[Openid-specs-ab] SIOP Special Call Notes 22-Jul-21

Mike Jones Michael.Jones at microsoft.com
Thu Jul 22 15:11:23 UTC 2021

SIOP Special Call Notes 22-Jul-21

Kristina Yasuda
Mike Jones
Brian Clinkenbeard
Stephane Durand
Jo Vercammen
Tony Nadalin
Justin Richer
Adam Lemmon
Adrian Gropper
Jo Vercammen
Bjorn Hjelm
David Chadwick
Andre Barnard
Pamela Dingle

              OpenID Workshop at EIC in Munich, Monday, September 13, 2021

Open SIOP Issues
              #1264: Include input_descriptor `id` in OIDC4VP response and request
                           David Chadwick spoke to the efficiencies gained by having the "id"
                           He thinks it should be optional
                           But several implementations don't use it
                           Mike said that searching small data structures is not a big deal
                           This is related to https://github.com/decentralized-identity/presentation-exchange/issues/231
                           David talked about schemas and types for VPs
                           Brian said that processors can add identifiers to sections when processing
                                         There could be identifiers for users involved
              #1256: Reconcile the mapping/processing between input descriptors and submitted inputs
                           We discussed the liaison relationship between the OIDF and DIF
                           Kristina described how PE is being profiled to work well with Connect
              #1267: successful client registration response
                           Mike didn't remember the purpose for this text
                           We will discuss it on a regular Connect call
              #1207: Custom URL scheme clarification needed
                           We will close this after confirming with Oliver
              #1210: SIOP V2: openid:// should not be required but an optional URI scheme
                           We will close this

              #35: Issue 1262 did-based sub and sub_jwk
                           We agreed to merge this PR
              #36: Issue #1265, nonce mandatory
                           This is ready to merge
              #37: Cross Device SIOP
                           Kristina asked if people had ideas to make a cross-device flow more secure
                           Mike asked whether this should be in a different spec, given its phishable nature
                           Bjorn said that MODRNA has multi-device flows using CIBA
                                         The question is how to bind the consumer device and the authenticator device
                                         In the MODRNA case, the mobile phone will be the authenticator device
                                         Bjorn said that nothing has been put into the spec to achieve the binding
                           Mike said that CIBA is OK for payment because the payment terminal is inside the security boundary
                                         The same does not apply to random QR codes
                                         Stephane and Brian said that payment terminals are not always secured
                                         Brian talked about how one shouldn't use phones in proximity to gas pumps
                                         There are also problems where phones are prohibited and/or when there is no service
                                         Brian said that fallbacks need to be in place when the phone can't be used
                                         Brian said that security depends upon participants vetting your identity
                                         The end terminal can't necessarily be trusted
                           Kristina will open an issue about security considerations for cross-device flows