[OpenID board] October 29, 2014 OpenID Board Meeting Minutes

Mike Jones Michael.Jones at microsoft.com
Wed Nov 12 20:51:43 UTC 2014

October 29, 2014 OpenID Board Meeting Minutes

Present in Person:
Don Thibeau, Executive Director
Nat Sakimura
John Bradley
George Fletcher
Pamela Dingle
Adam Dawes
Mike Jones
Tony Nadalin
Raj Mata
Lovesh Chhabra (representing Yahoo)
Debbie Bucci

Present on the Phone:
Torsten Lodderstedt
Peter Graham

Paul Agbabian

John Ehrig, Global Inventures
Tom Smedinghoff, Edwards Wildman Palmer (on the phone)
Mike Leszcz, OIX

1.      Local Chapters Policy Proposal
The proposed local chapters policy has been in circulation for over a year.  It was changed recently to restrict the ability to direct funds to local chapters to sustaining members and to restrict the amount that can be directed to 50% of the dues. Tony asked why we aren't providing more incentive for local chapters to join.  He proposed a 75/25 split.  John, as treasurer spoke up for 50/50.  A compromise at 60/40 was suggested.  The proposal was unanimous approved, with up to 60% of funds being eligible for directed funding back to the local chapter.

2.      Liaison Report
We submitted a liaison statement to ISO SC27 WG5 and the statement was accepted.  We expect to receive ISO documents to review as a result.  We can let our members know that this gives them an opportunity to review ISO documents at no cost, if they're interested in doing so.  We have a category C liaison.

[Debbie Bucci joined the meeting at this point]

The ITU-T has accepted our liaison request for categories A4 and A5.  We received a liaison statement from Martin Euchner of the ITU.

Mike reported that Joni Brennan and he had a Kantara liaison meeting a few months ago.  They discussed the possibility of collaborations around certification but didn't determine a fruitful collaboration opportunity at that time.

3.      Account Chooser Working Group Status
The working group is working towards getting to Implementer's Drafts of the specification.  Pamela Dingle is actively merging several spec versions.  A few updates have been done to the production deployment.

Symantec is taking over issuing the certifications for the Account Chooser sites.  Tony requested that the certificates be extended validation (EV) certificates.  Mike also requested that only EV certs be considered, due to the verification of the identity of the party requesting the certificate that is done.

Adam reported that were discussions with browser vendors and W3C security group about standardizing criteria for bootstrapping (populating) accounts in the account chooser.  Adam will inquire about establishing a liaison relationship with the W3C.

The board discussed what incentives enterprises have to bootstrap their accounts into Account Chooser.  The working group will take up writing down and publicizing those incentives.

4.      OpenID Connect Working Group Status
Votes are under way for approval of the OpenID Connect Errata and the OpenID 2.0 Migration specification.  The working group is actively working on creating self-certification conformance criteria and working with Roland Hedberg and Umeå University on creating testing tools for those criteria.

5.      Native Applications Working Group Status
Several in-person working group meetings have been held recently and there has been a lot of input on the specifications.  They have determined that there are significant security and inter-process communication mechanism differences in the different platforms and different criteria for registering applications.  The working group is trying to take these differences into account.  They are still a ways off from having Implementer's Drafts.

6.      Mobile OpenID Connect Profile Working Group Status
The working group is holding regular phone meetings.  An initial submission was made by Deutsche Telekom.  There are currently three work areas:  Discovery, Client Registration, and Authentication, with specifications for each.  There is also a developer experience document that Tim Bray created.  They are discussing several key topics, including MSISDN confidentiality, whether to have a single virtual IdP (this idea was rejected), and issues raised by telephone number portability.

7.      HEART Working Group Status
The Health Relationship Trust (HEART) working group was approved.  The proposed co-chairs are Eve Maler and Debbie Bucci.  They are currently reaching out to potential members with plans for a launch in January.

8.      Board Representatives
Debbie Bucci has joined the board representing the US Department of Health and Human Services, Office of the National Coordinator for Health Information Technology (ONC).  Symantec is transitioning its board representation from Paul Agbabian to Roger Casals.

9.      Financial and Membership Update
Our finances are in good shape.  We continue receiving new membership inquiries.  We have money budgeted for the legal preparations for self-certification.  Some additional funding may be needed to cover some of these expenses, and some members have volunteered to provide directed funding for this.

10.   OpenID Connect Self-Certification Program
We are actively working on the technical and legal basis for self-certification of OpenID Connect implementations.  Google, Microsoft, Ping Identity, and Salesforce have volunteered to be the initial parties doing certifications and Symantec has volunteered to host the certification testing platform.  We are working with Roland Hedberg and Umeå University on developing and operating testing tools to use for testing the conformance criteria.  Our stretch goal is to announce completed certifications and opening of the self-certification program to additional parties at the RSA conference in April next year.

We reviewed the workflow outlining the responsibilities of all parties.  We have intentionally deferred discussions of costs and pricing of certification during this initial phase.  For the initial phase, we'll expect companies obtaining certifications to be members of both the OIDF and OIX.  We need to develop our pricing and participation model to announce at RSA.  We discussed limiting our legal risks by means of appropriate contract provisions.  One key to limiting our liability is to make the certification materials public.  We discussed the need to maintain the integrity of the submitted self-certification documents.  We discussed producing a trust mark for the certification program.  Tony asked whether the certification mark would be transferrable.  We assumed we would not allow direct transfer but that people can make true statements such as "we are using software that was certified".  The board agreed that we will collect and publicly publish evidence that the party requesting certification passed the conformance tests.  However we will not make any legal statements that we are validating the submitted evidence.

Pam asked how to best facilitate certifications by open source relying parties, where there may not be an organizational owner of the software.

The board requests that the OpenID Connect Working Group and the Executive Committee produce concrete proposals for all of these topics.

11.   Next Meeting
The next scheduled face-to-face board meeting is at the RSA conference.  Tony requested that we schedule additional meetings before that, in light of the need for decisions on the certification business issues before RSA.  Don agreed to propose additional meeting dates.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-board/attachments/20141112/f84744aa/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: October 29, 2014 OpenID Board Meeting Minutes.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 25329 bytes
Desc: October 29, 2014 OpenID Board Meeting Minutes.docx
URL: <http://lists.openid.net/pipermail/openid-board/attachments/20141112/f84744aa/attachment-0001.docx>

More information about the board mailing list