[OpenID board] March 2, 2016 OpenID Board Meeting Minutes

Mike Jones Michael.Jones at microsoft.com
Fri Apr 29 22:51:02 UTC 2016

March 2, 2016 OpenID Board Meeting Minutes

Don Thibeau, Executive Director
Mike Jones
Nat Sakimura
Brian Berliner
Dale Olds
Adam Dawes
Pamela Dingle
Lydia Varmazis
Tony Nadalin

Present on the Phone:
John Bradley
George Fletcher
Debbie Bucci

Tracy Hulver
Prateek Mishra

Tom Smedinghoff, Locke Lord LLP
Bjorn Hjelm, Verizon
Adam Cooper, UK Cabinet Office
Mike Leszcz, Open Identity Exchange (on the phone)

1.     New Board Members
Dale Olds of VMWare was elected to the board as the new corporate representative.  Prateek Mishra is now on the board representing Oracle.  Bjorn Hjelm is representing Verizon today.  Yahoo is no longer a member.

2.     Election of Officers
The board unanimously selected the existing executive committee members to serve for another year.  They are:  Nat Sakimura – Chairman, Adam Dawes – Vice-Chairman, Michael Jones – Secretary, John Bradley – Treasurer, and George Fletcher – Developer Community Liaison.

[Pam Dingle joined the meeting at this point]

3.     Certification
New certifications keep coming in, including from parties that hadn’t previously worked with us.  We are now charging for certifications.  For instance, the University of Chicago is paying the $200 member fee and NEC is paying the $999 non-member fee.  Dale brought up that he knows an open source developer that doesn’t want to pay the $200.  Nat pointed out that developers can always choose to run the tests for free and make a public statement that their software can pass the certification tests, without choosing to actually certify.

Tom explained that people doing certifications are making a binding legal statement that their deployment passed the tests.  The trust comes from the entity making the legal statement – not from the OpenID Foundation.  Lydia pointed out that what we are selling is trust.  She suggested that when we update the certification statement, that we provide a place for the certifier to optionally provide a URL – for branding purposes.

Mike reminded the board that we have a fiduciary responsibility as board members to ensure that the foundation is solvent and for that reason, we decided from the beginning to operate the certification program on a break-even basis.  The $200 member price point is actually well below our real costs, which are about $500 per deployment at present.

4.     Web Site Improvements
Mike Jones reported on his and Don’s trip to Portland to see Janrain, who has started building OpenID Connect social log-in, and Darin Richardson, who is our on-line membership database tech support contractor. The certification program has changed the conversation with Janrain.  They understand that their costs to integrate with certified OpenID Providers will be substantially less because custom integrations won’t be needed.  Mike has invested considerable time working with Darin in updating and upgrading the membership database and other critical openid.net site functionality and on putting payment mechanisms in place for certifications.  Darin has informed Don and Mike that he wants to wind down his contracting relationship with the foundation after completing the current contract deliverables.  Darin said that he will remain available to us to answer questions, etc.  Don is working on Darin’s replacement and in the meantime Darin has provided Mike with credentials and passwords to the website.

5.     Foundation Legal Document Updates
Tom reported how we had discovered that the contribution agreement didn’t actually cover contributions of software, which are necessary for some working groups, such as Account Chooser and an optional value-add for others, such as OpenID Connect.  He reported that we deployed a new contribution license agreement document that now closes this loophole.

Tom is working on updating our foundation legal and policy documents, including our privacy policy.  We may consider adopting the US/EU privacy shield when it becomes available.

The goal is to produce a complete, integrated set of legal documents that work well together.  This will help prospective and existing members more easily understand them.  These updates will address feedback received from organizations considering membership, such as the feedback provided by Oracle.  The executive committee has a first draft of the revised documents to review.

[Tony Nadalin joined the meeting at this point]

6.     Motion Allowing Electronic Signatures
A motion was discussed that allows electronic signatures to be used whenever our documents ask for signatures.  Lydia asked whether we wanted to go all-electronic.  Tom replied that that wasn’t the current motion but the board was free to make that decision.  Tony wants to know what the costs to the foundation would be of having electronic signatures.  Nat said that using electronic signatures would be problematic for companies in Japan, such as NRI and KDDI. He stated that the notion of what constitutes a digital signature varies widely among the jurisdiction. For instance, he stated that DocuSign probably is not a valid digital signature in Japan. EU companies may have similar problems. Tom agreed.  Also, Adam asked if a company can opt-out from DocuSign as it would make it too easy for somebody to sign the agreement without proper authorization of the employer.

After the meeting, Lydia added “I want to chime in regarding some common misconceptions around digital signatures. DocuSign, EchoSign, etc. are facilitators of digitally signed documents, not digital signatures in of themselves. Digital signatures use an encrypted digital certificate to authenticate the identity of the signer. It requires the creation of the certificate and the actual signature in order to authenticate the signer. Most countries, including Japan accept digital signatures into law. Resistance to adoption of is often based on personal bias which often informs/drives company policy. Please read this PDF document that details Global Acceptance of Digital Signatures<https://acrobat.adobe.com/content/dam/doc-cloud/en/pdfs/adobe-global-guide-to-electronic-signature-law.pdf> in order to make an informed decision.”

Mike described that we already are allowing the use of DocuSign for contributor agreements but that people also have the option to send in signed paper copies.  Mike reported that people are voting with their feet and most are using DocuSign.  Tony said that some companies may not be able to use DocuSign.

Brian Berliner made the motion and Lydia seconded.  The motion carried with one abstention by Tony Nadalin.

7.     Open Source Contributions
Tony requested that we discuss the open source contributions to working groups.  He reminded us that individuals can contribute code to working groups but the Foundation is not in the business of sponsoring or endorsing particular open source projects.

8.     RISC Working Group Update
Adam reported that they have slowed the meeting cadence but are focusing on prototype deployments to learn from.  Several working group members are participating in the prototype.

9.     OpenID Connect Working Group Update
The working group is finishing the errata updates to the final specifications.  The primary update is to reference final IETF specifications, such as JWT [RFC 7519], instead of intermediate drafts.  The working group is working on progressing the logout specifications to Implementer’s Draft status.  Some technical reconciliation of session identifier descriptions is needed before that.

10.  Account Chooser Working Group Update
Progress has been slow in the last quarter.  They are incorporating phone number identifiers into Account Chooser.  They are coordinating with MODRNA.

11.  HEART Working Group Update
Debbie reported that three HEART drafts were approved as Implementer’s Drafts. The new focus is on interoperability documents for some healthcare resources.  Some terminology agreement is needed about consent and authorization.

12.  iGov Working Group Update
Adam Cooper reported that the first working group call was yesterday morning.  The working group is initially working on gathering use cases to motivate features that need to be in the profile.

13.  MODRNA Working Group Update
John reported that there were good meetings with the GSMA during Mobile World Congress.  The working group is planning to publish proposed Implementer’s Drafts shortly after a few updates.  There is interest by MODRNA and the GSMA in using Account Chooser.  They’re asking when Account Chooser will be updated to support these use cases.  Some of the MODRNA profile was adopted into Mobile Connect by the GSMA.  The GSMA announced at Mobile World Congress that there are over a million Mobile Connect identities.

14.  EAP Working Group Update
The Enhanced Authentication Profile (EAP) working group was approved.  A mailing list has been requested and working group pages will be created.  The work will enable integration with IETF Token Binding and FIDO authentication.  As related information, Tony reported that the new W3C Web Authentication working group will be meeting on Friday.  This is related but not overlapping work.

15.  Proposed Financial API Working Group
Nat has been talking to many financial players about developing an API to use OAuth and OpenID Connect in the financial sector.  Conversations have included Intuit, FS-ISAC, OFX, and the Open Data Initiative in the EU.  The goal is to no longer need to give your banking passwords out to financial management systems.  There is also forthcoming EU payment services directorate 2 legislation motivating this work.  The UK treasury department is very interested in this as well.  Don is working on a meeting in London with the Open Banking Working Group the Friday before EIC.  Nat expects to be sending the proposed charter to the specifications council sometime in April after doing more due diligence with potential financial sector participants.

16.  Liaison Updates
Tony’s FIDO liaison relationship has resulted in support for the EAP working group.  We sent comments to ISO/IEC JTC 1/SC 27/WG 5 SP PPBEA.  We sent a liaison statement to ISO/IEC 29151.  We need to create a liaison statement for the upcoming ISO meeting.  Nat will be presenting about OpenID Connect at the next ITU‑T meeting.  We need to send a general liaison statement to ITU-T.

Nat explained that OIDF has a class C liaison relationship, which allows us to send our standards to be turned to ISO/IEC standard with ISO numbers. The class C relationship, which means we have only a relationship to one WG, probably needs to upgraded to Class A after we start the Financial API WG, as we would have to open a liaison to ISO/TC68 as well. Tony pointed out that sending our standard to ISO to make it International Standards with ISO number would help many governments to adopt the standard.

Similarly, we have a A.4 and A.5 liaison organization recognition. with ITU-T. This means that we can send our standard to ITU-T to get X.xxxx Recommendation number. From the editing purposes, Tony said that SAML went through this process.

17.  Marketing Committee Update
Workshops are being planned in Santiago, Amsterdam, London, Mountain View, Munich, and New Orleans.  See the marketing committee call minutes for details.

18.  Identity 2020 Initiative
Our lunch speakers will be John Edge and Giles Watkins, who will be talking to us about Identity 2020 initiative, which is a joint private sector/United Nations initiative.  This is about working on how to give functioning legal identities to child refugees and stateless children.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-board/attachments/20160429/cfb62bb0/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: March 2, 2016 OpenID Board Meeting Minutes.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 28172 bytes
Desc: March 2, 2016 OpenID Board Meeting Minutes.docx
URL: <http://lists.openid.net/pipermail/openid-board/attachments/20160429/cfb62bb0/attachment-0001.docx>

More information about the board mailing list