<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Hi,</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
I'm definitely up for a call like the one you proposed, Mike, in order to make sure that I proceed in the right direction.</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Thank you,<br>
Marcus</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="appendonsend"></div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<hr style="display: inline-block; width: 98%;">
<div dir="ltr" id="divRplyFwdMsg"><span style="font-family: Calibri, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);"><b>From:</b> Michael Jones <michael_b_jones@hotmail.com><br>
<b>Sent:</b> Tuesday, January 14, 2025 05:51<br>
<b>To:</b> jheenan_authletefwd <joseph@authlete.com>; Giuseppe De Marco <demarcog83@gmail.com>; Artifact Binding/Connect Working Group <openid-specs-ab@lists.openid.net><br>
<b>Cc:</b> Certification <Certification@oidf.org><br>
<b>Subject:</b> RE: [Openid-specs-ab] Proposed next set of Certification tests for OpenID Federation</span>
<div> </div>
</div>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;">Thanks for your observations, Joseph.</span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;"> </span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;">With respect to Automatic Registration being underspecified with respect to being able to create some of these tests, hopefully we can start creating those
for which there is no ambiguity and work together to improve the spec and/or test definitions to remove any ambiguities.</span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;"> </span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;">Yes, due to their size, Trust Chains will require using HTTP POST.</span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;"> </span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;">Here’s my evaluation of the value of each of the three modes:</span></p>
<ol start="1" style="margin-top: 0in; margin-bottom: 0in;">
<li style="font-family: "Aptos", sans-serif; font-size: 12pt; margin: 0in;"><span style="font-size: 11pt;">Deployed Entity – These are the tests we already have. These are useful to people running Federation production.</span></li><li style="font-family: "Aptos", sans-serif; font-size: 12pt; margin: 0in;"><span style="font-size: 11pt;">Entire Deployed Federation – These are easy to create from the prior set by adding the straightforward code to walk the graphs. These are useful to Federation
operators.</span></li><li style="font-family: "Aptos", sans-serif; font-size: 12pt; margin: 0in;"><span style="font-size: 11pt;">Test Entity joined to Test Federation – These will let us run protocol tests, including Automatic Registration tests, which we’d tentatively agreed would
be the next goal. This mode also lets us run all manner of negative tests, which are important for security.</span></li></ol>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;"> </span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;">We can also talk about whether it makes sense to add the fourth mode that you suggest, which is a testing node temporarily joined to a deployed federation.
There are good arguments for both 3 and 4.</span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;"> </span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;">Is the next step to have a call between Marcus, myself, and probably you, Joseph, to talk about next steps?</span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;"> </span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;"> Thanks all,</span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;"> -- Mike</span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;"> </span></p>
<div style="padding: 3pt 0in 0in; border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor;">
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-family: "Calibri", sans-serif; font-size: 11pt;"><b>From:</b> Giuseppe De Marco <demarcog83@gmail.com><br>
<b>Sent:</b> Thursday, January 9, 2025 4:05 PM<br>
<b>To:</b> Artifact Binding/Connect Working Group <openid-specs-ab@lists.openid.net><br>
<b>Cc:</b> Joseph Heenan <joseph@authlete.com>; Certification <Certification@oidf.org><br>
<b>Subject:</b> Re: [Openid-specs-ab] Proposed next set of Certification tests for OpenID Federation</span></p>
</div>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">Hey J</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">Thank you for your feedback, very valuable. I will get back on your points with more attention asap; here are my not yet comprehensive answers.</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">Trust chains have an expiration; an AS only needs to have a fresh (not expired) trust chain about the client. If the client provides a fresh trust chain within the request, it can be validated
by having the trust anchor public keys. If it is fresher than the one already cached by the AS, the AS should update its cache.</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">These are impl considerations that would merit their space within the specs.</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">The AS would benefit from caching only the valid trust chains. Smart implementations also cache the processed metadata, so as not to process policies again and again using the same data.</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">Trust chains bring huge payloads; when used within the request, the HTTP POST method, a request URI or PAR are the only possible ways to avoid the risk of request URL parameter truncation.</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><br>
Afaik, the test on the Italian federation was made on the production nodes. You can use an Italian RP, requesting from it an authentication to the Italian OpenID CIE server, then inspect the CIE OpenID resolve endpoint to evaluate how and when the AS has collected
and evaluated the trust chain about that RP. The resolve endpoint brings the transparency we need when we deal with automatic registrations.</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">In this way, you can test a federation in production without implementing an RP or OP; you only need to statically evaluate the resolve response from its issuers about a specific subject.
One shot, two birds.</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">In Italy the resolve endpoint is therefore required; we realized that we could not live without it.</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">Please don't forget that the current Italian impl in production is based on draft 24, and that in Italy we don't want to handle changes until the specs become an official standard.</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">Differently, for the wallet ecosystem we are handling periodical alignments.</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">We still have some road to go together before finishing all this; I really appreciate the good company.</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in 0in 12pt; font-family: "Aptos", sans-serif; font-size: 12pt;">
Thank you all</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">On Thu, 9 Jan 2025, 22:28 Joseph Heenan via Openid-specs-ab <<span style="color: blue;"><u><a href="mailto:openid-specs-ab@lists.openid.net" id="OWAfb271f95-9ab3-061c-0940-4d70cf6358dc" class="OWAAutoLink" style="color: blue; margin-top: 0px; margin-bottom: 0px;">openid-specs-ab@lists.openid.net</a></u></span>>
wrote:</p>
<blockquote style="margin-right: 0in; margin-left: 4.8pt; padding: 0in 0in 0in 6pt; border-width: medium medium medium 1pt; border-style: none none none solid; border-color: currentcolor currentcolor currentcolor rgb(204, 204, 204);">
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">Hi all</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">Just to put some of the items I mentioned during today’s working group call into writing; after a quick (and not comprehensive) review a few worries spring to mind:</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">I’m not convinced that Automatic registration is clearly enough defined in the specification to do some of these tests - e.g. I think there’s a lack of clarity over what servers might
or might not be permitted to cache during the automatic registration, e.g. I wouldn’t expect an AS to re-verify the trust chain on every authorization endpoint call but I think there’s one test that expects that passing an invalid trust chain would reliably
result in an error. I’m also not sure if the server is allowed to skip some other validation steps if the client was already registered.</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">I think the flexibility in the spec over how to deal with the request object (if it includes the trust_chain) potentially being larger than actually works in practice is not helpful
for interoperability tests (e.g. as well as permitting a normal redirect to the authorization endpoint, it allows a POST, or the use of request_uri, or PAR). </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">On the 3 different deployment modes, we should make sure we’re clear which of the 3 modes we want to focus on testing initially - I’d suggest focusing on where we think we deliver the
most value.</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">And something I’ve further reflected on since the working group call - I’m not sure that “Entity Joined to Test Federation” mode is actually necessary for some of the positive/negative
tests. I suspect there’s an in-between position where the conformance suite is temporarily made a leaf (not sure if that’s the correct word) in the production federation that the entity under test is a part of. This is how we approach, e.g., OpenBanking testing
that allows us to test a production bank. My gut feeling is that it’s probably important we’re able to do that kind of production testing against a production node in a real federation too, if we’re going to make sure that things actually work in that federation
in production - e.g. it seems important to test client registration in that kind of way. I don’t know if there are any Federation-specific issues that might stop that working.</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">Thanks</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">Joseph</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><br>
<br>
</p>
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;">
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">On 1 Jan 2025, at 06:49, Michael Jones via Openid-specs-ab <<span style="color: blue;"><u><a href="mailto:openid-specs-ab@lists.openid.net" id="OWA747a6e5a-f9a7-c083-216b-a6042948100b" class="OWAAutoLink" style="color: blue; margin-top: 0px; margin-bottom: 0px;">openid-specs-ab@lists.openid.net</a></u></span>>
wrote:</p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;">As a result of discussions with the Certification team and the Connect working group, we decided that the next steps for certifying OpenID Federation deployments
and implementations would be to add tests exchanging protocol messages between the implementation being tested and federation conformance testing software at
</span><span style="font-size: 11pt; color: rgb(70, 120, 134);"><u><a href="http://www.certification.openid.net/" id="OWA181c8071-4bea-83e8-d767-cd16fba589ad" class="OWAAutoLink" style="color: rgb(70, 120, 134); margin-top: 0px; margin-bottom: 0px;" data-auth="NotApplicable">www.certification.openid.net</a></u></span><span style="font-size: 11pt;">.
The attached spreadsheet defines an initial set of such tests, both using Automatic Registration and Explicit Registration. It also includes the previous set of tests, updated per feedback from Marcus Almgren, who implemented them.</span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;"> </span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;">As described in the (short) attached Word doc, we plan for there to be three modes of tests available for Federations:</span></p>
<ul style="margin-top: 0in; margin-bottom: 0in;">
<li style="font-family: "Aptos", sans-serif; font-size: 12pt; margin: 0in;"><span style="font-size: 11pt;"><b>Deployed Single Entity Testing:
</b> Tests the properties of an Entity deployed in a Federation in detail. Obviously, only features used by the Entity can be tested. All the tests we have now use this mode.</span></li><li style="font-family: "Aptos", sans-serif; font-size: 12pt; margin: 0in;"><span style="font-size: 11pt;"><b>Deployed Entire Federation Testing:</b> Tests the properties of an entire deployed Federation graph. Obviously only limited information can be logged
so that the log sizes for Federations with thousands of Entities do not become unwieldy. We expect this mode to be useful to Federation Operators for identifying problems in their federations.</span></li><li style="font-family: "Aptos", sans-serif; font-size: 12pt; margin: 0in;"><span style="font-size: 11pt;"><b>Entity Joined to Test Federation:</b> Tests the behavior of an Entity within a custom federation created for certification testing purposes. Both positive
and negative tests can be run in this manner, as are tests over a broader range of inputs controlled by the certification suite.</span></li></ul>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;"> </span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;">The new “<b>Test Modes</b>” column in the spreadsheet indicates which combinations of the three modes tests are applicable for: Deployed (1), Entire Fed
(2), Test Fed. (3), or All.</span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;"> </span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;">These tests are informed by the tests developed by the Italian SPID CIE team and also by discussions with those involved in the Italian and multiple other
European deployments, Australian deployments, the Connect working group, and the Certification team. Please let us know what you’d like to see us do next!</span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;"> </span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;"> Happy New Year!</span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;"> -- Mike</span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"><span style="font-size: 11pt;"> </span></p>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">&lt;OpenID Federation Conformance Features 31-Dec-24.xlsx&gt; &lt;Certification Testing for OpenID Federation 29-Dec-24.docx&gt;<span style="font-family: "Helvetica", sans-serif; font-size: 9pt;">_______________________________________________<br>
Openid-specs-ab mailing list<br>
</span><span style="font-family: "Helvetica", sans-serif; font-size: 9pt; color: rgb(70, 120, 134);"><u><a href="mailto:Openid-specs-ab@lists.openid.net" id="OWAba1106bb-ffe8-7223-16e4-c2f2d975a644" class="OWAAutoLink" style="color: rgb(70, 120, 134); margin-top: 0px; margin-bottom: 0px;">Openid-specs-ab@lists.openid.net</a></u></span><span style="font-family: "Helvetica", sans-serif; font-size: 9pt;"><br>
</span><span style="font-family: "Helvetica", sans-serif; font-size: 9pt; color: rgb(70, 120, 134);"><u><a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" id="OWAba2bab02-3614-dfc6-3044-1e3bf60b83dd" class="OWAAutoLink" style="color: rgb(70, 120, 134); margin-top: 0px; margin-bottom: 0px;" data-auth="NotApplicable">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a></u></span></p>
</blockquote>
<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;"> </p>
</blockquote>
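<p style="margin: 0in; font-family: "Aptos", sans-serif; font-size: 12pt;">The trust-chain caching behaviour debated above (an AS keeping a fresh chain for the client, replacing it only with a fresher valid one, and Joseph's question of whether an invalid chain in the request must always produce an error) as an added, constructed example that is not part of this thread or of any certification suite; HMAC tags stand in for JWS signatures, the entity names and the AS policy in <code>authorize</code> are assumptions, and the chain layout follows the leaf-to-anchor order described in the message:</p>

```python
"""Trust-chain validation and caching at an AS for Automatic Registration (constructed
example). Entity Statements are a payload plus an HMAC tag under the issuer's key; this
stands in for real JWS signatures only so the example runs offline on the stdlib."""
import hashlib
import hmac
import json

def sign(payload, issuer_key):
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(issuer_key.encode(), body, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}

def verify(stmt, key):
    body = json.dumps(stmt["payload"], sort_keys=True).encode()
    expected = hmac.new(key.encode(), body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(stmt["tag"], expected)

def validate_chain(chain, trust_anchor_keys, now):
    """chain[0] is the leaf's self-issued Entity Configuration, each later statement is
    issued by a superior about the previous issuer, chain[-1] by a Trust Anchor. Each
    statement is verified with the subject key ("jwks") carried by the next one; the
    anchor's with a configured key. Returns the earliest exp when valid, else None."""
    expiry = None
    for i, stmt in enumerate(chain):
        p = stmt["payload"]
        if i + 1 < len(chain):
            superior = chain[i + 1]["payload"]
            if superior["sub"] != p["iss"]:  # links must connect iss -> sub
                return None
            key = superior["jwks"]
        else:
            key = trust_anchor_keys.get(p["iss"])  # unknown anchor: reject
            if key is None:
                return None
        if not verify(stmt, key) or not (p["iat"] <= now < p["exp"]):
            return None
        expiry = p["exp"] if expiry is None else min(expiry, p["exp"])
    return expiry

def authorize(cache, client_id, presented_chain, trust_anchor_keys, now):
    """Assumed AS policy (not spec text): a presented chain must validate, so an invalid
    one is always an error; a valid one replaces the cached chain only if it expires
    later; with no chain in the request the AS relies on a still-fresh cached chain."""
    if presented_chain is not None:
        expiry = validate_chain(presented_chain, trust_anchor_keys, now)
        if expiry is None:
            return "invalid_trust_chain"
        cached = cache.get(client_id)
        if cached is None or expiry > cached["exp"]:
            cache[client_id] = {"exp": expiry, "chain": presented_chain}
        return "ok"
    cached = cache.get(client_id)
    if cached is not None and cached["exp"] > now:
        return "ok_from_cache"
    return "trust_chain_required"

def build_chain(leaf_key, inter_key, ta_key, iat, exp):
    """Constructed three-entity chain: rp.example -> inter.example -> ta.example."""
    def stmt(iss, sub, sub_key, signer_key):
        return sign({"iss": iss, "sub": sub, "iat": iat, "exp": exp, "jwks": sub_key}, signer_key)
    return [stmt("https://rp.example", "https://rp.example", leaf_key, leaf_key),
            stmt("https://inter.example", "https://rp.example", leaf_key, inter_key),
            stmt("https://ta.example", "https://inter.example", inter_key, ta_key)]
```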
</body>
</html>