<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Spec Call Notes 12-Mar-20<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Roland Hedberg<o:p></o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">George Fletcher<o:p></o:p></p>
<p class="MsoNormal">Joseph Heenan<o:p></o:p></p>
<p class="MsoNormal">Tom Jones<o:p></o:p></p>
<p class="MsoNormal">Bjorn Hjelm<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Migration from Mercurial to Git<o:p></o:p></p>
<p class="MsoNormal"> Edmund and Nat created a migration script<o:p></o:p></p>
<p class="MsoNormal"> It doesn't migrate PRs but migrates everything else<o:p></o:p></p>
<p class="MsoNormal"> Mike will review the three PRs and propose dispositions<o:p></o:p></p>
<p class="MsoNormal"> Identities within Bitbucket are maintained<o:p></o:p></p>
<p class="MsoNormal"> Most links in the issue tracker should work after migration<o:p></o:p></p>
<p class="MsoNormal"> Nat proposes to create a trial migration to review this week<o:p></o:p></p>
<p class="MsoNormal"> Mike said that we should target the real migration at the beginning of April<o:p></o:p></p>
<p class="MsoNormal"> George has outstanding local spec changes<o:p></o:p></p>
<p class="MsoNormal"> Mike and Nat reinforced that any outstanding local changes should be checked in soon<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OAuth JAR<o:p></o:p></p>
<p class="MsoNormal"> Nat asked the OAuth WG two weeks ago whether to restore the client_id functionality<o:p></o:p></p>
<p class="MsoNormal"> People haven't responded to that specific thread<o:p></o:p></p>
<p class="MsoNormal"> The thread is "RE: [OAUTH-WG] JWT Secured Authorization Request (JAR) vs OIDC request object"<o:p></o:p></p>
<p class="MsoNormal"> Mike and Joseph replied just now supporting this change. Others can likewise do so.<o:p></o:p></p>
<p class="MsoNormal"> Nat plans to make the change after a few replies come in<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">MTLS and Self-Signed Certificates<o:p></o:p></p>
<p class="MsoNormal"> Higher education uses a lot of self-signed certificates in SAML federations<o:p></o:p></p>
<p class="MsoNormal"> They are also accustomed to using MTLS<o:p></o:p></p>
<p class="MsoNormal"> Torsten wants to use MTLS<o:p></o:p></p>
<p class="MsoNormal"> Mike asked why not just use private_key_jwt?<o:p></o:p></p>
<p class="MsoNormal"> Joseph said that in FAPI, people have a lot more deployment problems with MTLS than private_key_jwt<o:p></o:p></p>
<p class="MsoNormal"> Python doesn't successfully process self-signed client certificates<o:p></o:p></p>
<p class="MsoNormal"> Brian thinks that you can do this in Java by overriding a certificate verification method<o:p></o:p></p>
<p class="MsoNormal"> The Federation spec uses private_key_jwt at the authorization endpoint<o:p></o:p></p>
<p class="MsoNormal"> This requires that the audience be the authorization endpoint<o:p></o:p></p>
<p class="MsoNormal"> Brian stated that MTLS isn't defined or possible at the authorization endpoint<o:p></o:p></p>
<p class="MsoNormal"> Only at the token endpoint<o:p></o:p></p>
<p class="MsoNormal"> Roland will take this offline with Brian and the authors<o:p></o:p></p>
<p class="MsoNormal"> Joseph said that FAPI has a pushed request object<o:p></o:p></p>
<p class="MsoNormal"> Brian said that OAuth PAR is intended to be better specified and interoperable<o:p></o:p></p>
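<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Added worked example (written for these notes; it is not code from the working group, the Federation draft, or any implementation mentioned above). It shows the point recorded above that a private_key_jwt client assertion is bound to one endpoint through its aud claim: an assertion minted for the authorization endpoint verifies there and is refused at the token endpoint, and vice versa. The client_id, the two endpoint URLs, the ES256 algorithm and the 60-second lifetime are all assumptions chosen for the example; only the Go standard library is used.<o:p></o:p></p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed identifiers for this example; they do not come from the call notes.
const clientID, authzEndpoint, tokenEndpoint = "https://rp.example.org", "https://op.example.edu/authorize", "https://op.example.edu/token"
var b64 = base64.RawURLEncoding

// Claims of a private_key_jwt client assertion.
type Claims struct {
	Iss string `json:"iss"` // client_id
	Sub string `json:"sub"` // client_id
	Aud string `json:"aud"` // endpoint URL (a string here; RFC 7519 also allows an array)
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

func decodePart(s string, v interface{}) error { // base64url-decode one JWS segment and unmarshal it
	raw, err := b64.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignAssertion mints an ES256 client assertion (OpenID Connect Core 1.0 section 9,
// RFC 7523) addressed to aud, the URL of the endpoint the client is about to call.
func SignAssertion(key *ecdsa.PrivateKey, aud string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	body, _ := json.Marshal(Claims{Iss: clientID, Sub: clientID, Aud: aud,
		Jti: b64.EncodeToString(jti), Exp: now.Add(60 * time.Second).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is fixed-width R || S (RFC 7518 section 3.4)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyAssertion is the check a receiving endpoint runs. self is its own URL, so an assertion
// minted for the token endpoint is refused at the authorization endpoint and vice versa; seen
// records accepted jti values to stop replay within the assertion's lifetime.
func VerifyAssertion(pub *ecdsa.PublicKey, assertion, self string, now time.Time, seen map[string]bool) (*Claims, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	var hdr struct{ Alg string }
	if err := decodePart(parts[0], &hdr); err != nil || hdr.Alg != "ES256" {
		return nil, errors.New("bad header or unexpected alg") // pin alg; never honour "none"
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature malformed or invalid")
	}
	var c Claims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != clientID || c.Sub != clientID:
		return nil, errors.New("iss/sub is not a registered client")
	case c.Aud != self:
		return nil, fmt.Errorf("aud %q is not this endpoint (%s)", c.Aud, self)
	case now.Unix() >= c.Exp || seen[c.Jti]:
		return nil, errors.New("assertion expired or jti already used")
	}
	seen[c.Jti] = true
	return &c, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a, _ := SignAssertion(key, authzEndpoint, time.Now())
	_, err := VerifyAssertion(&key.PublicKey, a, tokenEndpoint, time.Now(), map[string]bool{})
	fmt.Println("token endpoint:", err) // refused: aud names the authorization endpoint
}
```

<p class="MsoNormal">The verifier checks the signature before it trusts anything in the payload, pins the algorithm instead of reading it from the header, and compares aud against its own URL rather than against a list of all OP endpoints; that last comparison is what keeps an assertion captured at one endpoint from being presented at another.<o:p></o:p></p>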
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Federation Specification and Interops<o:p></o:p></p>
<p class="MsoNormal"> The Federation draft is at second Implementer's Draft status<o:p></o:p></p>
<p class="MsoNormal"> It's pretty stable, other than possibly changes responding to the MTLS feedback<o:p></o:p></p>
<p class="MsoNormal"> An interop is planned at TNC in Brighton in June<o:p></o:p></p>
<p class="MsoNormal"> It's looking like this may have to be virtual<o:p></o:p></p>
<p class="MsoNormal"> Roland knows of three implementations: from Germany, Finland, and Sweden<o:p></o:p></p>
<p class="MsoNormal"> Or they could relocate the interop to Stockholm, for instance<o:p></o:p></p>
<p class="MsoNormal"> Mike said that implementers could be putting up their public test endpoints now<o:p></o:p></p>
<p class="MsoNormal"> Roland has some clarifications to check into the spec<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Certification and Logout<o:p></o:p></p>
<p class="MsoNormal"> OP and RP logout certification are in pilot mode<o:p></o:p></p>
<p class="MsoNormal"> We want people testing before we take the Logout specs to Final status<o:p></o:p></p>
<p class="MsoNormal"> George will test Verizon Media's Front-Channel Logout implementation<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open">
https://bitbucket.org/openid/connect/issues?status=new&status=open</a><o:p></o:p></p>
<p class="MsoNormal"> #1150 Federation: 9.1.1 Endpoint should be "authorization"<o:p></o:p></p>
<p class="MsoNormal"> Roland agrees with that correction<o:p></o:p></p>
<p class="MsoNormal"> #1151 Federation: A.1: Examples of OP metadata in entity statement and merged statement missing required parameters<o:p></o:p></p>
<p class="MsoNormal"> Roland has addressed this in his local copy<o:p></o:p></p>
<p class="MsoNormal"> #1154 Federation: Explicit definition of entity identifier<o:p></o:p></p>
<p class="MsoNormal"> Roland has addressed this in his local copy<o:p></o:p></p>
<p class="MsoNormal"> #1155 Federation: 4.1.3: Typo in superset_of JSON example<o:p></o:p></p>
<p class="MsoNormal"> Assigned to Roland<o:p></o:p></p>
<p class="MsoNormal"> #1156 Federation: 4.1.1. subset_of edge cases<o:p></o:p></p>
<p class="MsoNormal"> Roland has addressed in his local copy<o:p></o:p></p>
<p class="MsoNormal"> #1157 Federation: 4.3: Combining Policies - Reword "combine" as "merge" where appropriate?<o:p></o:p></p>
<p class="MsoNormal"> Assigned to Roland<o:p></o:p></p>
<p class="MsoNormal"> #1158 Federation 4 /7.2 - not clear handling when 'metadata' duplicated in the trust chain<o:p></o:p></p>
<p class="MsoNormal"> Roland will clarify when metadata can appear and when metadata policy can appear<o:p></o:p></p>
<p class="MsoNormal"> #1159 TLS requirements/recommendations for OP/RP<o:p></o:p></p>
<p class="MsoNormal"> Mike will update the TLS recommendations text<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next working group call is scheduled for Monday, March 16 at 4pm Pacific Time<o:p></o:p></p>
</div>
</body>
</html>