<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Spec call notes 8-Dec-16<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">John Bradley<o:p></o:p></p>
<p class="MsoNormal">Phil Hunt<o:p></o:p></p>
<p class="MsoNormal">George Fletcher<o:p></o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal">Roland Hedberg<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Agenda<o:p></o:p></p>
<p class="MsoNormal"> RP Certification Launch<o:p></o:p></p>
<p class="MsoNormal"> New Certification Work<o:p></o:p></p>
<p class="MsoNormal"> Implementer's Draft Votes<o:p></o:p></p>
<p class="MsoNormal"> OpenID Connect Federation spec<o:p></o:p></p>
<p class="MsoNormal"> Connect Errata<o:p></o:p></p>
<p class="MsoNormal"> Open Issues<o:p></o:p></p>
<p class="MsoNormal"> Next Call<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">RP Certification Launch<o:p></o:p></p>
<p class="MsoNormal"> Mike reported that we are now ready to accept RP certifications<o:p></o:p></p>
<p class="MsoNormal"> We will be counting on Hans, Edmund, Roland, etc. for initial submissions<o:p></o:p></p>
<p class="MsoNormal"> John asked about testing AppAuth<o:p></o:p></p>
<p class="MsoNormal"> Mike said that William and Adam have said that they want to test<o:p></o:p></p>
<p class="MsoNormal"> We believe that it's highly in everyone's interest to do the testing and understand gaps<o:p></o:p></p>
<p class="MsoNormal"> John will talk with William and Adam about making this happen<o:p></o:p></p>
<p class="MsoNormal"> John talked about the thousands of apps that are insecure that do non-Connect OAuth-y things<o:p></o:p></p>
<p class="MsoNormal"> Some of these profiles use "azp"<o:p></o:p></p>
<p class="MsoNormal"> We would need an actual spec for handing ID Tokens to worker sites in order to test it<o:p></o:p></p>
<p class="MsoNormal"> This is possible new work in the Connect WG<o:p></o:p></p>
<p class="MsoNormal"> It's on the boundary between OAuth and Connect<o:p></o:p></p>
<p class="MsoNormal"> George: There are lots of things people do that are worth documenting<o:p></o:p></p>
<p class="MsoNormal"> Some of this stuff takes ID Tokens and treats them as access tokens<o:p></o:p></p>
<p class="MsoNormal"> Some of this work would be to profile down what we already have<o:p></o:p></p>
<p class="MsoNormal"> The OAuth Native Apps BCP is relevant https://tools.ietf.org/html/draft-ietf-oauth-native-apps<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">New Certification Work<o:p></o:p></p>
<p class="MsoNormal"> We will be updating the software version<o:p></o:p></p>
<p class="MsoNormal"> We will need volunteers to retest OPs<o:p></o:p></p>
<p class="MsoNormal"> There will be new certification profiles for the WG to review<o:p></o:p></p>
<p class="MsoNormal"> For instance, form post response mode, refresh token, logouts<o:p></o:p></p>
<p class="MsoNormal"> Mike will send the new profile definitions for the working group to review<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Implementer's Draft Votes<o:p></o:p></p>
<p class="MsoNormal"> We should have Implementer's Draft votes for the three logout specs soon<o:p></o:p></p>
<p class="MsoNormal"> Mike needs to update the Back-Channel Logout draft to use the latest SecEvent syntax first<o:p></o:p></p>
<p class="MsoNormal"> FAPI is almost ready to submit for votes as well<o:p></o:p></p>
<p class="MsoNormal"> Nat (as WG chair) will get Mike (as secretary) the drafts and announcement text<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OpenID Connect Federation spec<o:p></o:p></p>
<p class="MsoNormal"> Roland reported that several people in the GEANT project are doing implementations in different languages<o:p></o:p></p>
<p class="MsoNormal"> The plan is to do interop and test the theoretical model in reality<o:p></o:p></p>
<p class="MsoNormal"> People wonder whether the key handling will be too complicated for administrators<o:p></o:p></p>
<p class="MsoNormal"> Mike asked whether it is still asymmetric with one OP and multiple RPs<o:p></o:p></p>
<p class="MsoNormal"> Roland said that it's now symmetric<o:p></o:p></p>
<p class="MsoNormal"> People are happy that it supports multiple federations explicitly<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Connect Errata<o:p></o:p></p>
<p class="MsoNormal"> Mike still has a few edits to do<o:p></o:p></p>
<p class="MsoNormal"> Eventually we will want to use the OAuth AS Metadata registry in our Discovery spec<o:p></o:p></p>
<p class="MsoNormal"> Mike and Phil had a side conversation about moving the AS Metadata spec forward<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> https://bitbucket.org/openid/connect/issues?status=new&status=open<o:p></o:p></p>
<p class="MsoNormal"> #1000: Logout Token has wrong mandatory field (sub vs. jti)<o:p></o:p></p>
<p class="MsoNormal"> Previously discussed. Now assigned to Mike.<o:p></o:p></p>
<p class="MsoNormal"> #1002: Clarify meaning of exp claim in ID Token<o:p></o:p></p>
<p class="MsoNormal"> Previously discussed. Now assigned to Mike.<o:p></o:p></p>
<p class="MsoNormal"> #1003: Document possible impacts of disabling third-party cookies on front-channel logout<o:p></o:p></p>
<p class="MsoNormal"> The working group is seeking more information on things that work and don't<o:p></o:p></p>
<p class="MsoNormal"> #1004: Core 8.1 Pairwise identifier algorithm and native apps<o:p></o:p></p>
<p class="MsoNormal"> The working group should look at this<o:p></o:p></p>
<p class="MsoNormal"> #1005: Clarify "left truncated SHA-2 hash" in section on symmetric encryption<o:p></o:p></p>
<p class="MsoNormal"> Editorial. Assigned to Mike.<o:p></o:p></p>
<p class="MsoNormal"> #1006: Clarify text in Third Party Initiated Login<o:p></o:p></p>
<p class="MsoNormal"> Mike will propose language<o:p></o:p></p>
<p class="MsoNormal"> John pointed out that we need warning language about 3rd party logout due to the mix-up attack<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The call is scheduled for Monday at 3pm Pacific time but too many people will be on vacation<o:p></o:p></p>
<p class="MsoNormal"> We will cancel that one<o:p></o:p></p>
<p class="MsoNormal"> We will try to have the call on Thursday the 22nd in two weeks<o:p></o:p></p>
<p class="MsoNormal"> We are also cancelling the call on December 26th<o:p></o:p></p>
</div>
</body>
</html>