[Openid-specs-ab] Spec Call Notes 14-Dec-20

Mike Jones Michael.Jones at microsoft.com
Tue Dec 15 00:23:16 UTC 2020


Spec Call Notes 14-Dec-20

Mike Jones
Nat Sakimura
John Bradley
Tony Nadalin
Kristina Yasuda
Brian Campbell
Adam Lemmon
Tim Cappalli
Kim Cameron
Edmund Jay
Tom Jones
Tobias Looker

Scope of Initial SIOP V2 Work
              Discussion brought about in part by contributed SIOP V2 Draft
              https://bitbucket.org/openid/connect/src/master/openid-connect-self-issued-v2-1_0.md
              Also related to the SIOP Requirements draft
              https://bitbucket.org/openid/connect/src/master/SIOP/siop-requirements.md

Agreement on areas that are in scope:
              Ability to have optional level of indirection to get self-issued keys
                           Optionally addressing keys by reference rather than by value
                           Ability to rotate keys for the same subject
              RP Registration
                           Mike: The RP is going to have to be able to say things to the OP about what it supports
                                         Such as cryptographic algorithms and possibly identifier types
                           Tobias agreed
                           Tobias suggested that we use request-bound client registry - to allow for a level of indirection
              OP Discovery
                           Mike: The OP is going to have to be able to say things to the RP about what it supports
                           The one-size-fits-all approach in SIOP V1 didn't hold up well over time
                           Tom pointed out that WebID has a metadata endpoint
                                         He said that we could still get changes into that if we act quickly
                           Tobias: Some SIOP providers that are PWAs could still use .well-known based discovery

May be an implementation requirement for some but not others:
              One of the ways to optionally address keys by reference is a DID

Scopes of work that may apply more broadly than SIOP:
              Account recovery - when an ID becomes invalid
                           John notes that a similar thing is being proposed in FIDO2
                           John called it a subject proof mechanism
                           John said that's easier if you still have access to the old subject
                                         The new subject needs to be signed by the old subject
                           Mike said that this is related to the OpenID 2.0 to OpenID Connect Migrating Spec
                                         That was separable work from the core protocol
                                         One could imagine multiple such mechanisms trusted by RPs
                           John and Mike said that this is related to the MODRNA account porting work
                           John said that rotating keys is separate than rotating identifiers
                           This is bigger than just SIOP as it also applies to third-party issued identities

              Portable Identifiers
                           Could apply to both third party OPs and self-issued OPs
                           John agrees that 3rd party versus self-issued is an artificial distinction
                           Tony has an issue with understanding what portable identifiers means
                                         Tobias suggested that we talk about cryptographically verified identifiers
                                         Kim suggested that we call them domain-free identifiers
                           Like account migration, this is bigger than just self-issued
                           John likes visualizing free-range identifiers (like chickens)
                           Kim said that they're not scoped to walled gardens
                                         Mike said that he misses his i-names
                           Kim said that they would have to be cryptographically provable
                           John said that the key distinction is whether the individual or the IdP controls the key material

Related Discussions
              Definitions
                           Tobias asserted that he's increasingly viewing SIOP as an umbrella term for additional extensions
                           Kristina said that she views SIOP as OPs that are not ASs

              Downstream Authentication
                           Tony stated that he has an issue with downstream authentication
                                         He thought that it wasn't necessarily in scope for Connect
                           John asked Tony to clarify
                           Tony said that there's a difference between proving that you own an identity and using it to authenticate
                                         Mike said that proof of ownership is a precondition for authentication but doesn't imply it

              Claims Binding
                           Nat said that we should discuss binding claims to presenters
                                         John agreed with that
                           Nat said that in the Claims Aggregation draft, the issuer of the claims can include the subject identifier
                                         Tom said that that doesn't work for his use cases
                                         Nat said that this is one way to do it
                                         Tobias agreed that there are multiple solution options, as did Tony
                           Tobias said that claims binding includes both the process of establishing the binding and how they are presented and authenticated
                                         Tony said that he would stay away from authenticating

RP-Initiated Login Features
              We ran out of time to discuss this

Events
              We ran out of time to discuss this

External Organizations
              We ran out of time to discuss this

Next Call
              The next call is on Thursday, December 17th at 7am Pacific Time
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20201215/b7d6828e/attachment-0001.html>


More information about the Openid-specs-ab mailing list