<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-AU" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Couple of comments on openid-connect-session-1_0:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">1.<o:p></o:p></p>
<p class="MsoNormal">I assumed the “exp” (expiry) member in an id_token indicates a when the RP can accept the id_token to
<i>start</i> a session. It would typically be minutes after when the id_token was issued. The user’s session with the OP and its session with the RP could last for much longer.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">However, §4. “Session Status Change Notification” says “the RP MAY rely on it [id_token expiration date] to expire the RP session”. The next sentence talks about a situation where the user logout of the OP before the id_token expires, and
the text goes on to imply this is the motivation for this session management spec.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">2.<o:p></o:p></p>
<p class="MsoNormal">§4.1. “RP iframe” says the “RP MUST perform re-authentication with prompt=none”, but then in the next paragraph says the RP “SHOULD first try a prompt=none request”. The MUST & SHOULD seem to clash.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">3.<o:p></o:p></p>
<p class="MsoNormal">The abstract could be more useful. It says too much about OIDC generically and too little about the session management spec. Its first paragraph is not about the session management spec at all, just generic OIDC words. Drop that from the
abstract, though it’s ok in the introduction. The abstract should mention the OP, RP, and iframes. My suggestion:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> This specification defines mechanisms that allow a user’s sessions at an OpenID Provider<o:p></o:p></p>
<p class="MsoNormal"> and a relying party to be coordinated. It allows a logout at one to be appropriately handled<o:p></o:p></p>
<p class="MsoNormal"> at the other. Efficient interactions while avoiding excessive polling are achieved by posting<o:p></o:p></p>
<p class="MsoNormal"> messages between iframes.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[Perhaps “relying parties” (plural) in the abstract would be even better?]<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-AU">--<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-AU">James Manger<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>