<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I'm very interested to find out what Prateek's group's analysis
shows.<br>
<br>
Revoking the client keys used to do token binding might be a great
way to nuke everything unilaterally, which would be in the control
of the user. If the server had a way to request that the user
approve revocation of the client keys used with sessions from that
server, that would be even better.<br>
<br>
Nick<br>
<br>
<div class="moz-cite-prefix">On 10/4/16 4:46 PM, Edmund Jay via
Openid-specs-ab wrote:<br>
</div>
<blockquote
cite="mid:433844003.5456079.1475621185658@mail.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff; font-family:Courier
New, courier, monaco, monospace, sans-serif;font-size:13px">
<div dir="ltr" style="font-family: 'Helvetica Neue', 'Segoe UI',
Helvetica, Arial, 'Lucida Grande', sans-serif;"
id="yui_3_16_0_ym19_1_1475522116691_122132">Spec call notes
3-Oct-16<br id="yui_3_16_0_ym19_1_1475522116691_122133">
</div>
<div style="font-family: 'Helvetica Neue', 'Segoe UI',
Helvetica, Arial, 'Lucida Grande', sans-serif;"
id="yui_3_16_0_ym19_1_1475522116691_122134"><br
id="yui_3_16_0_ym19_1_1475522116691_122135">
</div>
<div style="font-family: 'Helvetica Neue', 'Segoe UI',
Helvetica, Arial, 'Lucida Grande', sans-serif;"
id="yui_3_16_0_ym19_1_1475522116691_122136">Nat Sakimura<br
id="yui_3_16_0_ym19_1_1475522116691_122137">
</div>
<div dir="ltr" style="font-family: 'Helvetica Neue', 'Segoe UI',
Helvetica, Arial, 'Lucida Grande', sans-serif;"
id="yui_3_16_0_ym19_1_1475522116691_122138">Edmund Jay</div>
<div dir="ltr" style="font-family: 'Helvetica Neue', 'Segoe UI',
Helvetica, Arial, 'Lucida Grande', sans-serif;"
id="yui_3_16_0_ym19_1_1475522116691_122138">John Bradley</div>
<div dir="ltr" style="font-family: 'Helvetica Neue', 'Segoe UI',
Helvetica, Arial, 'Lucida Grande', sans-serif;"
id="yui_3_16_0_ym19_1_1475522116691_122138">Phil Hunt</div>
<div dir="ltr" style="font-family: 'Helvetica Neue', 'Segoe UI',
Helvetica, Arial, 'Lucida Grande', sans-serif;"
id="yui_3_16_0_ym19_1_1475522116691_122139">Prateek Mishra</div>
<div dir="ltr" style="font-family: 'Helvetica Neue', 'Segoe UI',
Helvetica, Arial, 'Lucida Grande', sans-serif;"
id="yui_3_16_0_ym19_1_1475522116691_122140">Dale Olds</div>
<div dir="ltr" style="font-family: 'Helvetica Neue', 'Segoe UI',
Helvetica, Arial, 'Lucida Grande', sans-serif;"
id="yui_3_16_0_ym19_1_1475522116691_122141"><br
id="yui_3_16_0_ym19_1_1475522116691_122142">
</div>
<div dir="ltr" style="font-family: 'Helvetica Neue', 'Segoe UI',
Helvetica, Arial, 'Lucida Grande', sans-serif;"
id="yui_3_16_0_ym19_1_1475522116691_122143"><br
id="yui_3_16_0_ym19_1_1475522116691_122144">
</div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1475522116691_122145">
<div style="font-family: HelveticaNeue, 'Helvetica Neue',
Helvetica, Arial, 'Lucida Grande', sans-serif;"
id="yui_3_16_0_ym19_1_1475522116691_122146">Agenda</div>
<div style="font-family: HelveticaNeue, 'Helvetica Neue',
Helvetica, Arial, 'Lucida Grande', sans-serif;"
id="yui_3_16_0_ym19_1_1475522116691_122146"> Meeting time
on WG page<br>
</div>
<div dir="ltr" style="font-family: HelveticaNeue, 'Helvetica
Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"
id="yui_3_16_0_ym19_1_1475522116691_122147"> Session and
Logout specs</div>
<div dir="ltr" style="font-family: HelveticaNeue, 'Helvetica
Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"
id="yui_3_16_0_ym19_1_1475522116691_122147"><br
id="yui_3_16_0_ym19_1_1475522116691_123977">
</div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1475522116691_122147">
<div dir="ltr" id="yui_3_16_0_ym19_1_1475522116691_123450"><font
id="yui_3_16_0_ym19_1_1475522116691_123451"
face="HelveticaNeue, Helvetica Neue, Helvetica, Arial,
Lucida Grande, sans-serif"><br
id="yui_3_16_0_ym19_1_1475522116691_123452">
</font></div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1475522116691_123453"><span
style="font-family: HelveticaNeue, 'Helvetica Neue',
Helvetica, Arial, 'Lucida Grande', sans-serif;"><br>
</span></div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1475522116691_123453"><span
style="font-family: HelveticaNeue, 'Helvetica Neue',
Helvetica, Arial, 'Lucida Grande', sans-serif;"
id="yui_3_16_0_ym19_1_1475522116691_123992">Meeting time
on WG page</span><br>
</div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1475522116691_123453">
<div style="font-family: HelveticaNeue, 'Helvetica Neue',
Helvetica, Arial, 'Lucida Grande', sans-serif;"
id="yui_3_16_0_ym19_1_1475522116691_123868">
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"> There
is a mismatch in the Monday meeting time on the WG
page at <a moz-do-not-send="true"
href="http://openid.net/wg/connect/"
id="yui_3_16_0_ym19_1_1475522116691_124146">http://openid.net/wg/connect/</a> </div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">between
the calendar and the text. It's 3PM PT on the text and
4PM on the calendar. This is due to time</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">changes in
the Pacific time zone.</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"> It's
decided that the Monday meeting time will be pegged to
8AM JST Japan time, which doesn't change.<br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"><br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"><br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"><br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">Meeting
Notes from 29-Sept-16</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"> Nat
asked if the meeting notes from the September 29, 2016
meeting are OK since he had an unreliable</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">connection
at the time.</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">There were
no objections, so minutes will be posted to the list.</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"><br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"><br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">Session
and Logout specs<br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"><br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">
Prateek and company are still researching "strong
logout" use cases: where does strong logout make</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">sense, and
what needs to be done? Will try to send a report to
the group by end of next week.</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"><br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"> There
were no updates to the logout specs.<br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"><br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">
Questions were raised about whether the SAML single
logout mechanism is adequate. It depends</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">on the
reliability of the transport. </div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"> The
group discussed ways to make it more robust.
One suggestion was to have a way to </div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">replay
transaction logs. But it might introduce privacy
issues.</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"> The
group discussed the costs of checking the transactions
versus keeping state on the RP versus<br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">session
extension via OAuth refresh token.</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"> There
are use cases such as financial institutions and fleet
(shared) devices which require really strong<br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">logout.
There are also use cases where best effort logout is
good enough.</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"> RPs
subscribing to logout events need to know they are getting
the events. They need guaranteed delivery of<br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">event
notifications.</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">
Another way of checking session is to programmatically
do a logout and login right after. This method<br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">may
introduce a time dependency since the logout event may
happen after the login. The RP needs a way</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">to figure
out the current state.</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">
<div dir="ltr" style="font-family: 'Courier New',
courier, monaco, monospace, sans-serif;"
id="yui_3_16_0_ym19_1_1475522116691_125345">
<div style="font-family: HelveticaNeue, 'Helvetica
Neue', Helvetica, Arial, 'Lucida Grande',
sans-serif;"
id="yui_3_16_0_ym19_1_1475522116691_125346">
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_125347">
Front channel logout is synchronous but not
dependable and browser could shut down any time.</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_125348">Backchannel
is asynchronous but will have time dependency.</div>
</div>
</div>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"> The
logout event needs to be based on session instead of
the subject (user). A suggestion was to have the RP<br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">propose a
session identifier to the OP. This way, the RP only
needs to keep track of its own session identifier</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">which it
understands versus keeping track of another one from
the OP. The RP could also keep a list of</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">canceled
sessions within a certain time period instead of all
the active sessions.</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"><br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"> Then
the group discussed token revocation. There is a
need to signal that long lived tokens (such as those
on<br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">mobile
devices) are no longer needed. There needs to be a way
to signal termination of tokens with finer</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">granularity
(web app tokens vs mobile app tokens, etc...)</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"><br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"> The
IdP is best able to correlate where the sessions
originate from.<br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"><br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882"> It's
decided that it's better to develop all the separate
use cases and split the work into smaller chunks to
fit those<br>
</div>
<div dir="ltr"
id="yui_3_16_0_ym19_1_1475522116691_123882">cases.</div>
</div>
</div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1475522116691_123476"> <br>
</div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1475522116691_123476"><br>
</div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1475522116691_123476"><br>
</div>
<div dir="ltr" style="font-family: HelveticaNeue, 'Helvetica
Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"
id="yui_3_16_0_ym19_1_1475522116691_123806"><br
id="yui_3_16_0_ym19_1_1475522116691_123807">
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
<br>
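The quoted notes discuss two RP-side design points for back-channel logout: keying the logout event on a session identifier (sid) rather than on the subject, so that a late-arriving logout for an old session cannot kill a newer login, and having the RP remember only the cancelled sessions for a bounded time instead of mirroring every active OP session. The following is an added worked example of those two points; it is not code from the working group, from the specs, or from anyone on this thread. It assumes an HS256 logout token signed with a shared key so that it runs offline (a real RP verifies the OP's asymmetric signature against the OP's JWKS), assumes the OP issues the sid (the notes float having the RP propose one instead), and the clock-skew and retention-window values, the issuer and client identifiers, and the sample claims are all constructed for the example.<br>
<br>

```python
"""RP-side handling of OpenID Connect back-channel logout keyed on the
session (sid) rather than the subject, with a time-bounded list of
cancelled sessions. Added example; not working-group code. HS256 with a
shared key is assumed so the example runs offline; a real RP verifies the
OP's asymmetric signature via the OP's JWKS. Window values are assumed."""
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
MAX_CLOCK_SKEW = 60        # seconds of iat tolerance (assumed value)
REVOCATION_WINDOW = 3600   # seconds a cancelled sid is remembered (assumed value)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_logout_token(claims: dict, key: bytes) -> str:
    """OP side: mint an HS256-signed JWT carrying the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_logout_token(token, key, issuer, client_id, now=None):
    """Apply the Logout Token checks of OpenID Connect Back-Channel Logout 1.0
    (section 2.6). Returns the claims, or raises ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    head, body, sig = parts
    # Pin the algorithm the RP expects instead of trusting the token's alg header.
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not addressed to this RP")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + MAX_CLOCK_SKEW:
        raise ValueError("missing or future iat")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("sub or sid required")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        raise ValueError("not a back-channel logout event")
    if "nonce" in claims:
        raise ValueError("nonce is prohibited in a Logout Token")
    if "jti" not in claims:
        raise ValueError("jti required")
    return claims


class RelyingParty:
    """Tracks local sessions by the OP's sid and remembers only cancelled
    sids for a bounded window, rather than mirroring every active OP session."""

    def __init__(self, key, issuer, client_id):
        self.key, self.issuer, self.client_id = key, issuer, client_id
        self.sessions = {}     # local session id -> sid from the ID Token
        self.cancelled = {}    # sid -> time the logout was received
        self.seen_jti = set()  # replay protection for logout tokens

    def login(self, local_session_id, sid):
        self.sessions[local_session_id] = sid

    def handle_backchannel_logout(self, token, now=None):
        """Process a POSTed logout_token; returns the cancelled sid."""
        now = time.time() if now is None else now
        claims = validate_logout_token(token, self.key, self.issuer, self.client_id, now)
        if claims["jti"] in self.seen_jti:
            raise ValueError("replayed logout token")
        self.seen_jti.add(claims["jti"])
        sid = claims.get("sid")
        if sid is None:
            raise ValueError("this RP requires sid-scoped logout")  # assumed local policy
        self.cancelled[sid] = now
        for local, s in list(self.sessions.items()):
            if s == sid:
                del self.sessions[local]
        return sid

    def is_session_valid(self, local_session_id, now=None):
        """A late-arriving logout for an old sid cannot kill a newer login,
        because each login carries a fresh sid."""
        now = time.time() if now is None else now
        self.cancelled = {s: t for s, t in self.cancelled.items()
                          if now - t < REVOCATION_WINDOW}
        sid = self.sessions.get(local_session_id)
        return sid is not None and sid not in self.cancelled
```

<br>
The cancelled-sid map is the "list of canceled sessions within a certain time period" from the notes: it only has to outlive the longest ID Token or local session lifetime, after which an old sid can never reappear as a valid login, so it is safe to forget. The jti set is what turns the asynchronous back channel into something an RP can trust against replay; in a real deployment both structures would live in shared storage across RP instances rather than in process memory.<br>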
</body>
</html>