roland and Edmund arrange a GoToMeeting session with screen sharing to debug it<o:p></o:p></p>
<p class="MsoNormal"> Roland will send a note to Edmund to schedule this<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> There are no new issues<o:p></o:p></p>
<p class="MsoNormal"> Mike and John still need to produce new text for the errata issues<o:p></o:p></p>
<p class="MsoNormal"> There are also updates to the logout specs that Mike needs to do<o:p></o:p></p>
<p class="MsoNormal"> Errata has higher priority over the logout changes, other than renaming the front channel logout spec<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Upcoming Events<o:p></o:p></p>
<p class="MsoNormal"> Mobile World Congress is next week<o:p></o:p></p>
<p class="MsoNormal"> John will be there<o:p></o:p></p>
<p class="MsoNormal"> MODRNA will have meetings there<o:p></o:p></p>
<p class="MsoNormal"> RSA will be the following week<o:p></o:p></p>
<p class="MsoNormal"> Nat and Mike will be there<o:p></o:p></p>
<p class="MsoNormal"> OpenID Workshop in Santiago on Thursday, March 31 before IETF 95 in Buenos Aires<o:p></o:p></p>
<p class="MsoNormal"> See http://www.alive.cl/clientes/OpenID/index.html<o:p></o:p></p>
<p class="MsoNormal"> John, Nat, Mike, William, and Hannes will be there<o:p></o:p></p>
<p class="MsoNormal"> The city of Buenos Aires has a Python authorization server - Django OpenID provider<o:p></o:p></p>
<p class="MsoNormal"> OpenID Workshop before IIW on Monday, April 25<o:p></o:p></p>
<p class="MsoNormal"> https://www.eventbrite.com/e/internet-identity-workshop-xxii-22-2016a-tickets-19430016703<o:p></o:p></p>
<p class="MsoNormal"> OpenID Workshop at European Identity and Cloud Conference in May<o:p></o:p></p>
<p class="MsoNormal"> See https://www.id-conf.com/events/eic2016<o:p></o:p></p>
<p class="MsoNormal"> There is an OAuth security workshop in Trier, Germany on July 14-15, the week before IETF 96 in Berlin<o:p></o:p></p>
<p class="MsoNormal"> See http://infsec.uni-trier.de/events/osw2016<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Source Libraries<o:p></o:p></p>
<p class="MsoNormal"> An OpenID GitHub repository was established<o:p></o:p></p>
<p class="MsoNormal"> The iOS and Android libraries will be in separate repositories<o:p></o:p></p>
<p class="MsoNormal"> The legal issues enabling contribution were resolved<o:p></o:p></p>
<p class="MsoNormal"> William Denniss is expected to post the libraries imminently<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Security Test Tools<o:p></o:p></p>
<p class="MsoNormal"> Christian Mainka and the rub.de folks are working on OAuth security testing tools<o:p></o:p></p>
<p class="MsoNormal"> Roland is tracking their work and might add some of the new tests as extra tests in our OP test suite<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> Our next call will be Monday, February 22nd at 3pm Pacific / Tuesday morning in Japan<o:p></o:p></p>
</div>
</body>
</html>