<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Spec Call Notes 14-Aug-23<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">Tom Jones<o:p></o:p></p>
<p class="MsoNormal">Andrii Deiniga<o:p></o:p></p>
<p class="MsoNormal">Naveen CM<o:p></o:p></p>
<p class="MsoNormal">Edmund Jay<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Errata Status<o:p></o:p></p>
<p class="MsoNormal"> Mike published proposed errata drafts for review yesterday<o:p></o:p></p>
<p class="MsoNormal"> Mike found a few additional errata suggestions in an old "To Do" file and filed corresponding issues today<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open&milestone=Errata">
https://bitbucket.org/openid/connect/issues?status=new&status=open&milestone=Errata</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open">
https://bitbucket.org/openid/connect/issues?status=new&status=open</a><o:p></o:p></p>
<p class="MsoNormal"> #1112: Register openid to the well-known URI scheme IANA registry<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;The designated expert says that we could do provisional registration now<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;A spec specifying URI syntax would be required for full registration<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;Mike will respond requesting provisional registration<o:p></o:p></p>
<p class="MsoNormal"> #2025: William Denniss' suggestion about Cache-Control: no-cache, no-store<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;Andrii pointed out that this was previously discussed by the OAuth WG<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;<a href="https://mailarchive.ietf.org/arch/msg/oauth/9DdkE2P0RrUZMeZAbdf3NrMfy0w/">
https://mailarchive.ietf.org/arch/msg/oauth/9DdkE2P0RrUZMeZAbdf3NrMfy0w/</a><o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;Andrii will add a comment to the issue<o:p></o:p></p>
<p class="MsoNormal"> #2026: Dynamic Registration redirect_uri ambiguity<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;We should make the sentence unambiguous<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;We should say that custom URI schemes are acceptable<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;It doesn't seem worth mentioning IP literal forms in an errata update<o:p></o:p></p>
<p class="MsoNormal"> #2027: Obsolete statement about WebFinger and acct: URIs<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;We should update the note to reference the acct: URI spec<o:p></o:p></p>
<p class="MsoNormal"> #2028: Reference to RFC 8176 "Authentication Method Reference Values" needed<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;We should say that people should use values from the registry<o:p></o:p></p>
<p class="MsoNormal"> #2029: Reference RFC 9101 "JWT-Secured Authorization Request (JAR)"<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;We should add an informative reference saying that this was based on the invention in Connect<o:p></o:p></p>
<p class="MsoNormal"> #2030: ISO29115 date wrong<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;Editorial<o:p></o:p></p>
<p class="MsoNormal"> #2013: Improve clarity of sentence about issuer value<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;We should use something like the wording from the OAuth RFC<o:p></o:p></p>
<p class="MsoNormal"> #2024: oidcc-prompt-none-logged-in test should accept login_required response<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;Edmund wondered whether this has to do with multiple users being logged in<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;Mike responded in a comment<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;This would remove the tests that require working support for prompt=none from the certification requirements<o:p></o:p></p>
<p class="MsoNormal"> #2022: [Federation] 5.1.4.1. Merging Operators - Correct normative language<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;Addressed by PR #607<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Pull Requests:<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/">
https://bitbucket.org/openid/connect/pull-requests/</a><o:p></o:p></p>
<p class="MsoNormal"> PR #607: [Federation] Cleans up the policy combination and operator merge language (iss #2022)<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;More reviews would be welcomed<o:p></o:p></p>
<p class="MsoNormal"> PR #589: [Federation] Allow retrieving metadata from existing locations<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;Generating a lot of good discussion<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;Mike plans to discuss this in person at the OAuth Security Workshop next week<o:p></o:p></p>
<p class="MsoNormal"> PR #448: [Federation] Added appendix on using Web PKI cryptographic trust<o:p></o:p></p>
<p class="MsoNormal"> &nbsp;&nbsp;&nbsp;&nbsp;Closing in favor of PR #589<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Issues with Status "Submitted"<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?is_spam=%21spam&status=submitted">
https://bitbucket.org/openid/connect/issues?is_spam=%21spam&status=submitted</a><o:p></o:p></p>
<p class="MsoNormal"> #448: Opened and discussed #2024: oidcc-prompt-none-logged-in test should accept login_required response<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tom asked about the new "Custom URI Schemes on iOS" text<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://openid.net/specs/openid-connect-core-1_0-32.html#iOSCustomSchemes">
https://openid.net/specs/openid-connect-core-1_0-32.html#iOSCustomSchemes</a><o:p></o:p></p>
<p class="MsoNormal"> He thinks we should say more clearly that this is insecure<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next call will be the SIOP Special Topic call on Thursday, August 17th at 7am Pacific Time<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>