Shibboleth Developer's Meeting, 2020-11-06
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2020-11-20. Any reason to deviate from this?
60 to 90 minute call window.
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
- OIDC plugin - versioning, planning
- Duo plugin - delivery of the two alternative implementations vis a vis the plugin/module system
- EC2 postmortem
Attendees:
Brent
- OSJ-304
- Done, unless we determine otherwise.
- OSJ-207
- Would like to finally knock this one out, should be easy. Already added Base64URL encoding/decoding support a while back.
- Re Phil's Duo and PKIX work: Maybe we need a different PKIX trust evaluator impl based on e.g. Bouncy Castle, which makes advanced things like dynamic CRL and OCSP easier and more reliable?
Daniel
Henri
- dev/JOIDC-5 merged to main
- Hands-on with the plugin model
Ian
- xmlsectool 3: will cut a beta in the next week or so
- this will require a release of Java parent and java-support
- will also be doing a scan of xmlsectool's dependencies, incl: Bouncy Castle & Santuario
John
Marvin
Phil
- JDUO-18
I went a bit off plan looking into CRL and OCSP revocation checking - at the expense of some other plugin things, my mistake.
- Most of the info is either in the ticket or in the email thread - thanks Brent for helping with that.
- Thanks to Brent's IdP changes, revocation checking can be enabled without requiring a static CRL
- Although you **must** enable one or both of CRL download from DPs, or OCSP, or an approved static CRL - otherwise, it will always fail.
- Needs good documentation to highlight the configuration and issues to the deployer
- Might benefit from some CertPathPKIXValidationOptions checking when injecting the trust evaluator e.g. throw an exception if revocation checking is enabled, but a static CRL (although no way to validate that on startup) or CRLDP or OCSP properties were not set.
- JDUO-20: removed the auth0 dep, now signs Nimbus JWTs using a - sigh - invalid key.
Rod
- Nothing
Scott
- Updating documentation with 4.1 changes
- Testing
  - JOIDC-15
  - GEN-268
Tom
- Probably should schedule AWS cost review regularly / monthly / quarterly
- Worked on tests, Javas, AMIs
- Looking forward to working on consent
Other