Attendees:
Stephen Schwichtenberg, Ivan, Christos, John P, Heather, Johan, Scott
Regrets:
Roland
Notes:
0 - Agenda bash
1 - Security Vulnerability - review
looking for feedback on how we handled the announcements.
Ivan made a private incident-response team to review the patches, but not sure that many people tested. eduTeams did some testing after about a week and found a few issues coming from the new patches. The new code had test cases, but they can't account for everything. We need better community testing.
We made the CVEs public on Jan 20, created a new release for pySAML2, and sent out an announcement. Also updated Satosa, including a new docker image. We also have a new web page: https://idpy.org/security/.
Feedback
• We announced the new release would be available before we actually had the release. That put some time strain on things that rushed the testing and development. We underestimated the complexity, so suggest we needed to have the testing done first, before we make an announcement. There were also requests for early access; how do we answer questions like that? Who gets early access, and who doesn't? Giving a heads-up to the ops people is good, but better to have the patches ready first.
• The clients who had been keeping themselves up to date had the least issues in handling the update. The ones that are still on old versions had quite a few more challenges (custom microservices no longer worked, configs had to change, etc). Standard devops best practice makes responding to this kind of issue much easier.
• In terms of curating a list of early testers, the people who show up and contribute to the community are the ones that should get premium access.
2 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Tuesday, 26 January 2021, 14:00 UTC
BlueJeans: https://bluejeans.com/444837426?src=join_info
Regrets:
Roland
Agenda:
0 - Agenda bash
1 - Security Vulnerability - review
2 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
b. Satosa - https://github.com/IdentityPython/SATOSA
c. pySAML2 - https://github.com/IdentityPython/pysaml2
d. pyFF - https://github.com/IdentityPython/pyFF
3 - Normalizing idpy projects (see email from Ivan, "Subject: [idpy-discuss] Normalizing across all projects", 10 November 2020)
a. Extending the invitation to djangosaml2 - status?
4 - AOB
Thanks! Heather
Dear users of IdentityPython,
this is a heads-up about two vulnerabilities affecting pySAML2.
Software that uses pySAML2 is indirectly affected, too (i.e., SATOSA).
The issues were reported to the IdentityPython incident-response
mailing list and we have been working on a mitigation. A new version
of pySAML2 that includes the fixes will be released on Wednesday
20th of January between 13:00 CET and 17:00 CET. We urge
everyone to be prepared to update their setup to the latest version.
Kind regards,
Ivan Kanakarakis on behalf of the incident-response team
Attendees
John, Scott, Giuseppe, Ivan, Hannah, Ori, Johan, Chris
0 - Agenda bash
1 - Administrivia
Suggestion made that announcements of security issues should include some indication of severity and whether there is indication these have been found 'in the wild'. Also some additional guidance on what to expect with regards to remediation (what are deployers expected to do, what level of effort can people expect to encounter) would be helpful. The team will put together an FAQ on how security vulnerabilities are handled and include a log of known vulnerabilities (once those vulnerabilities and their remediations are public).
2 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
No update
b. Satosa - https://github.com/IdentityPython/SATOSA
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Nothing major through the holiday, only some minor fixes for the tests. Ivan wants to reorganize the code a bit to clearly separate the operations that work on the XML document representation from those that work on an object representation of the XML data.
d. pyFF - https://github.com/IdentityPython/pyFF
No update
3 - Normalizing idpy projects (see email from Ivan, "Subject: [idpy-discuss] Normalizing across all projects", 10 November 2020)
a. Extending the invitation to djangosaml2 - status?
Will add to the agenda for our next call
4 - AOB
Thanks! Heather
Tuesday, 12 January 2021, 14:00 UTC
BlueJeans: https://bluejeans.com/444837426?src=join_info
Agenda:
0 - Agenda bash
1 - Administrivia
2 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
b. Satosa - https://github.com/IdentityPython/SATOSA
c. pySAML2 - https://github.com/IdentityPython/pysaml2
d. pyFF - https://github.com/IdentityPython/pyFF
3 - Normalizing idpy projects (see email from Ivan, "Subject: [idpy-discuss] Normalizing across all projects", 10 November 2020)
a. Extending the invitation to djangosaml2 - status?
4 - AOB
Thanks! Heather
Hello all,
Thank you for filling out the doodle poll to determine when we should have our calls! We’ll be using the same time slot (14:00 UTC for now, subject to change during those pesky Daylight Saving Time changes).
If the Google Gods are being cooperative today, you should be able to add this calendar invitation via the following link:
https://calendar.google.com/event?action=TEMPLATE&tmeid=NXJmNXZ0dG9kbWNkcTd…
Our first call for 2021 will be next week on Tuesday, 12 January 2021.
Thanks! Heather
Hola a todos!
As discussed on the last call, we're going ahead and canceling the call for 22 December. THAT SAID! Please fill out the doodle poll so I can get the 2021 series of calls on the calendar. Right now, only four people have responded. If you have an opinion about when the calls should happen, please fill out the poll:
https://doodle.com/poll/vtdidxvpstvzb8vc?utm_source=poll&utm_medium=link
Thanks! Heather
Hi!
I had a question from Torsten Lodderstedt, who some of you know, on whether our OIDC/OAuth2 implementation
supported all the features that the FAPI 2 baseline stipulates.
Turns out we do support most of them (PKCE, PAR and the new iss authorisation response parameter).
What we don't have support for is RAR (https://tools.ietf.org/html/draft-ietf-oauth-rar-03).
The new session/grant subsystem has hooks for it but we’re lacking the part that actually can use it.
I don’t think that GEANT has any use for RAR but I may be wrong. If so I’d like someone to tell me.
The larger question is of course: should we care what FAPI/FAPI 2 demands?
Or ultimately, our customers: what do they want?
Anyone know who our customers are?
Anyone with an idea as to who we would like to be our customers? Except for the HigherEd and Research?
— Roland
Can anything be sadder than work left unfinished? Yes, work never begun. -Christina Rossetti, poet (5 Dec 1830-1894)
Hello idpy developers!
On the last call, the group suggested sending out a poll to see if our current call time slot works for 2021, or if there might be a better one for the participants. I've put together a poll to see if we can answer that question. When you fill out the poll, please consider whether you can make that time slot every other week, and not just that one day.
https://doodle.com/poll/vtdidxvpstvzb8vc?utm_source=poll&utm_medium=link
If you could fill that out before you head off for any vacations you might be taking this year, I would greatly appreciate it!
Thanks! Heather