<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:11.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:938414166;
mso-list-template-ids:-811010562;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:1144198398;
mso-list-type:hybrid;
mso-list-template-ids:740694536 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks for your observations, Joseph.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">With respect to Automatic Registration being underspecified with respect to being able to create some of these tests, hopefully we can start creating those for which there is no ambiguity and work together
improve the spec and/or test definitions to remove any ambiguities.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Yes, due to their size, Trust Chains will require using HTTP POST.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Here’s my evaluation of the value of each of the three modes:<o:p></o:p></span></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo2"><span style="font-size:11.0pt">Deployed Entity – These are the tests we already have. These are useful to people running Federation production.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo2"><span style="font-size:11.0pt">Entire Deployed Federation – These are easy to create from the prior set by adding the straightforward code to walk the graphs. These are useful to
Federation operators.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo2"><span style="font-size:11.0pt">Test Entity joined to Test Federation – These will let us run protocol tests, including Automatic Registration tests, which we’d tentatively agreed would
be the next goal. This mode also lets us run all manner of negative tests, which are important for security.<o:p></o:p></span></li></ol>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">We can also talk about whether it makes sense to add the fourth mode that you suggest, which is a testing node temporarily joined to a deployed federation. There are good arguments for both 3 and 4.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Is the next step to have a call between Marcus, myself, and probably you, Joseph to talk about next steps?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Thanks all,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Giuseppe De Marco <demarcog83@gmail.com>
<br>
<b>Sent:</b> Thursday, January 9, 2025 4:05 PM<br>
<b>To:</b> Artifact Binding/Connect Working Group <openid-specs-ab@lists.openid.net><br>
<b>Cc:</b> Joseph Heenan <joseph@authlete.com>; Certification <Certification@oidf.org><br>
<b>Subject:</b> Re: [Openid-specs-ab] Proposed next set of Certification tests for OpenID Federation<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hey J<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thank you for you feedback, very valuable. I will get back on your points with more attention asap, here my not yet comprensive answers<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">trust chains have expiration, an AS only Need to have a fresh (not expired) trust chain about the client. If the client provides a fresh trust chain within the request, it can be validated by having the trust anchor public keys. If It is
more fresh than the one already cached by the AS, the AS should update its cache.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">These are impl considerations that would merit their space within the specs.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The AS should benefit to only cache the valid trust chains. Smart implementations also cache the processed metadata, to not process policies again and again using the the same data.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Trust chains bring huge payloads, when used within the request, http post method or uri or par are the only possible way to not get risks of request URL params truncation.<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
Afaik, the test on the italian federation was made on the production nodes. You can use and italian RP, requesting to it an authentication to the italian openid CIE server, then inspect the CIE openid resolve endpoint to evaluate how and when the AS has collected
and evaluated the trust chain about that RP. The resolve endpoint brings the transparency we need when we deal with automatic registrations.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In this way, you can test a federation on production without implementing RP or Op, you only need to statically evaluate the resolved response about its issuers about a specific subject. One shot, two birds.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In Italy the resolve endpoint is therefore required, we realized that we would not live without It.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Please don't forget that the current italian impl in production is about draft 24, and that in Italy we don't want to handle changes until the specs Will be an official standard.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Differently, for the wallet ecosystem we are handling periodical alignments.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">We still have come road to do together before finishing all this, I really appreciate the good company.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Thank you all<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">Il gio 9 gen 2025, 22:28 Joseph Heenan via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> ha scritto:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">Hi all<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Just to put some some of the items I mentioned during today’s working group call into writing; after a quick (and not comprehensive) review a few worries spring to mind:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">I’m not convinced that Automatic registration is clearly enough defined in the specification to do some of these tests - e.g. I think there’s a lack of clarity over what servers might or might not be permitted to cache during the automatic
registration, e.g. I wouldn’t expect an AS to re-verify the trust chain on every authorization endpoint call but I think there’s one test that expects that passing an invalid trust chain would reliably result in an error. I’m also not sure if the server allowed
to skip some other validation steps if the client was already registered.<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I think the flexibility in the spec over how to deal with the request object (if it includes the trust_chain) potentially being larger than actually works in practice is not helpful for interoperability tests (e.g. as well as permitting
a normal redirect to the authorization endpoint, it allows a POST, or the use of request_uri, or PAR). <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">On the 3 different deployment modes, we should make sure we’re clear which of the 3 modes we want to focus on testing initially - I’d suggest focussing on what we think we deliver the most value.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">And something I’ve further reflected on since the working group call - I’m not sure that “Entity Joined to Test Federation” mode is actually necessary for some of the positive/negative tests. I suspect there’s an in-between position where
the conformance suite is temporarily made a leaf (not sure if that’s the correct word) in the production federation that the entity under test is a part of. This is how we approach, e.g., OpenBanking testing that allows us to test a production bank. My gut
feeling is that it’s probably important we’re able to do that kind of production testing against a production node in a real federation too, if we’re going to make sure that things actually work in that federation in production - e.g. in seems important to
test client registration in that kind of way. I don’t know if there’s any Federation specific issues that might stop that working.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Joseph<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On 1 Jan 2025, at 06:49, Michael Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">As a result of discussions with the Certification team and the Connect working group, we decided that the next steps for certifying OpenID Federation deployments and implementations would be to add tests exchanging
protocol messages between the implementation being tested and federation conformance testing software at <a href="http://www.certification.openid.net/" target="_blank"><span style="color:#467886">www.certification.openid.net</span></a>. The attached spreadsheet
defines an initial set of such tests, both using Automatic Registration and Explicit Registration. It also includes the previous set of tests, updated per feedback from Marcus Almgren, who implemented them.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">As described in the (short) attached Word doc, we plan for there to be three modes of tests available for Federations:<o:p></o:p></span></p>
</div>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="mso-list:l0 level1 lfo1"><b><span style="font-size:11.0pt">Deployed Single Entity Testing: </span></b><span style="font-size:11.0pt"> Tests the properties of an Entity deployed in a Federation in detail. Obviously, only features
used by the Entity can be tested. All the tests we have now use this mode.<o:p></o:p></span></li><li class="MsoNormal" style="mso-list:l0 level1 lfo1"><b><span style="font-size:11.0pt">Deployed Entire Federation Testing:</span></b><span style="font-size:11.0pt"> Tests the properties of an entire deployed Federation graph. Obviously only limited information
can be logged so that the log sizes for Federations with thousands of Entities do not become unwieldy. We expect this mode to be useful to Federation Operators for identifying problems in their federations.<o:p></o:p></span></li><li class="MsoNormal" style="mso-list:l0 level1 lfo1"><b><span style="font-size:11.0pt">Entity Joined to Test Federation:</span></b><span style="font-size:11.0pt"> Tests the behavior an Entity within a custom federation created for certification testing purposes.
Both positive and negative tests can be run in this manner, as are tests over a broader range of inputs controlled by the certification suite.<o:p></o:p></span></li></ul>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">The new “<b>Test Modes</b>” column in the spreadsheet indicates which combinations of the three modes tests are applicable for: Deployed (1), Entire Fed (2), Test Fed. (3), or All.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">These tests are informed by the tests developed by the Italian SPID CIE team and also by discussions with those involved in the Italian and multiple other European deployments, Australian deployments, the
Connect working group, and the Certification team. Please let us know what you’d like to see us do next!<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"> Happy New Year!<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"> -- Mike<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><OpenID Federation Conformance Features 31-Dec-24.xlsx><Certification Testing for OpenID Federation 29-Dec-24.docx><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">_______________________________________________<br>
Openid-specs-ab mailing list<br>
</span><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#467886">Openid-specs-ab@lists.openid.net</span></a><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><br>
</span><a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#467886">https://lists.openid.net/mailman/listinfo/openid-specs-ab</span></a><o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</body>
</html>