[Openid-specs-ab] SIOP special topic call notes (2021-07-13)

Kristina Yasuda Kristina.Yasuda at microsoft.com
Wed Jul 14 19:56:01 UTC 2021


Michael Barrett
Mike Jones
Tim Cappalli
David Waite
John Bradley
Edmund Jay
Kristina Yasuda
- IPR reminder & introductions/re-introductions

- Agenda bashing/adoption

- DIF Presentation Exchange/OIDF WG update
  *   Next call is Aug 4th. Editors of both drafts are working on it. Please file/comment on related issues.

- RSA conference proposal
  *   no concrete ideas


- PRs

  *   reference to OIDC4VP in SIOPV2: https://bitbucket.org/openid/connect/pull-requests/27
     *   Agreed to merge
     *   Resolved https://bitbucket.org/openid/connect/issues/1258/siop-replace-vp-claim-with-reference-to
  *   SIOP Invocation text: https://bitbucket.org/openid/connect/pull-requests/25
     *   Agreed to merge
     *   Resolved https://bitbucket.org/openid/connect/issues/1199/which-self-issued-op-gets-invoked
     *   Resolves https://bitbucket.org/openid/connect/issues/1207/custom-url-scheme-clarification-needed and https://bitbucket.org/openid/connect/issues/1210/siop-v2-openid-should-not-be-required-but (Kristina to confirm with the reporters of these issues)
  *   nonce mandatory in SIOP V2: https://bitbucket.org/openid/connect/pull-requests/36
     *   In OpenID.Core, nonce is already mandatory for the implicit flow but not for SIOP V1 in ch. 7
     *   Mike proposed to make changes in OpenID.Core to clarify that nonce is mandatory in SIOP
     *   https://bitbucket.org/openid/connect/issues/1266/remove-misleading-self-issued-language
     *   Opened issue https://bitbucket.org/openid/connect/issues/1265/nonce-mandatory-for-siop
  *   "Cross-device" SIOP flow: https://bitbucket.org/openid/connect/pull-requests/33
     *   Clarified what is meant by "cross-device" SIOP flow. One use-case is with NHS, where kiosks are used to sign up doctors for shifts. The doctors scan QR codes on the kiosk screen (RP), present their doctor license to practice (SIOP), and once signed into the system on the kiosk, they sign up for shifts.
     *   Jeremie pointed out that cross-device SIOP cannot be used to authenticate an agent on another device to create an agent session, since it is very vulnerable to a phishing attack
     *   John said that the cross-device SIOP flow can be used for attribute presentation, but not for authentication. Same-device SIOP is essentially a federation and has the same risks, while cross-device SIOP introduces new, higher risks, because the two devices are uncoupled and you cannot verify the access channel.
     *   The above terminal use-case might work with the cross-device SIOP flow if it is a secure terminal, but not if the RP is going to be in an "arbitrary place" on the internet
     *   Using a QR code to attach a mobile device to another device (terminal, PC) and establish a secure connection is different from using a QR code to initiate a session that is completely in the backchannel - no idea whether the QR code is being presented directly or through a reverse proxy.
     *   Mike said that if the security considerations are that different between same-device and cross-device SIOP flows, the cross-device flow should be a separate document. We agreed to discuss this in the Connect WG call.
     *   Comments documented in https://bitbucket.org/openid/connect/issues/1257/cross-device-flow-in-siop
  *   sub_jwk mandatory when sub type is DID: https://bitbucket.org/openid/connect/pull-requests/35
     *   Need a few more approvals before merging
  *   signature details for CAdES, JAdES and JWS: https://bitbucket.org/openid/connect/pull-requests/28
     *   need more reviews
  *   Initial merging of claims aggregation and OpenID Credential Provider specs: https://bitbucket.org/openid/connect/pull-requests/34
     *   Call participants are encouraged to take a look, as it is a specification to be used for VC issuance using OIDC
     *   Edmund said he will discuss with Nat how we can enable using Claims Aggregation for VC issuance (IW-IA) and OIDC4VP for VP presentation (CC-IW)

- Issues

  *   SIOP V2
     *   Issues have been addressed in the above PR discussion. Other new issues to be opened at the Atlantic call when the reporters are present.
  *   OIDC4VP
     *   Opened https://bitbucket.org/openid/connect/issues/1253/threat-analysis-for-binding-between-vc-and
        *   Agreed that SIOP V2 draft should have a general text that requires binding, but leave specificities to the used credential type.
     *   Opened https://bitbucket.org/openid/connect/issues/1256/reconcile-the-mapping-processing-between
         *   Kristina posted a DIF-OIDF MOU document; Mike confirmed the MOU document can be shared since OIDF documents are public and are not under NDAs.
         *   It was discussed that the result being returned as an array is sufficient, and having an object returned would make lookup unnecessarily difficult.
     *   Opened https://bitbucket.org/openid/connect/issues/1264/include-input_descriptor-id-in-oidc4vp
        *   Sister-issue filed at https://github.com/decentralized-identity/presentation-exchange/issues/231



Thank you!

Kristina