lists3.sunet.se
1 Jun 2022, 12:29 p.m.

As described in the Statutes of IdentityPython [1], roughly half the seats for the idpy Board are opening for nominations. The following members have completed their one-year terms:

- Ivan Kanakarakis (current chair)
- Mike Jones
- Chris Whalen
- Roland Hedberg (at-large)

They are all eligible to be nominated again for a new board term. The term for these seats is now shifting to a two-year cycle, such that half the board will be up for nomination each year. Participants on the idpy-dev list act as the nominating committee for the idpy board. If you would like to nominate someone (or self-nominate) please contact me directly no later than 24 January 2020.

b. March 23 Hackathon/Workshop in Stockholm

Also, there will be a (small) f2f meeting at TIIME in Vienna. Will talk about how things are now, and where the platforms might go. Suggest having a workshop style meeting on the 23rd. It is a more specific audience given they will be there about eduGAIN. Will build the list of things to work on during the TIIME meeting. Will have to allow for some flexibility on site. In general, topics will definitely include Satosa, pySAML2, pyFF, OIDC libraries.

Next steps: Heather to set up registration, send an announcement, and start a wiki page of topics.

2. OIDC Federation update

a. Second Implementer’s Draft of OpenID Connect Federation Specification Approved
<https://openid.net/2020/01/08/second-implementers-draft-of-openid-connect-federation-specification-approved/>

No one voted against (yay!). There were some discussions at TechEx on things to add to the specification; that will happen now that this version of the draft is approved. There are plans for several interop workshops this year; could possibly run this in parallel to the idpy workshop, or some other time during the Town Hall. There will also be interop testing during TNC20. Still in discussion re: NORDUnet and/or IIW. There are currently 3 implementations ‘in the wild’.

b. Repository status

Waiting to hear from Mike Jones (OIDF) on whether they are okay with moving the repositories out from under OIDF.

3. GitHub review

a. OIDC implementations

(See above)

b. Satosa - https://github.com/IdentityPython/SATOSA

Ivan will be making a new release for Satosa to account for the new pySAML2 release (to include a hint for the dependencies). There will also be an update to the version of the LinkedIn API that we use. It should be compatible with the previous one. Also an update to allow the proxy to be a URL path. See:

- https://github.com/IdentityPython/SATOSA/pull/279
- https://github.com/IdentityPython/SATOSA/pull/280
- https://github.com/IdentityPython/SATOSA/issues/179

Next on the list: work on logging. Need to make some changes there, and this will eventually happen across all libraries. Ivan to coordinate with Hanna Sebuliba and Scott Koranda offline.

c. pySAML2 - https://github.com/IdentityPython/pysaml2

There is a new release for pySAML2 that includes a security fix. See email from Ivan on 13 January 2020, Subject "[Idpy-discuss] PySaml2 v5.0.0 - Security release".

Alexey Sintsov and Yuri Goltsev from HERE Technologies reached out and reported an XML Signature Wrapping (XSW) vulnerability. The issue affects responses with signed assertions. PySaml2 can be tricked to think that an assertion had been signed and use the assertion information, when in reality the Signature points to another part of the xml document that is controlled by another party. The issue was assigned CVE-2020-5390 and is now fixed in the latest pysaml2 release.

The relevant code commit that fixes the issue is: https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25

Changes include an introduction of a new test file that tests handling of unknown elements. The vulnerable use cases are when you have signed assertions but unsigned responses.

Note: we should probably revise the incident handling procedure. It needs to be simplified (it currently has Ivan talking to himself at different stages). We should also discuss how to announce these security events. Should we warn the community that a security vulnerability has been found, and tell them when we’re going to do the announcement? Yes.

Apart from the security fixes, there are a handful of other changes. They are breaking changes (thus the new major number). In the future, security changes and breaking changes should not be included in the same release if possible. In this case, though, the security change is itself something of a breaking change, and it plus the other (small) breaking change were not too major a set of changes.

Reminder that we are not back porting security fixes. If others want to work on that, they can create branches.

d. pyFF - https://github.com/IdentityPython/pyFF

Heather will ask Leif to send out an update.

4. AOB

Our next call is 21 January 2020; note that the second half overlaps the eduGAIN Baseline Maturity call, so people may drop off early.
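
The pySAML2 item above turns on whether the Signature actually covers the assertion whose contents get used. The following is an added example, not part of the original message and not pysaml2's code or its fix: a structural check that each Assertion carries exactly one Signature as a direct child and that its Reference URI points back at that Assertion's own ID. The function names, verdict strings and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # stdlib so this runs offline; use a hardened parser for untrusted XML

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def sample_response(assertion_id, reference_uri):
    """Constructed sample (not a captured message); digest and signature values omitted."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1">
  <saml:Assertion ID="{assertion_id}">
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="{reference_uri}"/>
    </ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

def assertion_signature_binding(xml_text):
    """Map each Assertion ID to a verdict on how its Signature is bound to it.

    Structural check only: it does not verify the signature value itself.
    """
    root = ET.fromstring(xml_text)
    id_counts = {}
    for el in root.iter():
        if el.get("ID"):
            id_counts[el.get("ID")] = id_counts.get(el.get("ID"), 0) + 1
    verdicts = {}
    for assertion in root.iter(f"{{{NS['saml']}}}Assertion"):
        aid = assertion.get("ID") or "(missing ID)"
        sigs = assertion.findall("ds:Signature", NS)  # direct children only
        refs = sigs[0].findall("ds:SignedInfo/ds:Reference", NS) if len(sigs) == 1 else []
        if len(sigs) != 1:
            verdicts[aid] = "no-enveloped-signature"
        elif len(refs) != 1 or refs[0].get("URI") != "#" + aid:
            verdicts[aid] = "reference-mismatch"  # signature covers some other element
        elif id_counts.get(aid, 0) > 1:
            verdicts[aid] = "duplicate-id"  # "#ID" is ambiguous, so the binding is too
        else:
            verdicts[aid] = "bound"
    return verdicts

if __name__ == "__main__":
    for doc in (sample_response("_a1", "#_a1"), sample_response("_a1", "#_other")):
        print(assertion_signature_binding(doc))
```

Only an assertion reported as "bound" should go on to cryptographic verification and attribute extraction; any other verdict is grounds to reject the response.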