[Openid-specs-ab] SIOP special topic call notes (2021-06-29)

Kristina Yasuda Kristina.Yasuda at microsoft.com
Thu Jul 1 03:46:52 UTC 2021

Mike Jones
Kristina Yasuda
Edmund Jay
Jeremie Miller
Anthony Nadalin
Nikos Foticou
David Waite
Pamela Dingle
Nader Helmy (Mattr)
Ran Xing

- IPR reminder & introductions/re-introductions

- Agenda adopted

- DIF Presentation Exchange/OIDF WG update

  *   A call on Wed 1PM PT, 10PM Berlin, Thu 8AM NZ
  *   please see the IPR related thread
  *   Showing that not-modifying PE will be a breaking change for OIDC (OIDC4VP) is key
  *   if you file PE-related issues in Bitbucket, ideally please also file them in DIF PE GitHub
  *   There is a proposal to have the ability to use PE v1 as-is and use a version adapted to OIDC4VP needs

- PRs

  *   https://bitbucket.org/openid/connect/pull-requests/23 - please review

- Discussion

     *   Multiple wallet selection - SIOP invocation

        *   Tony introduced the topic that from conversations in ISO mDL WG, it is becoming clear that Google/Apple see the wallet choosing option as an OS feature and there is a fear users will not have a free choice of wallet.

        *   Jeremie commented that SIOP chooser work becomes relevant, but it relies on the trust framework

        *   We discussed that if SIOP belongs to a trust framework, it should rely on the trust framework to host a common or shared website with universal links to the SIOPs that can satisfy RP request

        *   Kristina suggested that having only one option of a custom scheme is not feasible because of unpredictable mobile OS behavior and suggested removing the requirement to use openid:// - no one opposed

        *   The question was asked if each wallet having a separate custom scheme is an option for SIOPs that do not belong to any trust framework.

        *   DW said that it is not secure anymore - a lot of possibility of being phished since any malicious app can use your custom scheme, imitate your UI and trick the user

        *   Torsten has mentioned in the mDL RFI response thread the possibility of using a CIBA-like flow. Tony said he will talk to Torsten about the CIBA proposal

        *   Kristina did a PR to document this discussion: https://bitbucket.org/openid/connect/pull-requests/25


     *   JSON Web Proofs

        *   Jeremie introduced the work on selective disclosure and unlinkable presentations that he and DW have been working on: https://hackmd.io/@quartzjer/JSON_Web_Proof

           *   A container format (not a protocol) that is familiar and comfortable with all of the current stacks with JOSE-based tokens

           *   An extension of the JWS format to support algs that can do selective disclosure and unlinkable presentations

           *   The plan is to incubate this work in the DIF Crypto WG and when ready take it to the IETF to standardize there

        *   Kristina said this work is very important to allow selective disclosure not only with LD-proofs, but also with JWS

        *   Tony asked if this would work for COSE formats, which would be beneficial for selective disclosure in mDL

           *   DW said that COSE already has a concept of arrays which relates to JWP's idea of a sequence that represents a new concept of an array of payloads.

        *   Tony said we would want to support specific algorithms like IDEMIX and U-Proof

           *   Jeremie and Mike agreed

           *   DW used the analogy of an hourglass: container that describes common formats, commonality across algorithms, and commonality based on the data being transferred for common processing on top of each other.

           *   Ideally we would like to extend beyond a crypto container format to provide application-level processing rules, to take advantage of JWT's property of isolating the cryptosystem to the point where you take responsibility for a limited set of things when integrating security in the application layer.

        *   Mike asked what would have to be layered on top of this to have the equivalent of JWTs that allows for selective disclosure of claims

           *   Jeremie explained that it depends on how we want to define what the application logic is going to process and what its processing rules around that are, where the result is not one JSON object.

           *   A simple way to think about it is, instead of a JWT being one JWS, a JWT would be multiple JWSs with claims distributed among them

           *   Mike said that for usability and adoption, preserving the claims model rather than handing back an array is preferred

        *   Tony asked if JWP will cover both online and offline use-cases

           *   Jeremie said it is intended to, for example through derivation, where users can have one credential, and do multiple derivations, and Verifiers would not be able to tell if what they have handled multiple times is actually based on the same credential.

        *   Jeremie introduced the terms they are starting to use in related conversations: single use credential and multi-use credential

           *   need to go back to the issuer to get a new credential, vs being able to keep presenting the same credential once issued.

           *   DW commented that in the single-use case the relationship with the issuer is maintained, while a multi-use credential is closer to the mDL model.

           *   We discussed the need for UI where the user is warned, "if you disclose this information, you are correlatable with other recent usage".

- Issues

  *   Kristina encouraged everyone to review the following SIOP V2 related issues

     *   An issue back from 2018: https://bitbucket.org/openid/connect/issues/1027/write-a-self-issued-idp-si-idp-best
     *   Progress on SIOP properties: https://bitbucket.org/openid/connect/issues/1239/we-should-stop-using-siop-as-an-umbrella
     *   Other open issues: https://bitbucket.org/openid/connect/issues?status=new&status=open&component=SIOP

- Adjourned at 15:57

I tried to capture the good discussion we had around JWP in the notes, and we will make sure we have updates in this special call, but if you are interested in participating in this work, please follow the DIF Crypto WG.
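The following is an added toy illustration, not part of these notes and not code from the JWP draft or the DIF Crypto WG: it makes concrete the "a JWT would be multiple JWSs with claims distributed among them" framing from the JWP discussion, the verifier-side reassembly into a single claims object that Mike asked for, and the correlation caveat DW and Jeremie raised (identical tokens seen by two verifiers link the presentations, which is what unlinkable algorithms are meant to fix). It uses only the Python standard library with compact HS256 JWS, so issuer and verifier share one symmetric key; that, the issuer URL, the claim names and the key are all constructed assumptions for the demo.

```python
"""Toy: one claim per JWS, holder discloses a subset, verifier rebuilds claims.

Constructed example (not from the JWP draft). HS256 is used so the whole thing
runs with the standard library; real selective disclosure would use asymmetric
or proof-based algorithms. Issuer URL, key and claims are invented demo values.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    # Canonical-ish encoding so re-encoding an unchanged payload is stable.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_claim(key: bytes, iss: str, name: str, value) -> str:
    """One compact HS256 JWS carrying a single claim plus the issuer id."""
    header = b64url(_json({"alg": "HS256", "typ": "JWT"}))
    payload = b64url(_json({"iss": iss, name: value}))
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def issue_credential(key: bytes, iss: str, claims: dict) -> dict:
    """Issuer: emit one JWS per claim so the holder can later pick a subset."""
    return {name: sign_claim(key, iss, name, value) for name, value in claims.items()}


def present(credential: dict, disclose: list) -> list:
    """Holder: hand over only the named claims, each JWS untouched."""
    return [credential[name] for name in disclose]


def verify_presentation(key: bytes, iss: str, presentation: list) -> dict:
    """Verifier: check every JWS, then return a single JWT-style claims object."""
    claims = {}
    for token in presentation:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # never let the token pick the alg
            raise ValueError("unexpected alg")
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        payload = json.loads(b64url_decode(payload_b64))
        if payload.get("iss") != iss:
            raise ValueError("wrong issuer")
        for name, value in payload.items():
            if name == "iss":
                continue
            if name in claims and claims[name] != value:
                raise ValueError(f"conflicting values for {name}")
            claims[name] = value
    return claims


def is_valid_presentation(key: bytes, iss: str, presentation: list) -> bool:
    try:
        verify_presentation(key, iss, presentation)
        return True
    except ValueError:
        return False


def forge_value(token: str, name: str, value) -> str:
    """Rewrite a claim value but keep the old signature; verification must fail."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload[name] = value
    return f"{header_b64}.{b64url(_json(payload))}.{sig_b64}"


def linkable_tokens(presentation_a: list, presentation_b: list) -> set:
    """Byte-identical JWSs shown to two verifiers correlate the two presentations."""
    return set(presentation_a) & set(presentation_b)


if __name__ == "__main__":
    KEY = b"constructed-demo-key"          # constructed; shared by issuer and verifier here
    ISS = "https://issuer.example"         # constructed issuer identifier
    cred = issue_credential(KEY, ISS, {"given_name": "Alex", "age_over_21": True, "postal_code": "12345"})
    bar = present(cred, ["age_over_21"])
    shop = present(cred, ["age_over_21", "postal_code"])
    print("bar sees:", verify_presentation(KEY, ISS, bar))
    print("shop sees:", verify_presentation(KEY, ISS, shop))
    print("tokens linking bar and shop:", len(linkable_tokens(bar, shop)))
    print("forged value accepted:", is_valid_presentation(KEY, ISS, [forge_value(bar[0], "age_over_21", False)]))
```

Run it as a script to see the two verifiers receive disjoint claim sets yet share one identical token, which is exactly the correlatability the notes say the UI should warn about; a proof-based JWP algorithm would instead derive a fresh, unlinkable presentation each time.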


