<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Spec call notes 19-Jan-17<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">John Bradley<o:p></o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Roland Hedberg<o:p></o:p></p>
<p class="MsoNormal">Phil Hunt<o:p></o:p></p>
<p class="MsoNormal">George Fletcher<o:p></o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal">Rich Levinson<o:p></o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Agenda<o:p></o:p></p>
<p class="MsoNormal"> Certification Update<o:p></o:p></p>
<p class="MsoNormal"> Backchannel Logout<o:p></o:p></p>
<p class="MsoNormal"> Logout Implementer's Draft Votes<o:p></o:p></p>
<p class="MsoNormal"> AppAuth Fork<o:p></o:p></p>
<p class="MsoNormal"> Federation Spec<o:p></o:p></p>
<p class="MsoNormal"> Open Issues<o:p></o:p></p>
<p class="MsoNormal"> Next Call<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Certification Update<o:p></o:p></p>
<p class="MsoNormal"> There are 4 RP certifications<o:p></o:p></p>
<p class="MsoNormal"> Nov Matake is also testing now<o:p></o:p></p>
<p class="MsoNormal"> Roland has deployed the new OP test tool on a virtual machine<o:p></o:p></p>
<p class="MsoNormal"> Ping is testing<o:p></o:p></p>
<p class="MsoNormal"> Edmund Jay has completed testing for NRI. The signatures are still needed.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Backchannel Logout<o:p></o:p></p>
<p class="MsoNormal"> Mike published an updated Backchannel Logout spec<o:p></o:p></p>
<p class="MsoNormal"> It is in sync with the current SecEvents spec<o:p></o:p></p>
<p class="MsoNormal"> It now allows either "sub" or "sid" or both<o:p></o:p></p>
<p class="MsoNormal"> It also removes some cut-and-paste text about the backchannel_logout_uri<o:p></o:p></p>
<p class="MsoNormal"> We can say that unless a "sid" is present, the intent is to log out all sessions at that RP<o:p></o:p></p>
<p class="MsoNormal"> We can say that logout may involve clearing or revoking additional state associated with the session, such as security tokens<o:p></o:p></p>
<p class="MsoNormal"> Phil suggested that we do this in the security considerations<o:p></o:p></p>
<p class="MsoNormal"> George described different kinds of logouts that could be performed<o:p></o:p></p>
<p class="MsoNormal"> We should say that the messages originate from the OP and the OP may have done other cleanups as part of the logout<o:p></o:p></p>
<p class="MsoNormal"> RP-initiated logout is triggered by a different message, which applies to all logout messages<o:p></o:p></p>
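<p class="MsoNormal">The following is an added illustration, not code from the call notes or from any OpenID Connect specification text: it shows how an RP might apply the "sub" or "sid" or both rule discussed above against its own session store, and how terminating a session can also revoke the security tokens tied to it. The session-store layout, the claim checks performed before this point (signature, audience, timestamps) and the sample sessions are all assumptions made for this example.<o:p></o:p></p>
```python
"""Added example: applying back-channel logout claims to an RP session store.

Assumptions (not from the call notes): the logout token has already been
parsed and its signature, audience and timestamps verified; `claims` is the
resulting dict. The session store below is a constructed in-memory stand-in
for whatever the RP really uses.
"""
from dataclasses import dataclass, field

# Constructed issuer URL for the sample data.
ISSUER = "https://op.example.invalid"


@dataclass
class Session:
    sid: str                      # OP session id carried in the ID Token
    sub: str                      # subject (end-user) identifier
    issuer: str                   # which OP this session was established with
    tokens: set = field(default_factory=set)  # access/refresh tokens bound to it


class SessionStore:
    """Minimal RP-side session store (constructed for this example)."""

    def __init__(self):
        self._sessions = {}       # local session key -> Session
        self.revoked_tokens = set()

    def add(self, key, session):
        self._sessions[key] = session

    def items(self):
        return list(self._sessions.items())

    def terminate(self, key):
        # Logout also clears state associated with the session, such as
        # security tokens: move them to the revocation set before dropping it.
        session = self._sessions.pop(key)
        self.revoked_tokens.update(session.tokens)


def is_valid_logout_claims(claims, expected_issuer):
    """A logout token must come from the expected OP and carry sub, sid or both."""
    if claims.get("iss") != expected_issuer:
        return False
    return claims.get("sub") is not None or claims.get("sid") is not None


def handle_logout_token(claims, store, expected_issuer):
    """Terminate the local sessions the logout token refers to.

    Returns the list of terminated local session keys.
    - sid present: only the session(s) with that OP session id
      (and, if sub is also present, only where the subject matches too).
    - no sid: all sessions for that subject at this RP.
    """
    if not is_valid_logout_claims(claims, expected_issuer):
        raise ValueError("logout token rejected: wrong issuer or neither sub nor sid")
    sub = claims.get("sub")
    sid = claims.get("sid")
    terminated = []
    for key, session in store.items():
        if session.issuer != expected_issuer:
            continue  # sessions with other OPs are never touched
        if sid is not None:
            if session.sid != sid:
                continue
            if sub is not None and session.sub != sub:
                continue  # both given: both must match
        elif session.sub != sub:
            continue
        store.terminate(key)
        terminated.append(key)
    return terminated


def build_sample_store():
    """Constructed sample data: two sessions for alice, one for bob."""
    store = SessionStore()
    store.add("a", Session("s1", "alice", ISSUER, {"at-1", "rt-1"}))
    store.add("b", Session("s2", "alice", ISSUER, {"at-2"}))
    store.add("c", Session("s3", "bob", ISSUER, {"at-3"}))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(handle_logout_token({"iss": ISSUER, "sid": "s1"}, store, ISSUER))
    print(sorted(store.revoked_tokens))
```
<p class="MsoNormal">Keying the match on the issuer as well as on sub/sid matters when an RP federates with more than one OP: a subject value is only meaningful relative to the issuer that minted it, so a logout from one OP must not clear sessions established with another.<o:p></o:p></p>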
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Logout Implementer's Draft Votes<o:p></o:p></p>
<p class="MsoNormal"> Mike proposes that we start a one-week review process for implementer's draft votes for the logout specs<o:p></o:p></p>
<p class="MsoNormal"> We should include Session Management in the bundle<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">AppAuth Fork<o:p></o:p></p>
<p class="MsoNormal"> Mike Schwartz described an AppAuth fork he had made<o:p></o:p></p>
<p class="MsoNormal"> John said that there are Google-specific things in the example app - not in the mainline code<o:p></o:p></p>
<p class="MsoNormal"> Nat thinks that it's just Google-specific URLs - not Google-specific APIs<o:p></o:p></p>
<p class="MsoNormal"> John said that there is also the use of a Google configuration shortcut in the example app<o:p></o:p></p>
<p class="MsoNormal"> Others could submit pull requests to enable configuration with other OPs<o:p></o:p></p>
<p class="MsoNormal"> Nat thinks we may need to dig a little deeper<o:p></o:p></p>
<p class="MsoNormal"> Mike Schwartz pointed out that the AppAuth code is not validating the ID Token signature<o:p></o:p></p>
<p class="MsoNormal"> George thought that we should merge that in<o:p></o:p></p>
<p class="MsoNormal"> John said that AppAuth is code flow only, so this isn't a security risk per se<o:p></o:p></p>
<p class="MsoNormal"> John said that we should do this in the client<o:p></o:p></p>
<p class="MsoNormal"> John said that Adam Dawes was worried about lazy developers who might pass a validated ID Token to a server that then would not validate it<o:p></o:p></p>
<p class="MsoNormal"> John thought that we should still check it in the client and also check it other places it is passed<o:p></o:p></p>
<p class="MsoNormal"> Mike Jones said that this is about communication within the app and that we might want to document best practices for that pattern<o:p></o:p></p>
<p class="MsoNormal"> If Mike Schwartz made a pull request for the signature validation across platforms, we would appreciate that<o:p></o:p></p>
<p class="MsoNormal"> John said that there is interest in an AppAuth version for the Windows Universal Platform<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Federation Spec<o:p></o:p></p>
<p class="MsoNormal"> Roland reported that a number of parties are starting pilots using the current federation draft<o:p></o:p></p>
<p class="MsoNormal"> There's one in Europe, one in the US, and one in Australia/New Zealand<o:p></o:p></p>
<p class="MsoNormal"> The Kantara Otto working group is also using the draft<o:p></o:p></p>
<p class="MsoNormal"> The metadata statements have lifetimes on them - usually related to the signature lifetimes<o:p></o:p></p>
<p class="MsoNormal"> There isn't currently a way to revoke them<o:p></o:p></p>
<p class="MsoNormal"> There isn't a globally unique identifier for an entity, which some want for accounting purposes<o:p></o:p></p>
<p class="MsoNormal"> John said that we have issuer for OPs - this is only a problem for RPs<o:p></o:p></p>
<p class="MsoNormal"> Having this would let you do revocation based on a blacklist of entity IDs<o:p></o:p></p>
<p class="MsoNormal"> Roland is also writing tests for the draft<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> There are no new open issues<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next call is Monday, January 23rd at 3pm Pacific<o:p></o:p></p>
</div>
</body>
</html>