From Michael.Jones at microsoft.com Sat Apr 6 18:03:55 2019
From: Michael.Jones at microsoft.com (Mike Jones)
Date: Sat, 6 Apr 2019 18:03:55 +0000
Subject: [OpenID board] February 13, 2019 Executive Committee Call Minutes
Message-ID:

This note corrects the date in these minutes from 2018 to 2019.

From: Mike Jones
Sent: Wednesday, February 20, 2019 4:50 PM
To: 'board at openid.net'
Subject: February 13, 2018 Executive Committee Call Minutes

February 13, 2019 Executive Committee Call Minutes

Present:
Nat Sakimura
Mike Jones
John Bradley
Don Thibeau, Executive Director
Adam Dawes
George Fletcher

Absent:
(none)

Visitors:
Mike Leszcz, OpenID Foundation Staff
Tom Smedinghoff, Locke Lord LLP

1. OpenID Certification Program Roadmap

There have been steady improvements made to the Certification Roadmap deck. This includes proposed FAPI pricing and proposed updated Connect certification pricing. In the life of the certification program, we've only had one complaint about the certification price with hundreds participating. We have accomplished our adoption goals and defrayed some of our costs. We should be able to move the existing price points up a bit now without causing resistance to help more adequately cover our costs, now that the value of the program is well established. The new member price would be $500 and the non-member price $2500. We plan to announce general availability of FAPI certification on April 1st. (Many banks may wait until the last minute before actually certifying.)

Nat asked whether the new proposed pricing will cover our costs. Don replied that it will be more likely for the updated prices to do so. We can also evaluate how we're doing later in the year, after the new prices have been in effect. We plan for the new prices to be announced soon and put into place on June 1st. The EC unanimously recommends that the new prices be adopted.

2. Libraries Program Roadmap

Our role will be as a librarian and to promote curation of the libraries.
We would not assume liability for usage of them. The foundation would not fund development or promotion of the libraries out of our general funds. We plan to operate the program without cost to use the libraries in order to encourage adoption. We plan to cover our costs through directed funding. The foundation would be the owner of the code. This is the same model as for AppAuth.

John pointed out that these things start out with good intentions but that it's also important to make sure that ongoing maintenance occurs on an ongoing basis. Mike Jones pointed out that these libraries would be projects of specific working groups. Adam wants us to signal that these libraries are high quality to encourage consolidation, where applicable. Don will update the libraries roadmap, per our discussions today, in time for our meeting at RSA. Nat suggested that we look at how the Linux Foundation and Apache manage software projects, as points of comparison.

3. OpenID Connect Federation Initiative

OpenID Connect Federation is an initiative of the foundation this year. We want to have a solid spec mid-year, resulting in early implementations and interop testing. Roland Hedberg proposed to present on the federation work at three conferences for us: EIC, TNC, and Internet2. The EC unanimously approved this. Mike Jones plans to join Roland at these conferences, representing the OpenID Connect working group.

We also unanimously approved Roland's proposal for us to fund some of his time at a discounted rate while he's working in the federation specification. The EC notes that paying for spec development is not our normal practice, as this typically occurs on a volunteer basis. However, we decided to make an exception in this case, as a transition step.

4. JWTConnect Libraries

We intend to fund contractors working on the JWTConnect libraries using directed funding. George asked about how we maintain thought leadership and expertise in the areas of the libraries.
Adam believes that experts from the working group should be able to participate and contribute their expertise. George stressed that we focus on succession, to make sure that there is continuity as developers come and go from the projects. Nat requested that we do a study of how other foundations successfully manage software projects. Don will take lead with help from Adam. Don plans to have preliminary results in time for our in-person meeting at RSA.

5. Account Chooser Working Group

Adam pointed out that there hasn't been much progress on Account Chooser in the last year. Symantec plans to stop hosting the accountchooser.com domain. Google plans to stop hosting the Account Chooser code. A deprecation would be announced. During the deprecation period, Google would take over hosting from Symantec. Mike Jones asked whether we have any data on how many people are using it. Adam said that we don't, by design - for privacy reasons. Adam plans to propose this plan to the Account Chooser working group.

From Michael.Jones at microsoft.com Mon Apr 29 23:21:10 2019
From: Michael.Jones at microsoft.com (Mike Jones)
Date: Mon, 29 Apr 2019 23:21:10 +0000
Subject: [OpenID board] April 4, 2019 Executive Committee Call Minutes
Message-ID:

April 4, 2019 Executive Committee Call Minutes

Present:
Nat Sakimura
Mike Jones
John Bradley
George Fletcher
Don Thibeau, Executive Director

Absent:
Adam Dawes

Visitors:
Takehisa Shibata, KDDI
Tom Smedinghoff, Locke Lord LLP

1. Membership Update

Akamai (which acquired Janrain) has joined the board and will be represented by John Summers.
Ping Identity's new board representative is Wesley Dunnington.

2. Open Banking Implementation Entity

OBIE decided not to follow through on their handshake agreement to pre-pay for 15 certifications. We are disappointed that the proposed agreement fell through. Don has asked them to confirm that they will deprecate their test suite in September. He also asked them to confirm that the CMA 9 banks will certify at least once a year. They plan to send their members to our certification suite going forward.

3. Certification Update

Financial-grade API (FAPI) Read/Write OP certification launched on April 1st. We already have FAPI certifications from ForgeRock and Authlete. There is keen interest by other vendors. We don't know when we'll receive the first certifications from banks. There are no FAPI RP certification instructions yet, but they are expected later this month. FAPI RP certification will launch in pilot mode. Joseph Heenan is working on FAPI CIBA certification code.

There are also several developments for OpenID Connect certification. The Form Post Response Mode profiles have reached production status. The Third Party Initiated Login profiles are in pilot mode. And the new Logout tests are live at new-op.certification.openid.net and are being tested by early testers. As expected, having these tests is raising some questions about the intended semantics of some features of the logout specs. This is valuable feedback before these specifications become final.

4. FAPI Standardization Update

The FAPI working group is now having three calls every two weeks to accelerate progress, including working on CIBA and diligently tracking issues. The MODRNA CIBA Implementer's Draft is generic. There are profiles for mobile operators and Financial-grade APIs being defined. The FAPI CIBA profile tightens a number of things - possibly enabling formal verification.

5. Libraries Program Update

Don reports that Adam Dawes isn't sure when his proposed directed funding for libraries will come through. George talked about possible library options. We could allow people to update their libraries to the OpenID GitHub. We currently have people contribute their code to working groups, which provides a clean IPR container. Even beyond that, the Foundation could designate some libraries as being high-quality and well-resourced, when appropriate.

We don't have policies in place for how many maintainers contributed libraries need to have or policies for how to add and remove maintainers. For instance, a former AppAuth maintainer can no longer maintain one of the projects and it's not clear how to choose successors. Mike repeated that our current procedures are for people to contribute code to working groups and it's up to the working group whether to work on it. Mike stated that he's against us hosting random code. George agreed.

Nat reminded us that there's a standing deliverable for Don to create a report on how other organizations manage libraries. He plans to deliver that report before our board meeting in Mountain View. Mike stated that it's a working group decision right now who to add and remove as maintainers and whether to start or stop working on a library. For instance, George could propose a new AppAuth maintainer that he has in mind to the Connect working group.

6. Liaison Update

The Financial Data Exchange (FDX) and the OpenID Foundation have announced that they are collaborating. See https://openid.net/2019/04/02/financial-data-exchange-openid-foundation-take-step-towards-global-standard-for-financial-data-sharing/. FDX is supportive of the FAPI standard and test suite. Expect a similar announcement with the Financial Data and Technology Association (FDATA) in the next few weeks. Project Verify is a joint venture by 4 major telcos in the US. We are working on a liaison relationship with them.
Michael Engan is a lead architect of Project Verify. He and Bjorn Hjelm are advocates for them using OpenID Foundation standards. Don is in communication with entities in Canada, Australia, and New Zealand as well.

7. Recruitment Effort

Don is preparing a recruitment campaign targeted at those who have certified. It will communicate actionable certification and foundation information for their benefit, including letting them know about FAPI certification and that Connect certification prices will go up in June.

8. Upcoming Events

There's an OpenID Workshop the day before IIW and a board meeting during IIW. There's an OpenID Workshop and board meeting at EIC. The entire certification team will be at EIC, so this is a unique opportunity for board members and other active members to meet with our certification engineers. There's an OpenID Workshop and board meeting at Identiverse.

9. Decentralized Identity News

Nat reports that Microsoft released Open Source using the OpenID Connect Self-Issued protocol for DID authorization.

10. French, Polish, and Czech Open Banking and FAPI

John met with STET (the French open banking entity) last week and described FAPI and CIBA to them and compared them to their existing approaches. He'll be continuing the conversation. The FAPI working group is analyzing the Polish and Czech open banking APIs, which are also different than FAPI.