July 9, 2015 OpenID Executive Committee Call Minutes

Present:
Don Thibeau, Executive Director
Mike Jones
John Bradley
Adam Dawes
George Fletcher
Nat Sakimura

Visitors:
John Ehrig, Global Inventures
Tom Smedinghoff, Edwards Wildman Palmer LLP
Mike Leszcz, Open Identity Exchange (OIX)

1. Connect WG and RP Test Suite Update

Decisions on how to proceed on simplifying the logout spec were made. The RP certification test suite testing is under way.

2. Self-Certification Pricing

The need and agreement to nominally charge ($200) for certification to cover costs was re-confirmed. The short-term forecast for the number of certifications is expected to stay in the dozens. Our IT vendor Delineate (aka Refresh Media) will be providing a quote to enable certification invoicing on the OIDF website, and it will be rolled out in the September time frame.

3. Next EC Call

The next EC will be rescheduled for September 3rd to accommodate vacation conflicts.

4. Formation of a Liaison Committee

The EC unanimously agreed to recommend to the board approving the formation of a liaison committee and to assign the responsibility and authority to the liaison committee for communications to the Foundation's liaisons as proposed:

RESOLUTION L. Formation of liaison committee and delegation of power to the committee

WHEREAS the OpenID Foundation board recognises the importance of the liaison communications being made in a timely fashion, now BE IT RESOLVED that
(1) the liaison committee (LC) to be created with its member being the liaison officers and EC members;
(2) the LC to be given a delegation of power as to the creation and authorization of the liaison communications to the liaison organisation;
(3) the LC's decision shall be by the simple majority of the LC members either in a quorate meeting or the majority of the entire LC expressed by the written consent by the LC members;
(4) The LC shall report the liaison communication made in the next board meeting after the communication was made.

5. Certificate for openid.net

The issue is that browsers are trying to deprecate end certificates with SHA1 signatures. Chrome shows our cert as invalid and MS will as well by January 2017 or before. Currently certificates that expire in more than 12 months show up as insecure in Chrome. Our current cert from Verisign is signed with SHA1 and expires in August 2018. Our web site is not actually insecure, but the browser warnings are going to ramp up. The only reason to still have a SHA1 cert is to support XP pre-SP3, and those users will stop working in many places on the net as people update certs. Given that our cert expires in 2018, we are going to need to replace it sooner than that; the question is when. Symantec may be able to provide guidance on how we should update the certificate. Inventures got the cert last year.

6. Certification Guidelines

Adam offered that we should be clear about precedence if trade-offs need to be made. With the exception of point #1, adoption being most crucial, he was not sure we have consensus on the balance but will leave it to later discussion about how to balance these when they conflict. The EC unanimously agreed to recommend to the board approving the certification guidelines as revised and presented.