<div dir="ltr"><div><div><div dir="ltr"><span style="font-size:small;text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Mike, </span></div><div dir="ltr"><span style="font-size:small;text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br></span></div><div dir="ltr"><span style="font-size:small;text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">The OpenID Process is available from </span><a href="https://openid.net/intellectual-property/" style="color:rgb(17,85,204);font-size:small" target="_blank">https://openid.net/intellectual-property/</a><div style="font-size:small;text-decoration-style:initial;text-decoration-color:initial">The direct links are: </div><div style="font-size:small;text-decoration-style:initial;text-decoration-color:initial"><br></div><font size="4"><a href="https://openid.net/wordpress-content/uploads/2010/01/OpenID_Process_Document_December_2009_Final_Approved.doc" style="color:rgb(247,140,64);text-decoration:none;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background-color:rgb(250,250,250)" target="_blank">OpenID Process – Word Doc</a><br style="text-decoration-style:initial;text-decoration-color:initial;color:rgb(90,90,90);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background-color:rgb(250,250,250)"><a href="https://openid.net/wordpress-content/uploads/2010/01/OpenID_Process_Document_December_2009_Final_Approved.pdf" style="color:rgb(247,140,64);text-decoration:none;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background-color:rgb(250,250,250)" target="_blank">OpenID Process – PDF</a></font><div style="font-size:small;text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="font-size:small;text-decoration-style:initial;text-decoration-color:initial">Since you have agreed to the Contribution Agreement which fully incorporates it, you must have read it. 
</div><div style="font-size:small;text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="font-size:small;text-decoration-style:initial;text-decoration-color:initial">These processes have been there and clearly published since December 2009. <br></div><div style="font-size:small;text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="font-size:small;text-decoration-style:initial;text-decoration-color:initial"><div style="font-size:small;text-decoration-style:initial;text-decoration-color:initial">The WG process is defined as intra-WG decisions. </div><div style="font-size:small;text-decoration-style:initial;text-decoration-color:initial">It is a consensus (not unanimous) process. We almost never vote. Needing to vote actually is a sign of failure. That's in line with the WTO TBT Treaty for the process to be followed by an international standardization organization. </div></div><div style="font-size:small;text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="font-size:small;text-decoration-style:initial;text-decoration-color:initial">Let me quote this from the process document: </div><div style="font-size:small;text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="font-size:small;text-decoration-style:initial;text-decoration-color:initial"><i>3.3 Consensus. Consensus is a core WG value. To promote consensus, Editors should encourage consideration and resolution of all legitimate comments of Contributors. All Intra-WG decisions will optimally be made by determining consensus, without formal vote. Editor(s) will assess consensus without a formal vote and, when a proposal is pending, may interpret silence of those who have received proper notice (or who are present) as assent. Consensus does not imply unanimity, although there should be substantial support for consensus decisions. 
For Intra-WG, Core Decisions, consensus should reasonably reflect the opinion of a Supermajority of Contributors to the applicable WG, after reasonable inquiry by the Editors. For Intra-WG, Non-Core Decisions, consensus should reflect the opinion of a majority of Contributors actually expressing an opinion. If a decision cannot be made by consensus, the WG should defer decision until consensus can be reached. If deferral would prejudice a WG’s work, however, the Editor(s) may call a formal vote in accordance with §3.4. </i><br></div><div style="font-size:small;text-decoration-style:initial;text-decoration-color:initial" dir="auto"><br></div><div style="font-size:small;text-decoration-style:initial;text-decoration-color:initial" dir="auto">In this particular incident, I, as a chair of AB/Connect WG, had to do some digging to see whether the process was followed. (Note: I am not an Editor.) It took longer than I thought. Sorry for the delay. </div><div style="font-size:small;text-decoration-style:initial;text-decoration-color:initial" dir="auto"><br></div><div style="text-decoration-style:initial;text-decoration-color:initial" dir="auto"><div style="font-family:-webkit-standard" dir="auto"><span style="color:rgb(49,49,49);font-family:-apple-system,HelveticaNeue;word-spacing:1px">According to my research, the editors solicited comments on January 31 on the draft both in the form of email [1] and as an</span><span style="color:rgb(49,49,49);font-family:-apple-system,HelveticaNeue;word-spacing:1px"> </span><a href="http://openid.net/" style="font-family:-apple-system,HelveticaNeue;word-spacing:1px" target="_blank">openid.net</a><span style="color:rgb(49,49,49);font-family:-apple-system,HelveticaNeue;word-spacing:1px"> </span><span style="color:rgb(49,49,49);font-family:-apple-system,HelveticaNeue;word-spacing:1px">post [2]. 
</span></div><div style="font-size:16px;color:rgb(49,49,49);word-spacing:1px" dir="auto"><br></div><div style="font-size:1rem;color:rgb(49,49,49);word-spacing:1px" dir="auto"><div>[1] <a href="http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20180129/006706.html" style="font-size:1rem" target="_blank">http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20180129/006706.html</a></div><div></div></div><div style="font-size:1rem;color:rgb(49,49,49);word-spacing:1px" dir="auto"><div>[2] <a href="http://openid.net/2018/01/31/openid-connect-federation-draft-04/" style="font-size:1rem" target="_blank">http://openid.net/2018/01/31/openid-connect-federation-draft-04/</a></div></div><div style="font-size:16px;color:rgb(49,49,49);word-spacing:1px" dir="auto"><br></div><div style="color:rgb(49,49,49);word-spacing:1px" dir="auto">These count as proper notices. </div><div style="color:rgb(49,49,49);word-spacing:1px" dir="auto"><br></div><div style="color:rgb(49,49,49);word-spacing:1px" dir="auto">There has been no response to it. 
</div><div style="color:rgb(49,49,49);word-spacing:1px" dir="auto"><br></div><div style="color:rgb(49,49,49);word-spacing:1px" dir="auto">As quoted above, Section 3.3 of the process document states: </div><div style="color:rgb(49,49,49);word-spacing:1px" dir="auto"><br></div><div style="color:rgb(49,49,49);word-spacing:1px" dir="auto"><i>Editor(s) will assess consensus without a formal vote and, when a proposal is pending, may interpret silence of those who have received proper notice (or who are present) as assent. </i></div><div style="color:rgb(49,49,49);word-spacing:1px" dir="auto"><br></div><div style="color:rgb(49,49,49);word-spacing:1px" dir="auto">It was only after the 45-day public review for the implementer's draft had been announced that the comments started to come in. </div><div style="color:rgb(49,49,49);word-spacing:1px" dir="auto">For those comments, the editors agreed to address them in the next revision. As a chair, I would strongly advise the commenters to post those issues in the issue tracker so that editors will not forget about them. </div><div style="font-family:-webkit-standard" dir="auto"></div></div><div style="text-decoration-style:initial;text-decoration-color:initial" dir="auto"><br></div><div style="text-decoration-style:initial;text-decoration-color:initial" dir="auto"><div style="font-family:-webkit-standard;word-spacing:1px" dir="auto"><div style=""><span style="color:rgb(49,49,49);font-family:-apple-system,HelveticaNeue">Note that all the drafts are out there for technical comments solicitation. Otherwise, there is no value in having them there. </span></div></div><div style="font-family:-webkit-standard;word-spacing:1px" dir="auto"><span style="color:rgb(49,49,49);font-family:-apple-system,HelveticaNeue">Editorial comments can wait until a later stage, but technical comments need to be in as soon as it is noticed. 
</span></div><div style="font-family:-webkit-standard;word-spacing:1px" dir="auto"><span style="color:rgb(49,49,49);font-family:-apple-system,HelveticaNeue">You can always file issues in the tracker. <u><b>It is the responsibility of the WG members to do so as soon as possible</b></u>. </span></div><div style="font-family:-webkit-standard;word-spacing:1px" dir="auto"><span style="color:rgb(49,49,49);font-family:-apple-system,HelveticaNeue">Then, it will be treated. </span></div><div style="font-size:1rem;font-family:-webkit-standard;word-spacing:1px" dir="auto"><span style="font-size:1rem;color:rgb(49,49,49);font-family:-apple-system,HelveticaNeue"><br></span></div><div style="font-family:-webkit-standard;word-spacing:1px" dir="auto"><span style="color:rgb(49,49,49);font-family:-apple-system,HelveticaNeue">If you are not sure if that is a valid issue and first want to consult the list or calls, you can do so as well. </span></div><div style="font-family:-webkit-standard;word-spacing:1px" dir="auto"><span style="color:rgb(49,49,49);font-family:-apple-system,HelveticaNeue">But, at the end of the day, issues have to be filed to the tracker if they need treatment. </span></div><div style="font-family:-webkit-standard;word-spacing:1px" dir="auto"><span style="color:rgb(49,49,49);font-family:-apple-system,HelveticaNeue">These will be discussed in the calls as well as in the tracker. </span></div><div style="font-family:-webkit-standard;word-spacing:1px" dir="auto"><br style="color:rgb(49,49,49)"></div><div style="font-family:-webkit-standard;word-spacing:1px" dir="auto"><span style="color:rgb(49,49,49);font-family:-apple-system,HelveticaNeue">As Mike Jones apologized on the list, for this particular case, the notification from the editors to the WG was not as clear as I had wished. That’s one of the reasons why it took me so long to dig things up. It could have been done better. 
</span></div><div style="font-family:-webkit-standard;word-spacing:1px" dir="auto"><span style="color:rgb(49,49,49);font-family:-apple-system,HelveticaNeue"><br></span></div><div style="font-family:-webkit-standard;word-spacing:1px" dir="auto"><span style="color:rgb(49,49,49);font-family:-apple-system,HelveticaNeue">However, I would strongly object to your comment that the WG processes are not published and WG consensus is almost never called. </span></div><div style="word-spacing:1px" dir="auto"><font color="#313131">The process has always been published and is fully incorporated in the contribution agreement <b>that you have signed</b>. </font></div><div style="word-spacing:1px" dir="auto"><font color="#313131"><br></font></div><div style="word-spacing:1px" dir="auto"><font color="#313131" style="">“WG consensus call” is not necessary as it is something that the editor should measure. However, in many cases, for measurement purposes, editors have been calling for it. For example, I can find such a note from Mike Jones for logout implementer's drafts sent out on Jan 26, 2017. Or at least for FAPI WG, these can be evidently read from the meeting notes as well as on the list archive. 
</font></div><div style="word-spacing:1px" dir="auto"><font color="#313131"><br></font></div><div style="word-spacing:1px" dir="auto"><font color="#313131">Best regards, </font></div><div style="word-spacing:1px" dir="auto"><font color="#313131"><br></font></div><div style="word-spacing:1px" dir="auto"><font color="#313131" style="">Nat Sakimura </font></div></div><br></div></div><div></div></div><div><div><br><div class="gmail_quote"><div dir="ltr">On Sat, Jul 21, 2018 at 1:53 AM Mike Schwartz via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">"That said I have complained many times because of issues like this that <br>
the WG processes are not published and wg consensus is almost never <br>
called. There is too much rush to implementation without a last call. <br>
This is a serious problem the board must resolve."<br>
<br>
Thank you Phil. That's exactly what I was pointing out.<br>
<br>
- Mike<br>
<br>
<br>
------------------------<br>
Michael Schwartz<br>
Gluu<br>
Founder / CEO<br>
<a href="mailto:mike@gluu.org" target="_blank">mike@gluu.org</a><br>
<a href="https://www.linkedin.com/in/nynymike/" rel="noreferrer" target="_blank">https://www.linkedin.com/in/nynymike/</a><br>
<br>
On 2018-07-20 10:19, <a href="mailto:openid-specs-ab-request@lists.openid.net" target="_blank">openid-specs-ab-request@lists.openid.net</a> wrote:<br>
> Send Openid-specs-ab mailing list submissions to<br>
> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
> <br>
> To subscribe or unsubscribe via the World Wide Web, visit<br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
> or, via email, send a message with subject or body 'help' to<br>
> <a href="mailto:openid-specs-ab-request@lists.openid.net" target="_blank">openid-specs-ab-request@lists.openid.net</a><br>
> <br>
> You can reach the person managing the list at<br>
> <a href="mailto:openid-specs-ab-owner@lists.openid.net" target="_blank">openid-specs-ab-owner@lists.openid.net</a><br>
> <br>
> When replying, please edit your Subject line so it is more specific<br>
> than "Re: Contents of Openid-specs-ab digest..."<br>
> <br>
> <br>
> Today's Topics:<br>
> <br>
> 1. Re: Please Either ABSTAIN or OBJECT from the Federation Spec<br>
> Vote (Phil Hunt)<br>
> 2. Re: Please Either ABSTAIN or OBJECT from the Federation Spec<br>
> Vote (Nick Roy)<br>
> <br>
> <br>
> ----------------------------------------------------------------------<br>
> <br>
> Message: 1<br>
> Date: Fri, 20 Jul 2018 08:17:26 -0700<br>
> From: Phil Hunt <<a href="mailto:phil.hunt@oracle.com" target="_blank">phil.hunt@oracle.com</a>><br>
> To: Nick Roy <<a href="mailto:nroy@internet2.edu" target="_blank">nroy@internet2.edu</a>><br>
> Cc: <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
> Subject: Re: [Openid-specs-ab] Please Either ABSTAIN or OBJECT from<br>
> the Federation Spec Vote<br>
> Message-ID: <<a href="mailto:7E5127BC-E880-4BC9-9F02-DF9600A129A8@oracle.com" target="_blank">7E5127BC-E880-4BC9-9F02-DF9600A129A8@oracle.com</a>><br>
> Content-Type: text/plain; charset=us-ascii<br>
> <br>
> <br>
> <br>
> Phil<br>
> <br>
>> On Jul 20, 2018, at 8:16 AM, Phil Hunt <<a href="mailto:phil.hunt@oracle.com" target="_blank">phil.hunt@oracle.com</a>> wrote:<br>
>> <br>
>> I agree with Nick. The correct process (as I sort of understand it) <br>
>> and discussion was followed.<br>
>> <br>
>> That said I have complained many times because of issues like this <br>
>> that the WG processes are not published and wg consensus is almost <br>
>> never called.<br>
>> <br>
>> There is too much rush to implementation without a last call.<br>
>> <br>
>> This is a serious problem the board must resolve.<br>
>> <br>
>> Phil<br>
>> <br>
>>> On Jul 20, 2018, at 7:34 AM, Nick Roy via Openid-specs-ab <br>
>>> <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br>
>>> <br>
>>> This time to the list...<br>
>>> <br>
>>>> On Jul 20, 2018, at 8:30 AM, Nick Roy <<a href="mailto:nroy@internet2.edu" target="_blank">nroy@internet2.edu</a>> wrote:<br>
>>>> <br>
>>>> Mike, I personally provided feedback to Roland which he incorporated<br>
>>>> into an updated draft over a year ago. The spec has been available <br>
>>>> in<br>
>>>> draft form in github for something like two years.<br>
>>>> <br>
>>>> Nick<br>
>>>> <br>
>>>> On 7/20/18 8:16 AM, Mike Schwartz via Openid-specs-ab wrote:<br>
>>>>>> And there's nothing that prevents that, just like there is nothing <br>
>>>>>> that<br>
>>>>>> prevented me from working on HEART if I wanted to.<br>
>>>>>> <br>
>>>>>> Nick<br>
>>>>> <br>
>>>>> Actually, you're wrong. And I'm pretty active in the OpenID Connect<br>
>>>>> community... I don't think anyone would say otherwise.<br>
>>>>> <br>
>>>>> None of the design decisions on this spec were put to any kind of <br>
>>>>> vote.<br>
>>>>> And as I pointed out previously, discussion was limited. It was a <br>
>>>>> take<br>
>>>>> it or leave it design. Being presented at a conference is not the <br>
>>>>> same<br>
>>>>> as getting a say in the process.<br>
>>>>> <br>
>>>>> It was a closed process, where Jones/Hedberg might or might take <br>
>>>>> your<br>
>>>>> suggestions, depending on their whim. It has the veneer of <br>
>>>>> openness, but<br>
>>>>> it's not actually open. It's a one party vote, take it or leave it.<br>
>>>>> <br>
>>>>> I can't start a spec and call it the "Connect AB Alternate <br>
>>>>> Federation<br>
>>>>> Spec" and have it published here <br>
>>>>> <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__openid.net_connect_&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=jglkfzh43veJDEsRH8sokGmpsmrh2afbdzoPw7Z-XH0&e=" rel="noreferrer" target="_blank">https://urldefense.proofpoint.com/v2/url?u=http-3A__openid.net_connect_&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=jglkfzh43veJDEsRH8sokGmpsmrh2afbdzoPw7Z-XH0&e=</a> <br>
>>>>> So this<br>
>>>>> spec was given VERY special treatment, placement and promotion.<br>
>>>>> <br>
>>>>> Let's not call this an open process when it's not.<br>
>>>>> <br>
>>>>> - Mike<br>
>>>>> <br>
>>>>> <br>
>>>>> <br>
>>>>> ------------------------<br>
>>>>> Michael Schwartz<br>
>>>>> Gluu<br>
>>>>> Founder / CEO<br>
>>>>> <a href="mailto:mike@gluu.org" target="_blank">mike@gluu.org</a><br>
>>>>> <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.linkedin.com_in_nynymike_&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=hpgFrnPt9eP5DCbWWSkhzDGGgkCLxqsYB5OxNoFp674&e=" rel="noreferrer" target="_blank">https://urldefense.proofpoint.com/v2/url?u=https-3A__www.linkedin.com_in_nynymike_&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=hpgFrnPt9eP5DCbWWSkhzDGGgkCLxqsYB5OxNoFp674&e=</a><br>
>>>>> <br>
>>>>>> On 2018-07-20 06:17, <a href="mailto:openid-specs-ab-request@lists.openid.net" target="_blank">openid-specs-ab-request@lists.openid.net</a> <br>
>>>>>> wrote:<br>
>>>>>> Today's Topics:<br>
>>>>>> <br>
>>>>>> 1. Re: Please Either ABSTAIN or OBJECT from the Federation Spec<br>
>>>>>> Vote (Nick Roy)<br>
>>>>>> 2. Issue #1032: rp-initiated logout - proposal for client_id<br>
>>>>>> parameter (openid/connect) (Filip Skokan)<br>
>>>>>> 3. Re: Issue #1032: rp-initiated logout - proposal for client_id<br>
>>>>>> parameter (openid/connect) (Vladimir Dzhuvinov)<br>
>>>>>> 4. Re: Issue #1032: rp-initiated logout - proposal for client_id<br>
>>>>>> parameter (openid/connect) (Filip Skokan)<br>
>>>>>> <br>
>>>>>> <br>
>>>>>> ----------------------------------------------------------------------<br>
>>>>>> <br>
>>>>>> Message: 1<br>
>>>>>> Date: Thu, 19 Jul 2018 18:05:45 +0000<br>
>>>>>> From: Nick Roy <<a href="mailto:nroy@internet2.edu" target="_blank">nroy@internet2.edu</a>><br>
>>>>>> To: "<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>"<br>
>>>>>> <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
>>>>>> Subject: Re: [Openid-specs-ab] Please Either ABSTAIN or OBJECT <br>
>>>>>> from<br>
>>>>>> the Federation Spec Vote<br>
>>>>>> Message-ID:<br>
>>>>>> <br>
>>>>>> <<a href="mailto:CY4PR08MB35449C06D30AE97F5188DDFA83520@CY4PR08MB3544.namprd08.prod.outlook.com" target="_blank">CY4PR08MB35449C06D30AE97F5188DDFA83520@CY4PR08MB3544.namprd08.prod.outlook.com</a>><br>
>>>>>> <br>
>>>>>> Content-Type: text/plain; charset="us-ascii"<br>
>>>>>> <br>
>>>>>> And there's nothing that prevents that, just like there is nothing <br>
>>>>>> that<br>
>>>>>> prevented me from working on HEART if I wanted to.<br>
>>>>>> <br>
>>>>>> Nick<br>
>>>>>> <br>
>>>>>>> On 7/19/18 10:43 AM, Mike Schwartz via Openid-specs-ab wrote:<br>
>>>>>>> Nick,<br>
>>>>>>> <br>
>>>>>>> I thought you had a good idea to move federation to its own WG.<br>
>>>>>>> <br>
>>>>>>> So of course, I'm all for OpenID federations. And I'm also really<br>
>>>>>>> interested in this proposed design. And I appreciate the work <br>
>>>>>>> done by<br>
>>>>>>> the current editors. It might be the best way. But I was never <br>
>>>>>>> given a<br>
>>>>>>> choice of A or B. I was just given a choice to approve A.<br>
>>>>>>> <br>
>>>>>>> I think the community should get a say in this design of this <br>
>>>>>>> spec.<br>
>>>>>>> <br>
>>>>>>> - Mike<br>
>>>>>>> <br>
>>>>>>> <br>
>>>>>>> <br>
>>>>>>>> it sounds like you aren't interested in working in an R&E <br>
>>>>>>>> working<br>
>>>>>>>> group.<br>
>>>>>>>> My understanding is that this WG will pursue R&E use cases for <br>
>>>>>>>> this<br>
>>>>>>>> profile. Since R&E is one of the largest users of multilateral <br>
>>>>>>>> SAML<br>
>>>>>>>> federation, I think exploring use of the OIDC Federation work in <br>
>>>>>>>> that<br>
>>>>>>>> space is a great next step.<br>
>>>>>>>> <br>
>>>>>>>> Nick<br>
>>>>>>>> <br>
>>>>>>> _______________________________________________<br>
>>>>>>> Openid-specs-ab mailing list<br>
>>>>>>> <a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
>>>>>>> <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dab&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=vqMu4wpIOPufViYMGvzTtZtsynYxmLnmUHJCL88jWLY&e=" rel="noreferrer" target="_blank">https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dab&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=vqMu4wpIOPufViYMGvzTtZtsynYxmLnmUHJCL88jWLY&e=</a><br>
>>>>>>> <br>
>>>>>> <br>
>>>>>> <br>
>>>>>> ------------------------------<br>
>>>>>> <br>
>>>>>> Message: 2<br>
>>>>>> Date: Fri, 20 Jul 2018 08:10:50 +0000 (UTC)<br>
>>>>>> From: "Filip Skokan" <<a href="mailto:issues-reply@bitbucket.org" target="_blank">issues-reply@bitbucket.org</a>><br>
>>>>>> To: <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
>>>>>> Subject: [Openid-specs-ab] Issue #1032: rp-initiated logout - <br>
>>>>>> proposal<br>
>>>>>> for client_id parameter (openid/connect)<br>
>>>>>> Message-ID:<br>
>>>>>> <<a href="mailto:20180720081050.39616.17365@celery-worker-105.ash1.bb-inf.net" target="_blank">20180720081050.39616.17365@celery-worker-105.ash1.bb-inf.net</a>><br>
>>>>>> Content-Type: text/plain; charset="utf-8"<br>
>>>>>> <br>
>>>>>> New issue 1032: rp-initiated logout - proposal for client_id <br>
>>>>>> parameter<br>
>>>>>> <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_connect_issues_1032_rp-2Dinitiated-2Dlogout-2Dproposal-2Dfor-2Dclient-5Fid&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=XPovg09GXpcxWGyelD8zKNCUzJP71dmPh3bNGNK7k5w&e=" rel="noreferrer" target="_blank">https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_connect_issues_1032_rp-2Dinitiated-2Dlogout-2Dproposal-2Dfor-2Dclient-5Fid&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=XPovg09GXpcxWGyelD8zKNCUzJP71dmPh3bNGNK7k5w&e=</a><br>
>>>>>> <br>
>>>>>> Filip Skokan:<br>
>>>>>> <br>
>>>>>> I'd like to request that a parameter (optional or required?) <br>
>>>>>> client_id<br>
>>>>>> is defined for rp-initiated logout request.<br>
>>>>>> <br>
>>>>>> rationale:<br>
>>>>>> <br>
>>>>>> Currently the id_token_hint is the only way of identifying the <br>
>>>>>> client<br>
>>>>>> that's making the request. In scenarios where a client does not <br>
>>>>>> yet<br>
>>>>>> have an id_token but makes a request to authenticate which fails <br>
>>>>>> (e.g.<br>
>>>>>> due to being requested with essential sub claim through claims) <br>
>>>>>> the<br>
>>>>>> next step will be to trigger an rp initiated logout with a <br>
>>>>>> registered<br>
>>>>>> post_logout_redirect_uri but without an id_token_hint. This can be<br>
>>>>>> problematic for OP deployments with a high number of clients as it <br>
>>>>>> is<br>
>>>>>> not efficient or sometimes even not possible to iterate over all <br>
>>>>>> of<br>
>>>>>> them to see if this post_logout_redirect_uri is whitelisted or <br>
>>>>>> not.<br>
>>>>>> Hence the client_id parameter to make this lookup possible and<br>
>>>>>> efficient.<br>
>>>>>> <br>
>>>>>> Further processing may be defined such as if both client_id and<br>
>>>>>> id_token_hint are provided the audience of the id_token_hint must<br>
>>>>>> include the client_id etc.<br>
>>>>>> <br>
>>>>>> <br>
>>>>>> <br>
>>>>>> <br>
>>>>>> ------------------------------<br>
>>>>>> <br>
>>>>>> Message: 3<br>
>>>>>> Date: Fri, 20 Jul 2018 14:01:29 +0300<br>
>>>>>> From: Vladimir Dzhuvinov <<a href="mailto:vladimir@connect2id.com" target="_blank">vladimir@connect2id.com</a>><br>
>>>>>> To: <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
>>>>>> Subject: Re: [Openid-specs-ab] Issue #1032: rp-initiated logout -<br>
>>>>>> proposal for client_id parameter (openid/connect)<br>
>>>>>> Message-ID: <<a href="mailto:14898981-27c9-8a85-91c8-77c93a931278@connect2id.com" target="_blank">14898981-27c9-8a85-91c8-77c93a931278@connect2id.com</a>><br>
>>>>>> Content-Type: text/plain; charset="utf-8"<br>
>>>>>> <br>
>>>>>> Hi Filip,<br>
>>>>>> <br>
>>>>>> My concern is that relying on the client_id opens up post logout<br>
>>>>>> redirection to potential misuse.<br>
>>>>>> <br>
>>>>>> IMO the OP shouldn't be picking any redirections if it cannot be <br>
>>>>>> sure, to<br>
>>>>>> a<br>
>>>>>> satisfactory degree, that it's the legitimate RP making the call.<br>
>>>>>> <br>
>>>>>> The ID token isn't really a substitute for proper RP <br>
>>>>>> authentication,<br>
>>>>>> but<br>
>>>>>> it's some way towards that.<br>
>>>>>> <br>
>>>>>> A JWS request might help here, but it's probably too much to ask <br>
>>>>>> from<br>
>>>>>> RPs.<br>
>>>>>> <br>
>>>>>> Vladimir<br>
>>>>>> <br>
>>>>>> <br>
>>>>>>> On 20/07/18 11:10, Filip Skokan via Openid-specs-ab wrote:<br>
>>>>>>> New issue 1032: rp-initiated logout - proposal for client_id <br>
>>>>>>> parameter<br>
>>>>>>> <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_connect_issues_1032_rp-2Dinitiated-2Dlogout-2Dproposal-2Dfor-2Dclient-5Fid&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=XPovg09GXpcxWGyelD8zKNCUzJP71dmPh3bNGNK7k5w&e=" rel="noreferrer" target="_blank">https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_connect_issues_1032_rp-2Dinitiated-2Dlogout-2Dproposal-2Dfor-2Dclient-5Fid&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=XPovg09GXpcxWGyelD8zKNCUzJP71dmPh3bNGNK7k5w&e=</a><br>
>>>>>>> <br>
>>>>>>> Filip Skokan:<br>
>>>>>>> <br>
>>>>>>> I'd like to request that a parameter (optional or required?) client_id<br>
>>>>>>> is defined for rp-initiated logout request.<br>
>>>>>>> <br>
>>>>>>> rationale:<br>
>>>>>>> <br>
>>>>>>> Currently the id_token_hint is the only way of identifying the client<br>
>>>>>>> that's making the request. In scenarios where a client does not yet<br>
>>>>>>> have an id_token but makes a request to authenticate which fails (e.g.<br>
>>>>>>> due to being requested with essential sub claim through claims) the<br>
>>>>>>> next step will be to trigger an rp initiated logout with a registered<br>
>>>>>>> post_logout_redirect_uri but without an id_token_hint. This can be<br>
>>>>>>> problematic for OP deployments with a high number of clients as it is<br>
>>>>>>> not efficient or sometimes even not possible to iterate over all of<br>
>>>>>>> them to see if this post_logout_redirect_uri is whitelisted or not.<br>
>>>>>>> Hence the client_id parameter to make this lookup possible and<br>
>>>>>>> efficient.<br>
>>>>>>> <br>
>>>>>>> Further processing may be defined such as if both client_id and<br>
>>>>>>> id_token_hint are provided the audience of the id_token_hint must<br>
>>>>>>> include the client_id etc.<br>
>>>>>>> <br>
>>>>>> <br>
>>>>>> <br>
>>>>>> <br>
>>>>>> ------------------------------<br>
>>>>>> <br>
>>>>>> Message: 4<br>
>>>>>> Date: Fri, 20 Jul 2018 13:16:52 +0200<br>
>>>>>> From: Filip Skokan <<a href="mailto:panva.ip@gmail.com" target="_blank">panva.ip@gmail.com</a>><br>
>>>>>> To: Vladimir Dzhuvinov <<a href="mailto:vladimir@connect2id.com" target="_blank">vladimir@connect2id.com</a>><br>
>>>>>> Cc: "<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a> Ab"<br>
>>>>>> <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
>>>>>> Subject: Re: [Openid-specs-ab] Issue #1032: rp-initiated logout -<br>
>>>>>> proposal for client_id parameter (openid/connect)<br>
>>>>>> Message-ID:<br>
>>>>>> <br>
>>>>>> <<a href="mailto:CALAqi_8w2uvCd9R39YQpL-QxT7srCTvgpQvqkGXnrfo80owEFw@mail.gmail.com" target="_blank">CALAqi_8w2uvCd9R39YQpL-QxT7srCTvgpQvqkGXnrfo80owEFw@mail.gmail.com</a>><br>
>>>>>> Content-Type: text/plain; charset="utf-8"<br>
>>>>>> <br>
>>>>>> Hello Vladimir,<br>
>>>>>> <br>
>>>>>> The OP is advised to render a prompt for the end-user in those cases where<br>
>>>>>> post_logout_redirect_uri is not provided. And there's no mention of<br>
>>>>>> ignoring the post_logout_redirect_uri param if id_token_hint is missing.<br>
>>>>>> <br>
>>>>>> Currently:<br>
>>>>>> <br>
>>>>>>> post_logout_redirect_uri<br>
>>>>>>> OPTIONAL. URL to which the RP is requesting that the End-User's User Agent<br>
>>>>>>> be redirected after a logout has been performed. The value MUST have been<br>
>>>>>>> previously registered with the OP, either using the<br>
>>>>>>> post_logout_redirect_uris Registration parameter or via another mechanism.<br>
>>>>>>> If supplied, the OP SHOULD honor this request following the logout.<br>
>>>>>> <br>
>>>>>> <br>
>>>>>> No mention of ignoring the value if id_token_hint is not provided.<br>
>>>>>> <br>
>>>>>> and under security considerations, the advice to prompt.<br>
>>>>>> <br>
>>>>>>> The id_token_hint parameter to a logout request can be used to determine<br>
>>>>>>> which RP initiated the logout request. Logout requests without a valid<br>
>>>>>>> id_token_hint value are a potential means of denial of service; therefore,<br>
>>>>>>> OPs may want to require explicit user confirmation before acting upon them.<br>
>>>>>> <br>
>>>>>> <br>
>>>>>> Supplying a client_id does not change a potential extra OP policy that<br>
>>>>>> id_token_hint must be provided if it chooses to do so, it simply makes<br>
>>>>>> post_logout_redirect_uri lookup possible in cases where loading all uris or<br>
>>>>>> clients into memory is not possible/is inefficient or can't query for all<br>
>>>>>> valid uris for the same reasons.<br>
>>>>>> <br>
>>>>>> Best,<br>
>>>>>> *Filip*<br>
>>>>>> <br>
>>>>>> <br>
>>>>>> On Fri, Jul 20, 2018 at 1:01 PM Vladimir Dzhuvinov via <br>
>>>>>> Openid-specs-ab<br>
>>>>>> <<br>
>>>>>> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br>
>>>>>> <br>
>>>>>>> Hi Filip,<br>
>>>>>>> <br>
>>>>>>> My concern is that relying on the client_id opens up post logout<br>
>>>>>>> redirection to potential misuse.<br>
>>>>>>> <br>
>>>>>>> IMO the OP shouldn't be picking any redirections if it cannot be sure, to a<br>
>>>>>>> satisfactory degree, that it's the legitimate RP making the call.<br>
>>>>>>> <br>
>>>>>>> The ID token isn't really a substitute for proper RP authentication, but<br>
>>>>>>> it's some way towards that.<br>
>>>>>>> <br>
>>>>>>> A JWS request might help here, but it's probably too much to ask from RPs.<br>
>>>>>>> <br>
>>>>>>> Vladimir<br>
>>>>>>> <br>
>>>>>>> <br>
>>>>>>>> On 20/07/18 11:10, Filip Skokan via Openid-specs-ab wrote:<br>
>>>>>>>> New issue 1032: rp-initiated logout - proposal for client_id <br>
>>>>>>>> parameter<br>
>>>>>>>> <br>
>>>>>>> <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_connect_issues_1032_rp-2Dinitiated-2Dlogout-2Dproposal-2Dfor-2Dclient-5Fid&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=XPovg09GXpcxWGyelD8zKNCUzJP71dmPh3bNGNK7k5w&e=" rel="noreferrer" target="_blank">https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_connect_issues_1032_rp-2Dinitiated-2Dlogout-2Dproposal-2Dfor-2Dclient-5Fid&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=XPovg09GXpcxWGyelD8zKNCUzJP71dmPh3bNGNK7k5w&e=</a><br>
>>>>>>>> <br>
>>>>>>>> Filip Skokan:<br>
>>>>>>>> <br>
>>>>>>>> I'd like to request that a parameter (optional or required?) client_id<br>
>>>>>>>> is defined for rp-initiated logout request.<br>
>>>>>>>> <br>
>>>>>>>> rationale:<br>
>>>>>>>> <br>
>>>>>>>> Currently the id_token_hint is the only way of identifying the client<br>
>>>>>>>> that's making the request. In scenarios where a client does not yet<br>
>>>>>>>> have an id_token but makes a request to authenticate which fails (e.g.<br>
>>>>>>>> due to being requested with essential sub claim through claims) the<br>
>>>>>>>> next step will be to trigger an rp initiated logout with a registered<br>
>>>>>>>> post_logout_redirect_uri but without an id_token_hint. This can be<br>
>>>>>>>> problematic for OP deployments with a high number of clients as it is<br>
>>>>>>>> not efficient or sometimes even not possible to iterate over all of<br>
>>>>>>>> them to see if this post_logout_redirect_uri is whitelisted or not.<br>
>>>>>>>> Hence the client_id parameter to make this lookup possible and<br>
>>>>>>>> efficient.<br>
>>>>>>>> <br>
>>>>>>>> Further processing may be defined such as if both client_id and<br>
>>>>>>>> id_token_hint are provided the audience of the id_token_hint must<br>
>>>>>>>> include the client_id etc.<br>
>>>>>>>> <br>
>>>>>>> <br>
>>>>>>> <br>
>>>>>>> _______________________________________________<br>
>>>>>>> Openid-specs-ab mailing list<br>
>>>>>>> <a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
>>>>>>> <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dab&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=vqMu4wpIOPufViYMGvzTtZtsynYxmLnmUHJCL88jWLY&e=" rel="noreferrer" target="_blank">https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dab&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=vqMu4wpIOPufViYMGvzTtZtsynYxmLnmUHJCL88jWLY&e=</a><br>
>>>>>>> <br>
>>>>>> <br>
>>>>>> ------------------------------<br>
>>>>>> <br>
>>>>>> ------------------------------<br>
>>>>>> <br>
>>>>>> End of Openid-specs-ab Digest, Vol 390, Issue 9<br>
>>>>>> ***********************************************<br>
>>>>> <br>
>>>> <br>
> <br>
> <br>
> <br>
> ------------------------------<br>
> <br>
> Message: 2<br>
> Date: Fri, 20 Jul 2018 15:19:28 +0000<br>
> From: Nick Roy <<a href="mailto:nroy@internet2.edu" target="_blank">nroy@internet2.edu</a>><br>
> To: Phil Hunt <<a href="mailto:phil.hunt@oracle.com" target="_blank">phil.hunt@oracle.com</a>><br>
> Cc: "<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>"<br>
> <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
> Subject: Re: [Openid-specs-ab] Please Either ABSTAIN or OBJECT from<br>
> the Federation Spec Vote<br>
> Message-ID:<br>
> <<a href="mailto:CY4PR08MB3544B2C3C1D544E44322D7E583510@CY4PR08MB3544.namprd08.prod.outlook.com" target="_blank">CY4PR08MB3544B2C3C1D544E44322D7E583510@CY4PR08MB3544.namprd08.prod.outlook.com</a>><br>
> <br>
> Content-Type: text/plain; charset="us-ascii"<br>
> <br>
> As shown by both my and Phil's accidental replies off-list, there also<br>
> seems to be a list configuration issue which sets the reply-to address<br>
> as the address of the poster, rather than the address of the list.<br>
> <br>
> Nick<br>
> <br>
> On 7/20/18 9:17 AM, Phil Hunt wrote:<br>
>> <br>
>> <br>
>> Phil<br>
>> <br>
>>> On Jul 20, 2018, at 8:16 AM, Phil Hunt <<a href="mailto:phil.hunt@oracle.com" target="_blank">phil.hunt@oracle.com</a>> wrote:<br>
>>> <br>
>>> I agree with Nick. The correct process (as I sort of understand it)<br>
>>> and discussion was followed.<br>
>>> <br>
>>> That said I have complained many times because of issues like this<br>
>>> that the WG processes are not published and WG consensus is almost<br>
>>> never called.<br>
>>> <br>
>>> There is too much rush to implementation without a last call.<br>
>>> <br>
>>> This is a serious problem the board must resolve.<br>
>>> <br>
>>> Phil<br>
>>> <br>
>>>> On Jul 20, 2018, at 7:34 AM, Nick Roy via Openid-specs-ab <br>
>>>> <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br>
>>>> <br>
>>>> This time to the list...<br>
>>>> <br>
>>>>> On Jul 20, 2018, at 8:30 AM, Nick Roy <<a href="mailto:nroy@internet2.edu" target="_blank">nroy@internet2.edu</a>> wrote:<br>
>>>>> <br>
>>>>> Mike, I personally provided feedback to Roland which he incorporated<br>
>>>>> into an updated draft over a year ago. The spec has been available in<br>
>>>>> draft form in github for something like two years.<br>
>>>>> <br>
>>>>> Nick<br>
>>>>> <br>
>>>>> On 7/20/18 8:16 AM, Mike Schwartz via Openid-specs-ab wrote:<br>
>>>>>>> And there's nothing that prevents that, just like there is <br>
>>>>>>> nothing that<br>
>>>>>>> prevented me from working on HEART if I wanted to.<br>
>>>>>>> <br>
>>>>>>> Nick<br>
>>>>>> <br>
>>>>>> Actually, you're wrong. And I'm pretty active in the OpenID Connect<br>
>>>>>> community... I don't think anyone would say otherwise.<br>
>>>>>> <br>
>>>>>> None of the design decisions on this spec were put to any kind of vote.<br>
>>>>>> And as I pointed out previously, discussion was limited. It was a take<br>
>>>>>> it or leave it design. Being presented at a conference is not the same<br>
>>>>>> as getting a say in the process.<br>
>>>>>> <br>
>>>>>> It was a closed process, where Jones/Hedberg might or might not take your<br>
>>>>>> suggestions, depending on their whim. It has the veneer of openness, but<br>
>>>>>> it's not actually open. It's a one party vote, take it or leave it.<br>
>>>>>> <br>
>>>>>> I can't start a spec and call it the "Connect AB Alternate Federation<br>
>>>>>> Spec" and have it published here <br>
>>>>>> <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__openid.net_connect_&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=jglkfzh43veJDEsRH8sokGmpsmrh2afbdzoPw7Z-XH0&e=" rel="noreferrer" target="_blank">https://urldefense.proofpoint.com/v2/url?u=http-3A__openid.net_connect_&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=jglkfzh43veJDEsRH8sokGmpsmrh2afbdzoPw7Z-XH0&e=</a> <br>
>>>>>> So this spec was given VERY special treatment, placement and promotion.<br>
>>>>>> <br>
>>>>>> Let's not call this an open process when it's not.<br>
>>>>>> <br>
>>>>>> - Mike<br>
>>>>>> <br>
>>>>>> <br>
>>>>>> <br>
>>>>>> ------------------------<br>
>>>>>> Michael Schwartz<br>
>>>>>> Gluu<br>
>>>>>> Founder / CEO<br>
>>>>>> <a href="mailto:mike@gluu.org" target="_blank">mike@gluu.org</a><br>
>>>>>> <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.linkedin.com_in_nynymike_&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=hpgFrnPt9eP5DCbWWSkhzDGGgkCLxqsYB5OxNoFp674&e=" rel="noreferrer" target="_blank">https://urldefense.proofpoint.com/v2/url?u=https-3A__www.linkedin.com_in_nynymike_&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=hpgFrnPt9eP5DCbWWSkhzDGGgkCLxqsYB5OxNoFp674&e=</a><br>
>>>>>> <br>
>>>>>>> On 2018-07-20 06:17, <a href="mailto:openid-specs-ab-request@lists.openid.net" target="_blank">openid-specs-ab-request@lists.openid.net</a> <br>
>>>>>>> wrote:<br>
>>>>>>> <br>
>>>>>>> Today's Topics:<br>
>>>>>>> <br>
>>>>>>> 1. Re: Please Either ABSTAIN or OBJECT from the Federation Spec<br>
>>>>>>> Vote (Nick Roy)<br>
>>>>>>> 2. Issue #1032: rp-initiated logout - proposal for client_id<br>
>>>>>>> parameter (openid/connect) (Filip Skokan)<br>
>>>>>>> 3. Re: Issue #1032: rp-initiated logout - proposal for client_id<br>
>>>>>>> parameter (openid/connect) (Vladimir Dzhuvinov)<br>
>>>>>>> 4. Re: Issue #1032: rp-initiated logout - proposal for client_id<br>
>>>>>>> parameter (openid/connect) (Filip Skokan)<br>
>>>>>>> <br>
>>>>>>> <br>
>>>>>>> ----------------------------------------------------------------------<br>
>>>>>>> <br>
>>>>>>> Message: 1<br>
>>>>>>> Date: Thu, 19 Jul 2018 18:05:45 +0000<br>
>>>>>>> From: Nick Roy <<a href="mailto:nroy@internet2.edu" target="_blank">nroy@internet2.edu</a>><br>
>>>>>>> To: "<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>"<br>
>>>>>>> <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
>>>>>>> Subject: Re: [Openid-specs-ab] Please Either ABSTAIN or OBJECT <br>
>>>>>>> from<br>
>>>>>>> the Federation Spec Vote<br>
>>>>>>> Message-ID:<br>
>>>>>>> <br>
>>>>>>> <<a href="mailto:CY4PR08MB35449C06D30AE97F5188DDFA83520@CY4PR08MB3544.namprd08.prod.outlook.com" target="_blank">CY4PR08MB35449C06D30AE97F5188DDFA83520@CY4PR08MB3544.namprd08.prod.outlook.com</a>><br>
>>>>>>> <br>
>>>>>>> Content-Type: text/plain; charset="us-ascii"<br>
>>>>>>> <br>
>>>>>>> And there's nothing that prevents that, just like there is <br>
>>>>>>> nothing that<br>
>>>>>>> prevented me from working on HEART if I wanted to.<br>
>>>>>>> <br>
>>>>>>> Nick<br>
>>>>>>> <br>
>>>>>>>> On 7/19/18 10:43 AM, Mike Schwartz via Openid-specs-ab wrote:<br>
>>>>>>>> Nick,<br>
>>>>>>>> <br>
>>>>>>>> I thought you had a good idea to move federation to its own WG.<br>
>>>>>>>> <br>
>>>>>>>> So of course, I'm all for OpenID federations. And I'm also really<br>
>>>>>>>> interested in this proposed design. And I appreciate the work done by<br>
>>>>>>>> the current editors. It might be the best way. But I was never given a<br>
>>>>>>>> choice of A or B. I was just given a choice to approve A.<br>
>>>>>>>> <br>
>>>>>>>> I think the community should get a say in this design of this spec.<br>
>>>>>>>> <br>
>>>>>>>> - Mike<br>
>>>>>>>> <br>
>>>>>>>> <br>
>>>>>>>> <br>
>>>>>>>>> it sounds like you aren't interested in working in an R&E working group.<br>
>>>>>>>>> My understanding is that this WG will pursue R&E use cases for this<br>
>>>>>>>>> profile. Since R&E is one of the largest users of multilateral SAML<br>
>>>>>>>>> federation, I think exploring use of the OIDC Federation work in that<br>
>>>>>>>>> space is a great next step.<br>
>>>>>>>>> <br>
>>>>>>>>> Nick<br>
>>>>>>>>> <br>
>>>>>>>> <br>
>>>>>>> <br>
>>>>>>> <br>
>>>>>>> ------------------------------<br>
>>>>>>> <br>
>>>>>>> Message: 2<br>
>>>>>>> Date: Fri, 20 Jul 2018 08:10:50 +0000 (UTC)<br>
>>>>>>> From: "Filip Skokan" <<a href="mailto:issues-reply@bitbucket.org" target="_blank">issues-reply@bitbucket.org</a>><br>
>>>>>>> To: <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
>>>>>>> Subject: [Openid-specs-ab] Issue #1032: rp-initiated logout - <br>
>>>>>>> proposal<br>
>>>>>>> for client_id parameter (openid/connect)<br>
>>>>>>> Message-ID:<br>
>>>>>>> <<a href="mailto:20180720081050.39616.17365@celery-worker-105.ash1.bb-inf.net" target="_blank">20180720081050.39616.17365@celery-worker-105.ash1.bb-inf.net</a>><br>
>>>>>>> Content-Type: text/plain; charset="utf-8"<br>
>>>>>>> <br>
>>>>>>> New issue 1032: rp-initiated logout - proposal for client_id <br>
>>>>>>> parameter<br>
>>>>>>> <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_connect_issues_1032_rp-2Dinitiated-2Dlogout-2Dproposal-2Dfor-2Dclient-5Fid&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=XPovg09GXpcxWGyelD8zKNCUzJP71dmPh3bNGNK7k5w&e=" rel="noreferrer" target="_blank">https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_connect_issues_1032_rp-2Dinitiated-2Dlogout-2Dproposal-2Dfor-2Dclient-5Fid&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=XPovg09GXpcxWGyelD8zKNCUzJP71dmPh3bNGNK7k5w&e=</a><br>
>>>>>>> <br>
>>>>>>> Filip Skokan:<br>
>>>>>>> <br>
>>>>>>> I'd like to request that a parameter (optional or required?) client_id<br>
>>>>>>> is defined for rp-initiated logout request.<br>
>>>>>>> <br>
>>>>>>> rationale:<br>
>>>>>>> <br>
>>>>>>> Currently the id_token_hint is the only way of identifying the client<br>
>>>>>>> that's making the request. In scenarios where a client does not yet<br>
>>>>>>> have an id_token but makes a request to authenticate which fails (e.g.<br>
>>>>>>> due to being requested with essential sub claim through claims) the<br>
>>>>>>> next step will be to trigger an rp initiated logout with a registered<br>
>>>>>>> post_logout_redirect_uri but without an id_token_hint. This can be<br>
>>>>>>> problematic for OP deployments with a high number of clients as it is<br>
>>>>>>> not efficient or sometimes even not possible to iterate over all of<br>
>>>>>>> them to see if this post_logout_redirect_uri is whitelisted or not.<br>
>>>>>>> Hence the client_id parameter to make this lookup possible and<br>
>>>>>>> efficient.<br>
>>>>>>> <br>
>>>>>>> Further processing may be defined such as if both client_id and<br>
>>>>>>> id_token_hint are provided the audience of the id_token_hint must<br>
>>>>>>> include the client_id etc.<br>
>>>>>>> <br>
>>>>>>> <br>
>>>>>>> <br>
>>>>>>> <br>
>>>>>>> ------------------------------<br>
>>>>>>> <br>
>>>>>>> Message: 3<br>
>>>>>>> Date: Fri, 20 Jul 2018 14:01:29 +0300<br>
>>>>>>> From: Vladimir Dzhuvinov <<a href="mailto:vladimir@connect2id.com" target="_blank">vladimir@connect2id.com</a>><br>
>>>>>>> To: <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
>>>>>>> Subject: Re: [Openid-specs-ab] Issue #1032: rp-initiated logout -<br>
>>>>>>> proposal for client_id parameter (openid/connect)<br>
>>>>>>> Message-ID: <<a href="mailto:14898981-27c9-8a85-91c8-77c93a931278@connect2id.com" target="_blank">14898981-27c9-8a85-91c8-77c93a931278@connect2id.com</a>><br>
>>>>>>> Content-Type: text/plain; charset="utf-8"<br>
>>>>>>> <br>
>>>>>>> Hi Filip,<br>
>>>>>>> <br>
>>>>>>> My concern is that relying on the client_id opens up post logout<br>
>>>>>>> redirection to potential misuse.<br>
>>>>>>> <br>
>>>>>>> IMO the OP shouldn't be picking any redirections if it cannot be sure, to a<br>
>>>>>>> satisfactory degree, that it's the legitimate RP making the call.<br>
>>>>>>> <br>
>>>>>>> The ID token isn't really a substitute for proper RP authentication, but<br>
>>>>>>> it's some way towards that.<br>
>>>>>>> <br>
>>>>>>> A JWS request might help here, but it's probably too much to ask from RPs.<br>
>>>>>>> <br>
>>>>>>> Vladimir<br>
>>>>>>> <br>
>>>>>>> <br>
>>>>>>>> On 20/07/18 11:10, Filip Skokan via Openid-specs-ab wrote:<br>
>>>>>>>> New issue 1032: rp-initiated logout - proposal for client_id <br>
>>>>>>>> parameter<br>
>>>>>>>> <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_connect_issues_1032_rp-2Dinitiated-2Dlogout-2Dproposal-2Dfor-2Dclient-5Fid&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=XPovg09GXpcxWGyelD8zKNCUzJP71dmPh3bNGNK7k5w&e=" rel="noreferrer" target="_blank">https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_connect_issues_1032_rp-2Dinitiated-2Dlogout-2Dproposal-2Dfor-2Dclient-5Fid&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=XPovg09GXpcxWGyelD8zKNCUzJP71dmPh3bNGNK7k5w&e=</a><br>
>>>>>>>> <br>
>>>>>>>> Filip Skokan:<br>
>>>>>>>> <br>
>>>>>>>> I'd like to request that a parameter (optional or required?) client_id<br>
>>>>>>>> is defined for rp-initiated logout request.<br>
>>>>>>>> <br>
>>>>>>>> rationale:<br>
>>>>>>>> <br>
>>>>>>>> Currently the id_token_hint is the only way of identifying the client<br>
>>>>>>>> that's making the request. In scenarios where a client does not yet<br>
>>>>>>>> have an id_token but makes a request to authenticate which fails (e.g.<br>
>>>>>>>> due to being requested with essential sub claim through claims) the<br>
>>>>>>>> next step will be to trigger an rp initiated logout with a registered<br>
>>>>>>>> post_logout_redirect_uri but without an id_token_hint. This can be<br>
>>>>>>>> problematic for OP deployments with a high number of clients as it is<br>
>>>>>>>> not efficient or sometimes even not possible to iterate over all of<br>
>>>>>>>> them to see if this post_logout_redirect_uri is whitelisted or not.<br>
>>>>>>>> Hence the client_id parameter to make this lookup possible and<br>
>>>>>>>> efficient.<br>
>>>>>>>> <br>
>>>>>>>> Further processing may be defined such as if both client_id and<br>
>>>>>>>> id_token_hint are provided the audience of the id_token_hint must<br>
>>>>>>>> include the client_id etc.<br>
>>>>>>>> <br>
>>>>>>> <br>
>>>>>>> <br>
>>>>>>> <br>
>>>>>>> ------------------------------<br>
>>>>>>> <br>
>>>>>>> Message: 4<br>
>>>>>>> Date: Fri, 20 Jul 2018 13:16:52 +0200<br>
>>>>>>> From: Filip Skokan <<a href="mailto:panva.ip@gmail.com" target="_blank">panva.ip@gmail.com</a>><br>
>>>>>>> To: Vladimir Dzhuvinov <<a href="mailto:vladimir@connect2id.com" target="_blank">vladimir@connect2id.com</a>><br>
>>>>>>> Cc: "<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a> Ab"<br>
>>>>>>> <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
>>>>>>> Subject: Re: [Openid-specs-ab] Issue #1032: rp-initiated logout -<br>
>>>>>>> proposal for client_id parameter (openid/connect)<br>
>>>>>>> Message-ID:<br>
>>>>>>> <br>
>>>>>>> <<a href="mailto:CALAqi_8w2uvCd9R39YQpL-QxT7srCTvgpQvqkGXnrfo80owEFw@mail.gmail.com" target="_blank">CALAqi_8w2uvCd9R39YQpL-QxT7srCTvgpQvqkGXnrfo80owEFw@mail.gmail.com</a>><br>
>>>>>>> Content-Type: text/plain; charset="utf-8"<br>
>>>>>>> <br>
>>>>>>> Hello Vladimir,<br>
>>>>>>> <br>
>>>>>>> The OP is advised to render a prompt for the end-user in those cases<br>
>>>>>>> where post_logout_redirect_uri is not provided. And there's no mention of<br>
>>>>>>> ignoring the post_logout_redirect_uri param if id_token_hint is missing.<br>
>>>>>>> <br>
>>>>>>> Currently:<br>
>>>>>>> <br>
>>>>>>>> post_logout_redirect_uri<br>
>>>>>>>> OPTIONAL. URL to which the RP is requesting that the End-User's User Agent<br>
>>>>>>>> be redirected after a logout has been performed. The value MUST have been<br>
>>>>>>>> previously registered with the OP, either using the<br>
>>>>>>>> post_logout_redirect_uris Registration parameter or via another mechanism.<br>
>>>>>>>> If supplied, the OP SHOULD honor this request following the logout.<br>
>>>>>>> <br>
>>>>>>> <br>
>>>>>>> No mention of ignoring the value if id_token_hint is not provided.<br>
>>>>>>> <br>
>>>>>>> and under security considerations, the advice to prompt.<br>
>>>>>>> <br>
>>>>>>>> The id_token_hint parameter to a logout request can be used to determine<br>
>>>>>>>> which RP initiated the logout request. Logout requests without a valid<br>
>>>>>>>> id_token_hint value are a potential means of denial of service; therefore,<br>
>>>>>>>> OPs may want to require explicit user confirmation before acting upon them.<br>
>>>>>>> <br>
>>>>>>> <br>
>>>>>>> Supplying a client_id does not change a potential extra OP policy that<br>
>>>>>>> id_token_hint must be provided if it chooses to do so, it simply makes<br>
>>>>>>> post_logout_redirect_uri lookup possible in cases where loading all uris or<br>
>>>>>>> clients into memory is not possible/is inefficient or can't query for all<br>
>>>>>>> valid uris for the same reasons.<br>
>>>>>>> <br>
>>>>>>> Best,<br>
>>>>>>> *Filip*<br>
>>>>>>> <br>
>>>>>>> <br>
>>>>>>> On Fri, Jul 20, 2018 at 1:01 PM Vladimir Dzhuvinov via Openid-specs-ab<br>
>>>>>>> <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br>
>>>>>>> <br>
>>>>>>>> Hi Filip,<br>
>>>>>>>> <br>
>>>>>>>> My concern is that relying on the client_id opens up post logout<br>
>>>>>>>> redirection to potential misuse.<br>
>>>>>>>> <br>
>>>>>>>> IMO the OP shouldn't be picking any redirections if it cannot be sure, to a<br>
>>>>>>>> satisfactory degree, that it's the legitimate RP making the call.<br>
>>>>>>>> <br>
>>>>>>>> The ID token isn't really a substitute for proper RP authentication, but<br>
>>>>>>>> it's some way towards that.<br>
>>>>>>>> <br>
>>>>>>>> A JWS request might help here, but it's probably too much to ask from RPs.<br>
>>>>>>>> <br>
>>>>>>>> Vladimir<br>
>>>>>>>> <br>
>>>>>>>> <br>
>>>>>>>>> On 20/07/18 11:10, Filip Skokan via Openid-specs-ab wrote:<br>
>>>>>>>>> New issue 1032: rp-initiated logout - proposal for client_id parameter<br>
>>>>>>>>> <br>
>>>>>>>> <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_connect_issues_1032_rp-2Dinitiated-2Dlogout-2Dproposal-2Dfor-2Dclient-5Fid&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=XPovg09GXpcxWGyelD8zKNCUzJP71dmPh3bNGNK7k5w&e=" rel="noreferrer" target="_blank">https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_connect_issues_1032_rp-2Dinitiated-2Dlogout-2Dproposal-2Dfor-2Dclient-5Fid&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=XPovg09GXpcxWGyelD8zKNCUzJP71dmPh3bNGNK7k5w&e=</a><br>
>>>>>>>>> <br>
>>>>>>>>> Filip Skokan:<br>
>>>>>>>>> <br>
>>>>>>>>> I'd like to request that a parameter (optional or required?) client_id<br>
>>>>>>>>> is defined for rp-initiated logout request.<br>
>>>>>>>>> <br>
>>>>>>>>> rationale:<br>
>>>>>>>>> <br>
>>>>>>>>> Currently the id_token_hint is the only way of identifying the client<br>
>>>>>>>>> that's making the request. In scenarios where a client does not yet have an<br>
>>>>>>>>> id_token but makes a request to authenticate which fails (e.g. due to being<br>
>>>>>>>>> requested with essential sub claim through claims) the next step will be to<br>
>>>>>>>>> trigger an rp initiated logout with a registered post_logout_redirect_uri<br>
>>>>>>>>> but without an id_token_hint. This can be problematic for OP deployments<br>
>>>>>>>>> with a high number of clients as it is not efficient or sometimes even not<br>
>>>>>>>>> possible to iterate over all of them to see if this<br>
>>>>>>>>> post_logout_redirect_uri is whitelisted or not. Hence the client_id<br>
>>>>>>>>> parameter to make this lookup possible and efficient.<br>
>>>>>>>>> <br>
>>>>>>>>> Further processing may be defined such as if both client_id and<br>
>>>>>>>>> id_token_hint are provided the audience of the id_token_hint must include<br>
>>>>>>>>> the client_id etc.<br>
>>>>>>>>> <br>
>>>>>>>> <br>
>>>>>>>> <br>
>>>>>>>> _______________________________________________<br>
>>>>>>>> Openid-specs-ab mailing list<br>
>>>>>>>> <a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
>>>>>>>> <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dab&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=vqMu4wpIOPufViYMGvzTtZtsynYxmLnmUHJCL88jWLY&e=" rel="noreferrer" target="_blank">https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dab&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=qJYRDsHBZhYt-b1obYtxq0fcLFu53TKBfl2_Hw2Gajw&s=vqMu4wpIOPufViYMGvzTtZtsynYxmLnmUHJCL88jWLY&e=</a><br>
>>>>>>>> <br>
>>>>>>> End of Openid-specs-ab Digest, Vol 390, Issue 9<br>
>>>>>>> ***********************************************<br>
>> <br>
>> <br>
> <br>
> <br>
> ------------------------------<br>
> <br>
> End of Openid-specs-ab Digest, Vol 390, Issue 11<br>
> ************************************************<br>
<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div><br clear="all"><div><br></div></div><div>-- <br><div dir="ltr" class="m_-3070866097172040226m_5028887084318481627m_7138199687708093237gmail_signature" data-smartmail="gmail_signature">Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div></div>
</div></div>
</div>
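<div>Added example, not part of the original message or of any OP implementation: one way an OP could combine the points raised in the quoted issue #1032 thread, using client_id for a keyed post_logout_redirect_uri lookup, requiring the id_token_hint audience to include client_id when both are sent, and asking for user confirmation when no valid id_token_hint is present. The registry contents, the function names and the assumption that the id_token_hint has already been validated by the OP are all hypothetical.</div>

```python
from typing import NamedTuple, Optional

# Constructed registry keyed by client_id; the ids and URLs are hypothetical.
CLIENTS = {
    "rp-a": {"https://rp-a.example/logged-out"},
    "rp-b": {"https://rp-b.example/bye"},
}

class Decision(NamedTuple):
    redirect_to: Optional[str]  # None: show the OP's own logged-out page
    confirm: bool               # True: ask the End-User before acting
    reason: str

def _audiences(claims):
    # "aud" may be a single string or a list of strings.
    aud = claims.get("aud", [])
    return {aud} if isinstance(aud, str) else set(aud)

def decide_logout(client_id=None, post_logout_redirect_uri=None, hint_claims=None):
    """Decide how the OP handles one RP-initiated logout request.

    hint_claims: claims of an id_token_hint the OP has already validated
    (assumption), or None when the hint is missing or invalid.
    """
    has_hint = hint_claims is not None
    auds = _audiences(hint_claims) if has_hint else set()
    # Both supplied: the hint's audience must include the claimed client.
    if client_id and has_hint and client_id not in auds:
        return Decision(None, True, "client_id is not an audience of id_token_hint")
    # Candidates come from client_id or the hint's audience, so the OP
    # never has to iterate over every registered client.
    candidates = [client_id] if client_id else sorted(auds)
    confirm = not has_hint  # no valid hint: require explicit confirmation
    if post_logout_redirect_uri is None:
        return Decision(None, confirm, "no redirect requested")
    for cid in candidates:
        # Exact string match against that client's registered URIs only.
        if post_logout_redirect_uri in CLIENTS.get(cid, set()):
            return Decision(post_logout_redirect_uri, confirm, f"registered for {cid}")
    return Decision(None, True, "post_logout_redirect_uri not registered for this client")
```

A bare client_id is an unauthenticated claim, so in this sketch it only narrows the lookup; the confirmation prompt stays on until a valid id_token_hint is presented.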