[Openid-specs-ab] Spec Call Notes 14-Jan-21
Mike Jones
Michael.Jones at microsoft.com
Thu Jan 14 16:41:03 UTC 2021
Spec Call Notes 14-Jan-21
Mike Jones
Nat Sakimura
George Fletcher
Filip Skokan
Oliver Terbu
Kristina Yasuda
Bjorn Hjelm
Tim Cappalli
John Bradley
Tom Jones
DIF Liaison Call
Mostly operational discussions
Discussed how to promote relationship and encourage participation
Website updates are planned
Browser Interactions Special Topic Call
Tim reported that the special call was well attended, including some people that aren't normally on Connect calls
They agreed on a structure for future calls
Includes both discussion time and presentations on related work
George and Vittorio are working on a framework for describing use cases
George reported that the academic community has significant concerns
Internet2 and CANARIE were both on the call
Tim thinks that they should meet weekly
Tim created a Wiki page for the call
https://bitbucket.org/openid/connect/wiki/Browser%20Interactions%20Special%20Topics%20Call
George left some more comments on the IsLoggedIn issues
SIOP Special Topic Call
Next Tuesday, January 19 10pm UTC
On the first call, we'll discuss goals and purposes for the call and the work
We'll discuss scope of what we want to achieve
We'll inventory related specifications and documents
Logout Specs
Discussing parameters for RP-initiated logout
https://openid.net/specs/openid-connect-rpinitiated-1_0.html
https://bitbucket.org/openid/connect/issues/1182
Filip suggested text for client_id and logout_hint
https://bitbucket.org/openid/connect/commits/730244980de1d31328c50d48c32288be872d1aea
George is OK with logout_hint, provided that its value can be the session ID
Vittorio suggested in a comment using existing parameters
Mike agreed to publish a new draft incorporating Filip's suggestion
Both of them are optional parameters
Open Issues
https://bitbucket.org/openid/connect/issues
#1198 How does RP initiate SIOP request?
Kristina said that there are ongoing discussions on this, including discovery and registration
Mike said that discovery and registration are essential for interoperability
George suggested using .well-known/openid-configuration
The just-adopted SIOP V2 spec has a way of doing this
George said that for FIDO, they do JavaScript to determine whether FIDO is even feasible
We want similar functionality for Self-Issued OpenID Providers
George will add a comment to this effect
#1201 Agree on the Self-issued OpenID Connect Provider Requirements Document
We achieved this - Kristina will close
#1197 Formulate response to WebID / IsLoggedIn proposals
Assigned to Tim
#1202 Suggested OP iframe javascript suggests a wrong split
Mike will address
#1200 Impact of Implicit Grant Removal in OAuth 2.1
OpenID Connect uses OAuth 2.0 - not 2.1
OAuth 2.1 is also supposed to not introduce any breaking changes to OAuth 2.0
Filip points out that OpenID Connect doesn't use sender-constrained tokens, per the Security BCP
Nat said that FAPI does define sender-constrained tokens
#1199 Which wallet gets invoked in SIOP
Mike: When we last discussed this, we decided that the RP would use the URL to determine what to invoke
Mike: I expect that most users will have zero or one wallet
Otherwise there's significant complexity
Tim: Unfortunately, I think that some use cases will require use of specific wallets
George: If the user can communicate their DID to the RP, then there could be a wallet per DID
Tom: The platform should decide to avoid privacy violations
Tim: Does the wallet have to have a pre-existing relationship with the platform prior to being invoked?
Mike: To the extent that wallets have different capabilities, the RP may need to know how to select one with those capabilities
Tim: There may be the ability to use something like Presentation Exchange for wallets
Tom: There will be wallets that don't use DIDs - for instance for Driver's Licenses
Assigned to Kristina
Final FAPI 1.0 Specification
Edmund is working on creating the final FAPI 1.0 specification drafts
The Implementer's draft votes for MODRNA and FastFed also passed
Next Call
The next call is on Monday, January 18th, 2021 at 3pm Pacific Time