<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
<div class="WordSection1">
<p class="MsoNormal">Resending…</p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="border:none;padding:0in"><b>From: </b><a href="mailto:Michael.Jones@microsoft.com">Mike Jones</a><br>
<b>Sent: </b>Thursday, December 22, 2016 8:18 AM<br>
<b>To: </b><a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject: </b>Spec call notes 22-Dec-16</p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div class="WordSection1">
<p class="MsoNormal">Spec call notes 22-Dec-16<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">John Bradley<o:p></o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal">Rich Levinson<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Agenda<o:p></o:p></p>
<p class="MsoNormal"> Certification Update<o:p></o:p></p>
<p class="MsoNormal"> Logout<o:p></o:p></p>
<p class="MsoNormal"> OAuth Threats Paper<o:p></o:p></p>
<p class="MsoNormal"> Prateek's E-mail on Certification Requirements<o:p></o:p></p>
<p class="MsoNormal"> Open Issues<o:p></o:p></p>
<p class="MsoNormal"> Next Call<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> #1004 Core 8.1 Pairwise identifier algorithm and native apps<o:p></o:p></p>
<p class="MsoNormal"> We discussed that custom scheme URIs can include hostnames<o:p></o:p></p>
<p class="MsoNormal"> It is possible to register a sector identifier that refers to your custom schemes<o:p></o:p></p>
<p class="MsoNormal"> Assigned to John to discuss registering sector identifiers for this case<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Certification Update<o:p></o:p></p>
<p class="MsoNormal"> We now have three RP certifications registered, with more expected shortly<o:p></o:p></p>
<p class="MsoNormal"> Yahoo! Japan has certified their OP<o:p></o:p></p>
<p class="MsoNormal"> Verizon has certified their OP<o:p></o:p></p>
<p class="MsoNormal"> We will discuss new certification profiles in January<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Logout<o:p></o:p></p>
<p class="MsoNormal"> Mike needs to update Backchannel Logout to use the current version of the ID Events spec<o:p></o:p></p>
<p class="MsoNormal"> After that, we should have an Implementer's Draft vote<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OAuth Threats Paper<o:p></o:p></p>
<p class="MsoNormal"> Rich brought up the paper by Chinese researchers on OAuth threats<o:p></o:p></p>
<p class="MsoNormal"> "Exploiting OAuth 2.0 Protocol in Mobile Applications"<o:p></o:p></p>
<p class="MsoNormal"> https://www.enisa.europa.eu/publications/info-notes/exploiting-oauth-2-0-protocol-in-mobile-applications<o:p></o:p></p>
<p class="MsoNormal"> John has interacted with them to some extent<o:p></o:p></p>
<p class="MsoNormal"> The problem is that people are doing things beyond what the OAuth and Connect specs describe<o:p></o:p></p>
<p class="MsoNormal"> In fact, many of the things described are precluded by the specs<o:p></o:p></p>
<p class="MsoNormal"> John believes that Google is planning communication to their developers on this topic<o:p></o:p></p>
<p class="MsoNormal"> John said that we could document a pattern on this that can then be secured and is testable<o:p></o:p></p>
<p class="MsoNormal"> This would involve RPs being OAuth Servers to protect their APIs<o:p></o:p></p>
<p class="MsoNormal"> John had also raised this at the IETF OAuth meeting<o:p></o:p></p>
<p class="MsoNormal"> Not much interest was expressed there<o:p></o:p></p>
<p class="MsoNormal"> In fact, some people felt that documenting an arguably bad practice would be counterproductive<o:p></o:p></p>
<p class="MsoNormal"> Brian said that people that don't check signatures aren't likely to adopt new specs anyway<o:p></o:p></p>
<p class="MsoNormal"> Brian said that we should try to discourage large providers from promoting this pattern<o:p></o:p></p>
<p class="MsoNormal"> John said that this pattern also often involves use of proprietary APIs, such as custom introspection endpoints<o:p></o:p></p>
<p class="MsoNormal"> Mike asked if there was a public blog post or other document responding to this that we could refer people to<o:p></o:p></p>
<p class="MsoNormal"> John said that William Denniss is supposed to be working on one<o:p></o:p></p>
<p class="MsoNormal"> John will follow up with William about this<o:p></o:p></p>
<p class="MsoNormal"> John said that Ping is also planning developer communications on this topic<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Prateek's E-mail on Certification Requirements<o:p></o:p></p>
<p class="MsoNormal"> Mike had responded to the e-mail saying that the test tool displays the mandatory tests for each response type<o:p></o:p></p>
<p class="MsoNormal"> Rich hoped there would be links from the tests to mandatory spec language<o:p></o:p></p>
<p class="MsoNormal"> Mike said that this is present in the RP Certification suite<o:p></o:p></p>
<p class="MsoNormal"> Mike agreed that it would be good to add this to the OP Certification software<o:p></o:p></p>
<p class="MsoNormal"> Mike will document the color coding on the list<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> Our next call is Thursday, Jan 5, 2017 at 7am Pacific<o:p></o:p></p>
</div>
</div>
</body>
</html>