[Openid-specs-ab] SIOP special topic call agenda (2021-04-27)

David Chadwick d.w.chadwick at verifiablecredentials.info
Thu Jun 10 15:09:16 UTC 2021

An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20210610/43538cb9/attachment.html>
-------------- next part --------------
Mins of OIDC SIOP 10 June 21
Present: Kristina Yasuda (Chair)
Mike Jones 
Adam Lemmon
Anthony Nadalin
David Chadwick (mins)
Justin Richer
Oliver Terbu
Tim Cappalli
Torsten Lodderstedt
David Waite
Axel Nennker

The group is asked for feedback from US DHS for OIDC being one of the mDL protocols.

Item. PR#20 to accept Presentation Exchange into OIDC for Verifiable Presentations draft. Torsten introduced this PR.
The strategy is to take the bits of PE as we want and not the bits that we don't want and incorporate these into the OIDC protocol. 
Mike said that we should merge this PR now  and then make refinements such as changing schema to type in the next revision.
Torsten proposes give people a week to review the PR and if no objections then merge it.
David proposed that we should also have the ability to point to an external repository to pick up the policy. This will be an agenda item for next week.

Item. PR#21. Security Considerations.
Currently there is no mechanism to prevent replay attacks. The proposal is to insert the OP ID and nonce in the VP. Existing OIDC response claims (??name them??) were introduced to address this because there was no other way of doing it. VPs already have ability to do it.
Proposal is to give people a week to read this PR and merge if there are no objections.

Item. Stop using SIOP as an umbrella term.
Different people imply different things by the term SIOP. This is because although SIOP is defined in the core spec, there are some aspects that are not explicitly specified and therefore people have assumed different things. (Since VCs/VPs did not exist when SIOP was first defined this is natural.) The proposal is for DW to create a PR to refine the definition of SIOP in the v2 draft in order to both fill in the missing or implied semantics, and indicate in the protocol where SIOPv2 protocol behaviour is now different to the original behaviour. E.g. Maybe we need metadata to tell the RP how the SIOP will behave, for situations were there are different classes of SIOP that support different features. Maybe the v2 trust model will need to be defined as well.

Meeting closed at 16.03

More information about the Openid-specs-ab mailing list