[Openid-specs-ab] Spec Call Notes 29-Jul-21

Mike Jones Michael.Jones at microsoft.com
Thu Jul 29 16:26:30 UTC 2021


Spec Call Notes 29-Jul-21

Mike Jones
John Bradley
Brian Campbell
David Waite (DW)
Tim Cappalli
David Chadwick
Pamela Dingle
Tom Jones
Bjorn Hjelm

Events
              OpenID Workshop at EIC in Munich, Monday, September 13, 2021
                       https://www.kuppingercole.com/events/eic2021
              W3C Federated Identity Community Group
                           https://www.w3.org/community/fed-id/
                           Tim reported that the first meeting is on August 2nd at Noon Eastern time
                           We have terminated the series of special Browser Interaction calls, as the discussion has moved to the CG

Related Working Groups
              Bjorn reported on MODRNA
                           They've gone through open issues in the Authentication Profile
                           They're addressing incoming CIBA Core comments
                           CIBA Core is in review for Final status
                           Brazil Open Banking is using FAPI CIBA as part of their deployment
              Brian reported on FAPI
                           The 1.0 profiles are final
                           There's debate about the scope of the 2.0 work
                           It might be restricted to being a security profile
                           Or it could become a larger suite of specifications, including for consent and rich authorization
                           Intent lodging is part of what's being considered
                           There's a FAQ on the relationship between FAPI 1.0 and FAPI 2.0
                                         https://openid.net/wg/fapi/faq/
                           Pushed Authorization Requests (PAR) and PKCE are being used by FAPI 2.0

External Organizations
              DHS Mobile Driver's License Response
                           We've sent the OpenID Foundation's response
              DIF work on using Presentation Exchange in OpenID Connect for Verifiable Presentations
                           Pam reported on negotiations for PE subsetting for use by OpenID
                           DW has been active on GitHub
                           The editors of both specs plan to report back on August 4th
                                         https://us02web.zoom.us/j/86386603919?pwd=bUdYbGpDb01DR0d0elEwMmticUs2QT09
              SCIM BoF
                           There's a SCIM BoF at IETF today at 1:30 Pacific Time
                                         https://datatracker.ietf.org/group/sins/about/
                           The goal is rechartering the SCIM WG to help increase adoption and clean things up
              Kantara Privacy and Identity Report for the mobile driver's license was published
                            https://kantarainitiative.org/download/pimdl-v1-final/
                           Tom reported that states and provinces are using different flows with different properties
                                         For instance, in Colorado, a QR code can be released enabling queries to the Department of Licensing
                                          Revocation of the privilege and revocation of the certificate are different
                            Other kinds of digital IDs are also being issued
                                         Fishing licenses, hairdresser licenses, etc.

Open Pull Requests
              https://bitbucket.org/openid/connect/pull-requests/
              We didn't get to Pull Requests

Open Issues
              https://bitbucket.org/openid/connect/issues?status=new&status=open
              #1273: Mitigating security risk by using WebAuthn in cross-device SIOP
                           John spoke to the proposal
                           The QR code approach is easily phishable
                           An ephemeral WebAuthn credential could be part of the solution
                           The FIDO credential could be in the SIOP ID Token JWT to tie the two transactions together
                           CIBA has similar problems
                           The OAuth Device Flow doesn't have these problems because the device (your TV, etc.) is trusted
                           Tim proposed meeting to produce a sequence diagram for this solution

Next Call
              Monday, August 2 at 4pm Pacific Time