<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Spec call notes 15-Feb-18<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Rich Levinson<o:p></o:p></p>
<p class="MsoNormal">Roland Hedberg<o:p></o:p></p>
<p class="MsoNormal">Pamela Dingle<o:p></o:p></p>
<p class="MsoNormal">George Fletcher<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Agenda:<o:p></o:p></p>
<p class="MsoNormal"> Federation Implementation Work<o:p></o:p></p>
<p class="MsoNormal"> New Python and other RP libraries<o:p></o:p></p>
<p class="MsoNormal"> OAuth AS Metadata Draft<o:p></o:p></p>
<p class="MsoNormal"> Open Issues<o:p></o:p></p>
<p class="MsoNormal"> All Other Business<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Federation Implementation Work<o:p></o:p></p>
<p class="MsoNormal"> Roland reported on implementation work for OpenID Connect Federation<o:p></o:p></p>
<p class="MsoNormal"> Some pilots are starting<o:p></o:p></p>
<p class="MsoNormal"> Need RP libraries supporting the federation draft<o:p></o:p></p>
<p class="MsoNormal"> Roland is doing Python support<o:p></o:p></p>
<p class="MsoNormal"> Updates to AppAuth for Android and iOS libraries are in progress<o:p></o:p></p>
<p class="MsoNormal"> Need OPs<o:p></o:p></p>
<p class="MsoNormal"> Two Finnish developers are working on extensions to Shibboleth<o:p></o:p></p>
<p class="MsoNormal"> Adding OpenID Connect protocol support<o:p></o:p></p>
<p class="MsoNormal"> Also adding Federation draft support<o:p></o:p></p>
<p class="MsoNormal"> Started with Implicit flow; now working on Code flow<o:p></o:p></p>
<p class="MsoNormal"> Running the certification tests concurrently with development<o:p></o:p></p>
<p class="MsoNormal"> Proxy<o:p></o:p></p>
<p class="MsoNormal"> It is possible to proxy between combinations of SAML and OpenID Connect<o:p></o:p></p>
<p class="MsoNormal"> Developed by a group of people in the Identity Python consortium<o:p></o:p></p>
<p class="MsoNormal"> For instance, NIH, which creates virtual organizations, is using it<o:p></o:p></p>
<p class="MsoNormal"> Used in higher education community<o:p></o:p></p>
<p class="MsoNormal"> Can place in front of a SAML IdP to get a Federation-aware OP<o:p></o:p></p>
<p class="MsoNormal"> Signing Services<o:p></o:p></p>
<p class="MsoNormal"> Need services to sign metadata<o:p></o:p></p>
<p class="MsoNormal"> Roland and an Italian developer are doing this work<o:p></o:p></p>
<p class="MsoNormal"> Need to have ways to handle lost and compromised keys<o:p></o:p></p>
<p class="MsoNormal"> Can either have revocation service or short trust lifetime<o:p></o:p></p>
<p class="MsoNormal"> Working on key rollover at all levels<o:p></o:p></p>
<p class="MsoNormal"> A handful of pilots will get started<o:p></o:p></p>
<p class="MsoNormal"> Want to have dynamic registration in a trusted manner<o:p></o:p></p>
<p class="MsoNormal"> Not anonymous dynamic registration<o:p></o:p></p>
<p class="MsoNormal"> ITTF - High Energy Physicists - is an early adopter<o:p></o:p></p>
<p class="MsoNormal"> Big science projects are many of the first adopters<o:p></o:p></p>
<p class="MsoNormal"> SWAMID (Swedish federation) will start a pilot in the fall<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">New Python and other RP libraries<o:p></o:p></p>
<p class="MsoNormal"> Roland reported on new RP libraries being developed<o:p></o:p></p>
<p class="MsoNormal"> Google observed that people have difficulty deploying correct RPs<o:p></o:p></p>
<p class="MsoNormal"> People are often not doing security as they should<o:p></o:p></p>
<p class="MsoNormal"> For instance, not verifying ID Tokens<o:p></o:p></p>
<p class="MsoNormal"> Google is sponsoring new libraries that will be certified<o:p></o:p></p>
<p class="MsoNormal"> Python, Java, JavaScript<o:p></o:p></p>
<p class="MsoNormal"> They will support not just required tests but also other functionality<o:p></o:p></p>
<p class="MsoNormal"> For instance, support for request and request_uri<o:p></o:p></p>
<p class="MsoNormal"> Support for more than just RSA crypto<o:p></o:p></p>
<p class="MsoNormal"> People should not avoid libraries because they are lacking functionality<o:p></o:p></p>
<p class="MsoNormal"> By default, libraries will be as secure as possible<o:p></o:p></p>
<p class="MsoNormal"> For instance, not using "alg":"none"<o:p></o:p></p>
<p class="MsoNormal"> Roland is the chief designer and implementer of the Python library<o:p></o:p></p>
<p class="MsoNormal"> Other programmers are implementing the Java and JavaScript libraries<o:p></o:p></p>
<p class="MsoNormal"> The plan is to finish by the Google I/O conference in the middle of May<o:p></o:p></p>
<p class="MsoNormal"> They are open source and not the property of Google<o:p></o:p></p>
<p class="MsoNormal"> The OpenID Foundation and the Connect WG are targeted as hosts for the code<o:p></o:p></p>
<p class="MsoNormal"> We want to have communities of invested experts who maintain the libraries<o:p></o:p></p>
<p class="MsoNormal"> George: We want to have communities that actively review PRs and do new releases<o:p></o:p></p>
<p class="MsoNormal"> For instance, there is a team of four committers on the old Python library<o:p></o:p></p>
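<p class="MsoNormal">As an added illustration of the point above about RPs that skip ID Token verification or accept "alg":"none" (example code written for these notes, not Roland's Python library or any OpenID Foundation code): a minimal ID Token check built around an explicit algorithm allow-list plus iss/aud/exp/nonce validation. To run offline it assumes an HMAC key shared with a constructed OP (HS256); a real RP would instead verify RS256/ES256 signatures against the OP's published JWKS.</p>

```python
import base64, hashlib, hmac, json, time

# Explicit allow-list: "none" is never acceptable, whatever the header says.
# A deployed RP would list the asymmetric algs its OP advertises (RS256, ES256, ...).
ALLOWED_ALGS = {"HS256"}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_id_token(token, key, issuer, client_id, nonce, now=None):
    """Return the claims of a valid ID Token; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:          # rejects "none", "HS1", unknown values
        raise ValueError("unacceptable alg: %r" % alg)
    # Signature check BEFORE trusting any claim (constant-time compare).
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong iss")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong aud")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:     # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims

def make_token(header, claims, key):
    """Constructed OP side, for the demo only: mints HS256 or unsigned 'none' tokens."""
    h = b64url_encode(json.dumps(header).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = b"" if header.get("alg") == "none" else \
        hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    return h + "." + p + "." + b64url_encode(sig)
```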
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OAuth AS Metadata Draft<o:p></o:p></p>
<p class="MsoNormal"> Mike still needs to produce an updated draft for the Area Directors<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> https://bitbucket.org/openid/connect/issues?status=new&status=open<o:p></o:p></p>
<p class="MsoNormal"> No new open issues<o:p></o:p></p>
<p class="MsoNormal"> Owners are assigned to all current issues<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">All Other Business<o:p></o:p></p>
<p class="MsoNormal"> George asked whether people sometimes implement logins without setting cookies<o:p></o:p></p>
<p class="MsoNormal"> For instance, to allow non-conflicting simultaneous logins with different accounts<o:p></o:p></p>
<p class="MsoNormal"> Those on the call didn't have experience with doing this<o:p></o:p></p>
<p class="MsoNormal"> Pam said that if George writes it up she could ask Ping's field deployers about it<o:p></o:p></p>
<p class="MsoNormal"> George and Rich described situations in which social login results in surprising behaviors<o:p></o:p></p>
<p class="MsoNormal"> Staying logged into the social IdP even after logging out of the RP<o:p></o:p></p>
<p class="MsoNormal"> George said you certainly don't want to set persistent cookies on public computers<o:p></o:p></p>
<p class="MsoNormal"> George asked whether people have integrated Vectors of Trust with OpenID Connect<o:p></o:p></p>
<p class="MsoNormal"> No one had done this<o:p></o:p></p>
<p class="MsoNormal"> Pam said that they're working more on continuous authentication, rather than VoT<o:p></o:p></p>
<p class="MsoNormal"> She'd be interested in seeing integration between those<o:p></o:p></p>
<p class="MsoNormal"> George asked about getting updated ID Tokens after the initial authentication<o:p></o:p></p>
<p class="MsoNormal"> Pam suggested possibly using Client-Initiated Backchannel Authentication (CIBA)<o:p></o:p></p>
<p class="MsoNormal"> Pam recommends that Connect experts read the MODRNA CIBA spec<o:p></o:p></p>
<p class="MsoNormal"> http://openid.net/specs/openid-connect-modrna-client-initiated-backchannel-authentication-1_0.html<o:p></o:p></p>
<p class="MsoNormal"> Especially because it is returning an ID Token<o:p></o:p></p>
<p class="MsoNormal"> Open Banking people want to use it to solve headless flows<o:p></o:p></p>
</div>
</body>
</html>