<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Further, if a new id token is issued after iat of the logout SET, than that token represents a new session (assuming there is no other way to distinguish). </div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">The use case I am thinking of is where a user is logged out and immediately logs back in due to a password or account reset or other reason. </div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">I can see some RPs getting confused and getting into a race condition. <br><br>Phil</div><div><br>On Aug 24, 2016, at 3:37 PM, Phil Hunt (IDM) via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br><br></div><blockquote type="cite"><div><meta http-equiv="content-type" content="text/html; charset=utf-8"><div>The issue I raised was how long does a relying party need to keep track of the logout in case a token is re-presented that erroneously causes a new session when it should be rejected as logged out.</div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">MUST'nt the logout event be valid for as long as an outstanding token is valid? </div><div id="AppleMailSignature"><br>Phil</div><div><br>On Aug 24, 2016, at 3:18 PM, John Bradley via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br><br></div><blockquote type="cite"><div><meta http-equiv="Content-Type" content="text/html charset=utf-8">There are two discussions going on in the thread.<div class=""><br class=""></div><div class="">One is the meaning of exp in for the logout message. It would be if you receive this message after this time then don’t process it. </div><div class="">That is more important if you don’t include sid as you don’t want a delayed message blowing away a new session. </div><div class=""><br class=""></div><div class="">With sid you may wan to always process the logout as any new one would have a new sid. </div><div class=""><br class=""></div><div class="">The other one that crept in was what is the meaning of exp in the id_token.</div><div class=""><br class=""></div><div class="">That is relatively clear that it is the lifetime of the id_token being initially accepted by the client for establishing a session. </div><div class="">The question is if we need an errata someplace to clarify foe some people who are reading exp to be the lifetime of the users session before the client must should go back and validate that the user still has a session at the IdP. I think someone also mentioned an interpretation of it being the lifetime of the users session at the IdP.</div><div class=""><br class=""></div><div class="">That sort of clarification for the id_token could be a errata, that might be useful as different interpretations will lead to interoperability or security issues.</div><div class=""><br class=""></div><div class="">John B.</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Aug 24, 2016, at 6:29 PM, Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" class="">openid-specs-ab@lists.openid.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="WordSection1" style="page: WordSection1; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 32, 96);" class="">The text would go in the logout specs for two reasons:<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 32, 96);" class="">1. They pertain to the lifetime of the logout request<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 32, 96);" class="">2. We can’t make normative changes to Core<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 32, 96);" class=""><o:p class=""> </o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 32, 96);" class=""> -- Mike<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><a name="_MailEndCompose" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 32, 96);" class=""><o:p class=""> </o:p></span></a></div><span class=""></span><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><b class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif;" class="">From:</span></b><span style="font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span class="Apple-converted-space"> </span>Brian Campbell [<a href="mailto:bcampbell@pingidentity.com" class="">mailto:bcampbell@pingidentity.com</a>]<span class="Apple-converted-space"> </span><br class=""><b class="">Sent:</b><span class="Apple-converted-space"> </span>Wednesday, August 24, 2016 2:21 PM<br class=""><b class="">To:</b><span class="Apple-converted-space"> </span>Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" class="">Michael.Jones@microsoft.com</a>><br class=""><b class="">Cc:</b><span class="Apple-converted-space"> </span>Thomas Broyer <<a href="mailto:t.broyer@ltgt.net" class="">t.broyer@ltgt.net</a>>; Phil Hunt (IDM) <<a href="mailto:phil.hunt@oracle.com" class="">phil.hunt@oracle.com</a>>; <a href="mailto:openid-specs-ab@lists.openid.net" class="">openid-specs-ab@lists.openid.net</a><br class=""><b class="">Subject:</b><span class="Apple-converted-space"> </span>Re: [Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">Where would such text go? Core errata? Or?<o:p class=""></o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">On Wed, Aug 24, 2016 at 11:53 AM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank" style="color: purple; text-decoration: underline;" class="">Michael.Jones@microsoft.com</a>> wrote:<o:p class=""></o:p></div><blockquote style="border-style: none none none solid; border-left-color: rgb(204, 204, 204); border-left-width: 1pt; padding: 0in 0in 0in 6pt; margin-left: 4.8pt; margin-right: 0in;" class=""><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">Suggested text capturing these points would be great.<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""> <o:p class=""></o:p></div><div style="border-style: solid none none; border-top-color: rgb(225, 225, 225); border-top-width: 1pt; padding: 3pt 0in 0in;" class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><b class="">From:<span class="Apple-converted-space"> </span></b><a href="mailto:bcampbell@pingidentity.com" target="_blank" style="color: purple; text-decoration: underline;" class="">Brian Campbell</a><br class=""><b class="">Sent:<span class="Apple-converted-space"> </span></b>Wednesday, August 24, 2016 12:39 PM<br class=""><b class="">To:<span class="Apple-converted-space"> </span></b><a href="mailto:t.broyer@ltgt.net" target="_blank" style="color: purple; text-decoration: underline;" class="">Thomas Broyer</a><br class=""><b class="">Cc:<span class="Apple-converted-space"> </span></b><a href="mailto:Michael.Jones@microsoft.com" target="_blank" style="color: purple; text-decoration: underline;" class="">Mike Jones</a>;<span class="Apple-converted-space"> </span><a href="mailto:phil.hunt@oracle.com" target="_blank" style="color: purple; text-decoration: underline;" class="">Phil Hunt (IDM)</a>;<span class="Apple-converted-space"> </span><a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline;" class="">openid-specs-ab@lists.openid.net</a><o:p class=""></o:p></div><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><br class=""><b class="">Subject:<span class="Apple-converted-space"> </span></b>Re: [Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs<o:p class=""></o:p></div></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""> <o:p class=""></o:p></div></div><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif;">I would say yes, Thomas, but I think the answer will depend on who you ask and when.<o:p class=""></o:p></p></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif;">Typically, in my own experience anyway, the SSO token (like the id token) has a relatively short expiration time and is consumed and validated by the client/RP once and then that client sets up its own session or security context with its own lifetime.<span class="Apple-converted-space"> </span><o:p class=""></o:p></p></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif;">But I think some have used or want to use the id token directly as the session token at the client/RP. And doing so might then rely on the exp in the id token as the session expiration, which presumably would want a larger window.<span class="Apple-converted-space"> </span><o:p class=""></o:p></p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">I don't think the spec(s) explicitly require one approach or the other. And, as such, I don't think any of the logout stuff can assume one or the other.<o:p class=""></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div><div class=""><div class=""><div class=""><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif;"><o:p class=""> </o:p></p><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">On Wed, Aug 24, 2016 at 10:19 AM, Thomas Broyer via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline;" class="">openid-specs-ab@lists.openid.net</a>> wrote:<o:p class=""></o:p></div><blockquote style="border-style: none none none solid; border-left-color: rgb(204, 204, 204); border-left-width: 1pt; padding: 0in 0in 0in 6pt; margin-left: 4.8pt; margin-right: 0in;" class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">Aren't ID Tokens supposed to have a short expiration time? (I asked twice already over the last 2 years and never got an answer, maybe this time?)<o:p class=""></o:p></div></div><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">On Wed, Aug 24, 2016 at 6:05 PM Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline;" class="">openid-specs-ab@lists.openid.net</a>> wrote:<o:p class=""></o:p></div></div><blockquote style="border-style: none none none solid; border-left-color: rgb(204, 204, 204); border-left-width: 1pt; padding: 0in 0in 0in 6pt; margin-left: 4.8pt; margin-right: 0in;" class=""><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">I found your original logic to be sound. The ID Token could be reused with id_token_hint until it expires. Communicating the matching expiration time in the logout made sense to me – particularly in the no Session ID case, as John points out.<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""> <o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">– Mike<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""> <o:p class=""></o:p></div><div style="border-style: solid none none; border-top-color: windowtext; border-top-width: 1pt; padding: 3pt 0in 0in;" class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><b class="">From:<span class="Apple-converted-space"> </span></b><a href="mailto:phil.hunt@oracle.com" target="_blank" style="color: purple; text-decoration: underline;" class="">Phil Hunt (IDM)</a><br class=""><b class="">Sent:<span class="Apple-converted-space"> </span></b>Wednesday, August 24, 2016 11:45 AM<br class=""><b class="">To:<span class="Apple-converted-space"> </span></b><a href="mailto:phil.hunt@oracle.com" target="_blank" style="color: purple; text-decoration: underline;" class="">Phil Hunt (IDM)</a><br class=""><b class="">Cc:<span class="Apple-converted-space"> </span></b><a href="mailto:Michael.Jones@microsoft.com" target="_blank" style="color: purple; text-decoration: underline;" class="">Mike Jones</a>;<span class="Apple-converted-space"> </span><a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline;" class="">openid-specs-ab@lists.openid.net</a><o:p class=""></o:p></div></div></div></div><div class=""><div class=""><div style="border-style: solid none none; border-top-color: windowtext; border-top-width: 1pt; padding: 3pt 0in 0in;" class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><br class=""><b class="">Subject:<span class="Apple-converted-space"> </span></b>Re: [Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs<o:p class=""></o:p></div></div></div></div><div class=""><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">Scratch that. Was thinking oauth resource and tokens. <o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">Not sure the same would exist here. <o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><br class="">Phil<o:p class=""></o:p></div></div><div class=""><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif;"><br class="">On Aug 24, 2016, at 8:17 AM, Phil Hunt (IDM) via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline;" class="">openid-specs-ab@lists.openid.net</a>> wrote:<o:p class=""></o:p></p></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class=""><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">It may be useful to include the original session expiry time or make the exp match the original id token. If the service isn't tracking state of sessions it needs to know for how much longer an id token might show up in order to keep its revocation list managed over time. <br class=""><br class="">Phil<o:p class=""></o:p></div></div><div class=""><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif;"><br class="">On Aug 24, 2016, at 5:58 AM, Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline;" class="">openid-specs-ab@lists.openid.net</a>> wrote:<o:p class=""></o:p></p></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class=""><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 32, 96);" class="">Good catch, Filip. I’d replaced “exp” (expiration time) with “iat” (issued at) to align it with the ID Events spec<span class="Apple-converted-space"> </span><a href="https://tools.ietf.org/html/draft-hunt-idevent-token-03" target="_blank" style="color: purple; text-decoration: underline;" class="">https://tools.ietf.org/html/draft-hunt-idevent-token-03</a>. But I’d also wanted to ask the working group – do we want to retain an explicit expiration time in the logout token?</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 32, 96);" class=""> </span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 32, 96);" class=""> -- Mike</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><a name="m_-8902454702970477306_m_-34093491395958" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 32, 96);" class=""> </span></a><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><b class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif;" class="">From:</span></b><span style="font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span class="Apple-converted-space"> </span>Filip [<a href="mailto:panva.ip@gmail.com" target="_blank" style="color: purple; text-decoration: underline;" class="">mailto:panva.ip@gmail.com</a>]<span class="Apple-converted-space"> </span><br class=""><b class="">Sent:</b><span class="Apple-converted-space"> </span>Wednesday, August 24, 2016 1:24 AM<br class=""><b class="">To:</b><span class="Apple-converted-space"> </span>Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank" style="color: purple; text-decoration: underline;" class="">Michael.Jones@microsoft.com</a>><br class=""><b class="">Cc:</b><span class="Apple-converted-space"> </span><a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline;" class="">openid-specs-ab@lists.openid.net</a><br class=""><b class="">Subject:</b><span class="Apple-converted-space"> </span>Re: [Openid-specs-ab] Session ID semantics aligned across OpenID Connect front-channel and back-channel logout specs</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""> <o:p class=""></o:p></div><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">Hello,<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""> <o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">reviewing the changes i noticed in Section 2.4 of Backchannel draft 03 the 'exp' claim got removed from Logout Token claims, however section 4 still recomends OPs to use short expiration times for their Logout Tokens. It is not clear enough if 'exp' should be present or not.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><br clear="all" class=""><o:p class=""></o:p></div><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">Best Regards,<br class=""><b class="">Filip Skokan</b><o:p class=""></o:p></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""> <o:p class=""></o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">On Wed, Aug 24, 2016 at 3:44 AM, Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline;" class="">openid-specs-ab@lists.openid.net</a>> wrote:<o:p class=""></o:p></div><blockquote style="border-style: none none none solid; border-left-color: windowtext; border-left-width: 1pt; padding: 0in 0in 0in 6pt; margin: 5pt 0in 5pt 4.8pt;" class=""><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">Session ID definitions in the OpenID Connect front-channel and back-channel logout specs have been aligned so that the Session ID definition is now the same in both specs. The Session ID is scoped to the Issuer in both specs now (whereas it was previously global in scope in the front-channel spec). This means that the issuer value now needs to be supplied whenever the Session ID is. This doesn’t change the simple (no-parameter) front-channel logout messages. The back-channel specification is now also aligned with the ID Event Token specification.<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""> <o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">The new specification versions are:<o:p class=""></o:p></div><p style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-family: Symbol;" class="">·</span><span style="font-size: 7pt;" class=""> <span class="Apple-converted-space"> </span></span><a href="http://openid.net/specs/openid-connect-frontchannel-1_0-01.html" target="_blank" style="color: purple; text-decoration: underline;" class="">http://openid.net/specs/openid-connect-frontchannel-1_0-01.html</a><o:p class=""></o:p></p><p style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-family: Symbol;" class="">·</span><span style="font-size: 7pt;" class=""> <span class="Apple-converted-space"> </span></span><a href="http://openid.net/specs/openid-connect-backchannel-1_0-03.html" target="_blank" style="color: purple; text-decoration: underline;" class="">http://openid.net/specs/openid-connect-backchannel-1_0-03.html</a><o:p class=""></o:p></p><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="color: rgb(136, 136, 136);" class=""> </span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="color: rgb(136, 136, 136);" class=""> -- Mike</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""> <o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">P.S. This notice was also posted at<span class="Apple-converted-space"> </span><a href="http://self-issued.info/?p=1599" target="_blank" style="color: purple; text-decoration: underline;" class="">http://self-issued.info/?p=1599</a><span class="Apple-converted-space"> </span>and as<span class="Apple-converted-space"> </span><a href="https://twitter.com/selfissued" target="_blank" style="color: purple; text-decoration: underline;" class="">@selfissued</a>.<o:p class=""></o:p></div></div></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif;"><br class="">_______________________________________________<br class="">Openid-specs-ab mailing list<br class=""><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline;" class="">Openid-specs-ab@lists.openid.net</a><br class=""><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" style="color: purple; text-decoration: underline;" class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p class=""></o:p></p></blockquote></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""> <o:p class=""></o:p></div></div></div></div></div></blockquote><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">_______________________________________________<br class="">Openid-specs-ab mailing list<br class=""><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline;" class="">Openid-specs-ab@lists.openid.net</a><br class=""><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" style="color: purple; text-decoration: underline;" class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p class=""></o:p></div></div></blockquote></div></blockquote><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">_______________________________________________<br class="">Openid-specs-ab mailing list<br class=""><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline;" class="">Openid-specs-ab@lists.openid.net</a><br class=""><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" style="color: purple; text-decoration: underline;" class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p class=""></o:p></div></div></blockquote></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">_______________________________________________<br class="">Openid-specs-ab mailing list<br class=""><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline;" class="">Openid-specs-ab@lists.openid.net</a><br class=""><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" style="color: purple; text-decoration: underline;" class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p class=""></o:p></div></blockquote></div></div></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif;"><br class="">_______________________________________________<br class="">Openid-specs-ab mailing list<br class=""><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline;" class="">Openid-specs-ab@lists.openid.net</a><br class=""><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" style="color: purple; text-decoration: underline;" class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p class=""></o:p></p></blockquote></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div></div></div></div></div></div></div></div></div></blockquote></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div></div></div><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">_______________________________________________</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Openid-specs-ab mailing list</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class=""><a href="mailto:Openid-specs-ab@lists.openid.net" class="">Openid-specs-ab@lists.openid.net</a></span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class=""><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></span></div></blockquote></div><br class=""></div></div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Openid-specs-ab mailing list</span><br><span><a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a></span><br><span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></span><br></div></blockquote></div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Openid-specs-ab mailing list</span><br><span><a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a></span><br><span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></span><br></div></blockquote></body></html>