[Openid-specs-ab] Spec Call Notes 26-Apr-21

Mike Jones Michael.Jones at microsoft.com
Tue Apr 27 00:15:40 UTC 2021

Spec Call Notes 26-Apr-21

John Bradley
Mike Jones
Tom Jones
Kristina Yasuda
Tim Cappalli
Adam Lemmon
Dmitri Zagidulin
David Waite (DW)
Vittorio Bertocci
Edmund Jay
Jeremie Miller
Tobias Looker
Nat Sakimura

Learnings from IIW
              We had a poll among three choices at the SIOP session
                           10 for using individual claims for W3C VC objects
                           0 for using aggregated/distributed claims syntax
                           8 for using a different token type for them
              As an aside, Tom reported on DIF work using W3C VC objects
                           Kristina suggested that we also harmonize with the DIF work on the topic
                           We proposed claim names at https://openid.bitbucket.io/connect/jwt-claims-for-vc-objects-1_0.html
                           We could register those soon, once we have working group consensus to do so
              Vittorio thought that DW's session about logout without cookies was useful
                           He said that while DW's 4-year-old contribution was performant, it could be simpler and less performant
                           Mike said that distributed state management is hard
                           DW said that in the face of privacy, all you can have is identifiers and revocation
                           There could be a split between message delivery mechanisms and APIs for doing logout
                           DW said that a simple thing would be to put a squid proxy in front of the OP
                           We would need an API that HTTP caching works with
                                         For instance, a revocation yes/no endpoint
                           DW wouldn't recommend a distributed systems approach now because of the privacy issues with it
                                          He doesn't want revocation to be the point at which he loses privacy
                                         He said that communication between the OP and individual RPs is perfect
                           DW said that there's a distinction between logout and an assertion that the RP needs new tokens
              Vittorio said that there was a good discussion with Sam Goto
                           Notes from the discussion: https://docs.google.com/document/d/1UsrQ6lgImgYfgR_mCtS-MWT9ZBR0ZbkQGZP3oMzTDP4/edit
                           They discussed different logout mechanisms in use, including image tags, iFrames, postMessage, etc.
                            Sam said that he could imagine carving out an exception for image tags, since they have limited capabilities
                                         iFrames are much tougher to control
                           Mike pointed out that you can't do multi-level logout with iFrames
                                          Vittorio said he understands that, as Auth0 operates intermediaries
                           But Vittorio also said that if we can limit the breakage, that's better than breaking everything
                           Vittorio said that the scenarios they're working on currently are about when you don't have third-party cookies
              Use Cases for SIOP Session
                           Vittorio recalled a use case on using VCs for alumni to avoid licensing costs
                           Tony Nadalin had talked about using SIOP to present Mobile Driver's Licenses (mDL)
                                         This avoids "calling home" at presentation time
                           Vittorio said that some use CIBA for this
                           There wasn't overwhelming demand for these use cases
                           Kristina said that Japanese universities are often merging, which could make issuance difficult
                            Tobias said that there are a number of concepts that have been lumped together
                                         Having more precision in our conversations would be helpful
                                         Kristina said that SIOP means something very specific
                                         She said that use of VC objects is another thing
                                         And portable identifiers are another thing
                                         SIOP means an IdP that you control
                                         Vittorio said that he thinks that some people don't understand that
                                         It's not a general bridge between OpenID Connect and decentralized identity
              Nat and Edmund led a discussion on claims aggregation
                           The presentation used was https://docs.google.com/presentation/d/1w-rmwZoLiFWczJ4chXuxhY0OsgHQmlIimS2TNlce4UU/edit?usp=sharing
                           They proposed ways of enabling Claims Providers to be practically used
                           Kristina reported on the use of signed sets of claims
                           They discussed whether it's OK to use access tokens at both the UserInfo Endpoint and other endpoints
                           On the call, we had a discussion on use cases for distributed and aggregated claims
                                         Vittorio pointed out the Azure AD large groups use case
                           Nat said that the primary use case for distributed claims is access across different claims providers
                           Tom talked about the need for using QR codes and size limitations
                                         Nat said that when we were designing OpenID Connect, we were very conscious of size limitations
              Tom said that the need for Covid credentials isn't abstract
                           Vittorio said that at IIW, many people were complaining that their Covid credential proposals were being ignored
                           Tom reported that the EU parliament was meeting about Covid credentials tomorrow
                           Vittorio agreed that the IATA Covid credential proposal is solid
              Tom posted SIOP chooser slides with minutes from IIW

Modified SIOP Special Call Schedule
              We will be alternating Pacific-friendly and Europe-friendly calls every two weeks
              The next Europe-friendly call will be Tuesday, April 27 at 7am Pacific Time
                           Nat said that that timeslot may conflict with the MODRNA call
              We'll discuss the preferred call schedule during the call in 14 hours
                           Mike said that the other possibility is alternating with the existing Pacific-friendly Connect call time
                           This would next be Thursday, May 6th at 7am Pacific Time

Open Issues
              We ran out of time to get to this

Next Calls
              The next regular Connect call is scheduled for Thursday, April 29th, 2021 at 7am Pacific Time