<div dir="auto">Are you at all concerned that requiring dynamic will exclude a large number of sites that have no interest in implementation of this unpopular option?<br><br><div data-smartmail="gmail_signature">thx ..Tom (mobile)</div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Sep 14, 2018, 4:30 PM Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div class="m_3770957031551039433WordSection1">
<p class="MsoNormal"><span style="color:#002060">The tests were chosen precisely by the working group looking at interoperability and security requirements for implementations. The original set of test profile definitions at</span>
<span style="color:#002060"><a href="http://openid.net/wordpress-content/uploads/2015/03/OpenID-Connect-Conformance-Profiles.pdf" target="_blank" rel="noreferrer">http://openid.net/wordpress-content/uploads/2015/03/OpenID-Connect-Conformance-Profiles.pdf</a> were developed by the working group
with these goals, and new versions have continued these goals while adding tests and profiles, including through the current profile definitions at
<a href="https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf" target="_blank" rel="noreferrer">
https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf</a>.</span></p>
<p class="MsoNormal"><span style="color:#002060">This isn’t a static process. Indeed session management, back-channel logout, and front-channel logout profile definitions will be circulated to the working group for review shortly as a result of discussions
at the in-person certification engineering meeting this week in London.</span></p>
<p class="MsoNormal"><span style="color:#002060">Yes, it’s always the case that more tests can be added to help prevent the possibilities of additional interop and security issues. The certification committee always welcomes input on how to most effectively
expand the scope of what’s being tested. Feel free to file issues about bugs and suggestions at
<a href="https://github.com/openid-certification/oidctest/issues" target="_blank" rel="noreferrer">https://github.com/openid-certification/oidctest/issues</a>.</span></p>
<p class="MsoNormal"><span style="color:#002060">That said, of course no amount of testing can guarantee that security bugs aren’t present. But we do try to rule out the likely ones!</span></p>
<p class="MsoNormal"><span style="color:#002060"> -- Mike</span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> n-sakimura <<a href="mailto:n-sakimura@nri.co.jp" target="_blank" rel="noreferrer">n-sakimura@nri.co.jp</a>> <br>
<b>Sent:</b> Thursday, September 13, 2018 11:08 PM<br>
<b>To:</b> Artifact Binding/Connect Working Group <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" rel="noreferrer">openid-specs-ab@lists.openid.net</a>><br>
<b>Cc:</b> Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank" rel="noreferrer">Michael.Jones@microsoft.com</a>><br>
<b>Subject:</b> RE: [Openid-specs-ab] Certification question: 'OP-redirect_uri-Missing' only in Dynamic?</p>
</div>
</div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">I see, so these tests are not organized according to the security requirements of the implementations but according to the test environment logistics…</span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">That makes me think that just having Basic certification is not enough from a security reviewer’s point of view.</span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">Nat</span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Openid-specs-ab <<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank" rel="noreferrer">openid-specs-ab-bounces@lists.openid.net</a>>
<b>On Behalf Of </b>Mike Jones via Openid-specs-ab<br>
<b>Sent:</b> Thursday, September 13, 2018 5:39 AM<br>
<b>To:</b> Artifact Binding/Connect Working Group <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" rel="noreferrer">openid-specs-ab@lists.openid.net</a>><br>
<b>Cc:</b> Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank" rel="noreferrer">Michael.Jones@microsoft.com</a>><br>
<b>Subject:</b> Re: [Openid-specs-ab] Certification question: 'OP-redirect_uri-Missing' only in Dynamic?</p>
</div>
</div>
<p class="MsoNormal"><span style="color:#002060">It’s in Dynamic because it’s straightforward to test when dynamic client registration is supported. When it is, the test tool can register multiple redirect_uri values. When dynamic client registration isn’t
supported, the client typically only has a single redirect_uri value.</span></p>
<p class="MsoNormal"><span style="color:#002060">Yes, it’s relevant all the time, but testing it isn’t really practical otherwise.</span></p>
<p class="MsoNormal"><span style="color:#002060"> -- Mike</span></p>
<p class="MsoNormal"><b>From:</b> Openid-specs-ab <<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank" rel="noreferrer">openid-specs-ab-bounces@lists.openid.net</a>>
<b>On Behalf Of </b>Nat Sakimura via Openid-specs-ab<br>
<b>Sent:</b> Thursday, August 30, 2018 11:51 PM<br>
<b>To:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" rel="noreferrer">openid-specs-ab@lists.openid.net</a> Ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" rel="noreferrer">openid-specs-ab@lists.openid.net</a>><br>
<b>Cc:</b> Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank" rel="noreferrer">sakimura@gmail.com</a>><br>
<b>Subject:</b> [Openid-specs-ab] Certification question: 'OP-redirect_uri-Missing' only in Dynamic?</p>
<div>
<div>
<p class="MsoNormal">Hi</p>
<div>
<p class="MsoNormal">I just started to look at the conformance profile 3.0 [1].</p>
</div>
<div>
<p class="MsoNormal">[1] <a href="http://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf" target="_blank" rel="noreferrer">
http://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf</a></p>
</div>
<div>
<p class="MsoNormal">There is a test 'OP-redirect_uri-Missing' which tests whether the OP rejects a request without redirect_uri when multiple are registered. It is only required in the Dynamic profile and not in Basic etc. Is there any particular reason for this?
I think this test is also relevant to Basic etc.</p>
</div>
<div>
<p class="MsoNormal">Best regards,</p>
<p class="MsoNormal">-- </p>
<div>
<p class="MsoNormal">Nat Sakimura (=nat)</p>
<div>
<p class="MsoNormal">Chairman, OpenID Foundation<br>
<a href="http://nat.sakimura.org/" target="_blank" rel="noreferrer">http://nat.sakimura.org/</a><br>
@_nat_en</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote></div>
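<p>The rule the thread is arguing about, as an added example that is not part of the original messages and not code from the OpenID certification suite (oidctest): a toy authorization endpoint that applies the check behind 'OP-redirect_uri-Missing'. A request that omits redirect_uri may proceed only when exactly one redirect URI is registered for the client; with several registered it must be rejected (RFC 6749 section 3.1.2.3), and a supplied value must match a registered one by simple string comparison (OpenID Connect Core section 3.1.2.1). It also shows the companion rule that a request failing this check is answered with a locally rendered error and never with a redirect (RFC 6749 section 4.1.2.1). The client_id values, registered URIs and request URLs are constructed sample data; none of them appear in the thread.</p>

```python
"""Authorization-endpoint redirect_uri handling, modelled on the rule behind
the 'OP-redirect_uri-Missing' conformance test.  Added example; not code from
the OpenID certification suite.  Client registrations and request URLs below
are constructed sample data."""

from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed registrations (hypothetical client_ids).  The OP must only ever
# send the user-agent to one of these exact strings.
REGISTERED_CLIENTS = {
    "single-uri-client": ["https://rp.example/callback"],
    "multi-uri-client": [
        "https://rp.example/callback",
        "https://rp.example/alt/callback",
    ],
}


@dataclass
class Decision:
    ok: bool
    error: str = ""
    # Set only when the check passed; the OP may later deliver the
    # authorization response (code/id_token, or an error) to this URI.
    redirect_to: Optional[str] = None


def resolve_redirect_uri(client_id: str, redirect_uri: Optional[str]) -> Decision:
    """RFC 6749 3.1.2.3 / OpenID Connect Core 3.1.2.1:
    - an omitted redirect_uri is acceptable only if exactly one URI is
      registered (OP-redirect_uri-Missing: several registered, none supplied,
      the request must be rejected);
    - a supplied redirect_uri must equal a registered value by simple string
      comparison: no prefix matching, no trailing-slash or case tolerance."""
    registered = REGISTERED_CLIENTS.get(client_id)
    if not registered:
        return Decision(False, "unauthorized_client: unknown client_id")
    if redirect_uri is None:
        if len(registered) == 1:
            return Decision(True, redirect_to=registered[0])
        return Decision(
            False,
            "invalid_request: redirect_uri is required when more than one is registered",
        )
    if redirect_uri in registered:
        return Decision(True, redirect_to=redirect_uri)
    return Decision(False, "invalid_request: redirect_uri does not match a registered value")


def handle_authorization_request(url: str) -> Tuple[str, str]:
    """Front door of a toy authorization endpoint.

    Returns ('continue', redirect_uri) when the request may proceed to user
    authentication, or ('error_page', reason) when the OP must show the error
    itself.  A failed redirect_uri check never yields a redirect: RFC 6749
    4.1.2.1 forbids sending the user-agent to an unvalidated URI."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    client_ids = params.get("client_id", [])
    if len(client_ids) != 1:
        return ("error_page", "invalid_request: client_id must appear exactly once")
    uris = params.get("redirect_uri", [])
    if len(uris) > 1:
        # A repeated parameter is a classic way to slip a second URI past a
        # validator that only looks at the first (or last) value.
        return ("error_page", "invalid_request: redirect_uri must not be repeated")
    decision = resolve_redirect_uri(client_ids[0], uris[0] if uris else None)
    if not decision.ok:
        return ("error_page", decision.error)
    return ("continue", decision.redirect_to)


if __name__ == "__main__":
    base = "https://op.example/authorize?response_type=code&scope=openid&state=s1&nonce=n1"
    for query in (
        "&client_id=single-uri-client",
        "&client_id=multi-uri-client",
        "&client_id=multi-uri-client&redirect_uri=https%3A%2F%2Frp.example%2Falt%2Fcallback",
        "&client_id=multi-uri-client&redirect_uri=https%3A%2F%2Frp.example%2Fcallback%2F",
    ):
        print(handle_authorization_request(base + query))
```

<p>Two design points worth noting. OpenID Connect Core lists redirect_uri as REQUIRED in the authentication request, so an OP is free to reject every request that omits it regardless of how many URIs are registered; the example keeps the OAuth 2.0 single-URI default only so that the condition the Dynamic-profile test exercises (omission with several URIs registered) is visible as a separate branch. And the exact-match comparison is the whole point: any prefix, wildcard or normalisation step in that branch turns a mismatched redirect_uri into an open redirect that carries the authorization code or id_token with it.</p>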