[Openid-specs-ab] Spec Call Notes 29-Jul-21
Kristina Yasuda
Kristina.Yasuda at microsoft.com
Tue Aug 3 05:17:59 UTC 2021
Hi All,
Regarding "DHS Mobile Driver's License Response: We've sent the OpenID Foundation's response", the OpenID Foundation's response has been accepted and published at https://www.regulations.gov/comment/DHS-2020-0028-0025.
Thank you very much to everyone who provided feedback and reviewed!
Kindest Regards,
Kristina
________________________________
From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> on behalf of Mike Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net>
Sent: Thursday, July 29, 2021 9:26
To: openid-specs-ab at lists.openid.net <openid-specs-ab at lists.openid.net>
Cc: Mike Jones <Michael.Jones at microsoft.com>
Subject: [Openid-specs-ab] Spec Call Notes 29-Jul-21
Spec Call Notes 29-Jul-21
Mike Jones
John Bradley
Brian Campbell
David Waite (DW)
Tim Cappalli
David Chadwick
Pamela Dingle
Tom Jones
Bjorn Hjelm
Events
OpenID Workshop at EIC in Munich, Monday, September 13, 2021
https://www.kuppingercole.com/events/eic2021
W3C Federated Identity Community Group
https://www.w3.org/community/fed-id/
Tim reported that the first meeting is on August 2nd at Noon Eastern time
We have terminated the series of special Browser Interaction calls, as the discussion has moved to the CG
Related Working Groups
Bjorn reported on MODRNA
They've gone through open issues in the Authentication Profile
They're addressing incoming CIBA Core comments
CIBA Core is in review for Final status
Brazil Open Banking is using FAPI CIBA as part of their deployment
Brian reported on FAPI
The 1.0 profiles are final
There's debate about the scope of the 2.0 work
It might be restricted to being a security profile
Or it could become a larger suite of specifications, including for consent and rich authorization
Intent lodging is part of what's being considered
There's a FAQ on the relationship between FAPI 1.0 and FAPI 2.0
https://openid.net/wg/fapi/faq/
Pushed Authorization Requests (PAR) and PKCE are being used by FAPI 2.0
External Organizations
DHS Mobile Driver's License Response
We've sent the OpenID Foundation's response
DIF work on using Presentation Exchange in OpenID Connect for Verifiable Presentations
Pam reported on negotiations for PE subsetting for use by OpenID
DW has been active on GitHub
The editors of both specs plan to report back on August 4th
https://us02web.zoom.us/j/86386603919?pwd=bUdYbGpDb01DR0d0elEwMmticUs2QT09
SCIM BoF
There's a SCIM BoF at IETF today at 1:30 Pacific Time
https://datatracker.ietf.org/group/sins/about/
The goal is rechartering the SCIM WG to help increase adoption and clean things up
Kantara Privacy and Identity Report for the mobile driver's license was published
https://kantarainitiative.org/download/pimdl-v1-final/
Tom reported that states and provinces are using different flows with different properties
For instance, in Colorado, a QR code can be released enabling queries to the Department of Licensing
Revocation of the privilege versus revocation of the certificate are different
Other kinds of digital IDs are also being issued
Fishing licenses, hairdresser licenses, etc.
Open Pull Requests
https://bitbucket.org/openid/connect/pull-requests/
We didn't get to Pull Requests
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1273: Mitigating security risk by using WebAuthn in cross-device SIOP
John spoke to the proposal
The QR code approach is easily phishable
An ephemeral WebAuthn credential could be part of the solution
The FIDO credential could be in the SIOP ID Token JWT to tie the two transactions together
CIBA has similar problems
The OAuth Device Flow doesn't have these problems because the device (your TV, etc.) is trusted
Tim proposed meeting to produce a sequence diagram for this solution
Next Call
Monday, August 2 at 4pm Pacific Time