[Openid-specs-ab] Spec Call Notes 14-Jun-21

David Waite david at alkaline-solutions.com
Tue Jun 15 11:08:03 UTC 2021


OpenID AB/Connect WG Meeting Notes (2021-06-07)
===========
Date & Time: 2021-06-14 23:06 UTC
Location: https://global.gotomeeting.com/join/181372694
 
Agenda
===========
1. Roll Call
2. Adoption of Agenda (Nat)
3. External Orgs and Events
3.1.   TSA Drivers Licence
4. Drafts
4.1.   Review federation spec
4.2.   Final Public Review of CIBA Core
5. OpenID Foundation Board Change
6. PRs (Nat)
7. Issues (Nat)
8. AOB
 
The meeting was called to order at 15:06 UTC. 
 
Roll Call 
===========
* Attending: 
#. Anthony Nadalin (It)
#. Nat Sakimura
#. John Bradley
#. Mike Jones
#. David Waite (Ping Identity)
#. Edmund James
#. Jeremie Miller
#. Kristina Yasuda
#. Tom Jones
#. Vittorio Bertocci
 
* Regrets: Tobias
* Guest: 
 
Adoption of Agenda (Nat)
===========================
Created the agenda on the fly. 
 
External Orgs and Events
===========================

TSA Drivers Licence 
--------------------
Anthony: Comments from various parties to the RFI from TSA on Mobile Drivers Licenses (mDL). Response by the 18th.
 
Identiverse
-------------------- 
Identiverse is next week, some discussion of mixed in-person attendance due to travel restrictions
 
Drafts
=================
 
OpenID Federation
https://openid.net/specs/openid-connect-federation-1_0.html
----------------------

Mike: One review from Torsten, only one received so far. Would like 2-3 more.
 
Final Public Review of CIBA Core
https://openid.net/2021/06/07/public-review-period-for-proposed-final-openid-connect-client-initiated-backchannel-authentication-ciba-core-specification/
--------------------
Strongly encouraging people to review this external document
 
FAPI 2.0 public review period
https://openid.net/2021/05/25/public-review-period-for-two-proposed-fapi-2-0-implementers-drafts/
--------------------
Mike: FAPI 2.0 has a call for review in a blog post. 
https://openid.net/2021/05/25/public-review-period-for-two-proposed-fapi-2-0-implementers-drafts/
 
OpenID Foundation Board Change
https://openid.net/2021/06/08/2021-openid-foundation-new-corporate-member-representative-election-results/
--------------------
Ashish Jain was elected to the OpenID Foundation Board
 
PRs (Nat)
=================

PR 17: openid-connect-claims-aggregation-1_0.md -- Added Introduction text
https://bitbucket.org/openid/connect/pull-requests/17
--------------------

Discussion of appropriate terms - holder has some other meaning and has perhaps extra meaning that comes from the verifiable credentials spec that we may not want to inherit.
Wallet has some additional meaning such as payment meanings.
 
PR 20: Design for adopting DIF PE to OIDC4VP
https://bitbucket.org/openid/connect/pull-requests/20
--------------------
merged
 
PR 21: added security considerations for binding verifiable presentations to transaction and audience
https://bitbucket.org/openid/connect/pull-requests/21
--------------------
merged
 
Issues (Nat)
=================
We went through the following old unopened issues. 
 
1086: Core 5.6.2 - chaining Distributed Claims
https://bitbucket.org/openid/connect/issues/1086/core-562-chaining-distributed-claims
--------------------
Discussion on whether to park in claims aggregation draft, or if distributed claims are out of scope of that work. Decision was made to assign to CA.
 
1070: scope approval by 2nd app in mobile SSO
https://bitbucket.org/openid/connect/issues/1070
--------------------
To be discussed on Atlantic call
 
1120: Missing claims due to backend error
https://bitbucket.org/openid/connect/issues/1120
--------------------
Marked resolved based on previous comments
 
1108: Purpose field for claims requests and revving of policy_url
https://bitbucket.org/openid/connect/issues/1108
--------------------
Generally considered to be a good idea, although there is some push back on having the purpose string be dynamic to the OP consent screen as it might have reduced usability due to being mixed/unreviewed content, non-localized.
 
Comment was made that this could be made during dynamic client registration, or set by a trust framework. We should probably apply the same localization options we have for purpose as for claims values.
 
Mike questions whether the value is meant to be machine readable or user displayed, clarification that it is meant for human display.
 
989: Core - Should Userinfo include the issuer?
https://bitbucket.org/openid/connect/issues/989
--------------------
Nat: requiring the issuer may not be worth a normative change
 
Discussion of whether this has an impact via token substitution attacks, and that the subject and issuer must match expected values
 
Would need clarification that it is not an id_token, should not be used for user authentication. Future consideration of adding clarification that UserInfo should not be used for authentication to the security considerations as an errata
 
1054: Do a survey on the revision of OpenID Core
https://bitbucket.org/openid/connect/issues/1054
--------------------
Nat: question on whether it is time to do a survey on revising OIDC
Mike: time is when we know what WebID becomes, when OAuth 2.1 is done, Security BCP is done
Vittorio: push-back on considering OAuth 2.1 to be in the same category as WebID. OAuth 2.1 is mostly administrative whereas WebID could be disruptive
David: There are a lot of things which have happened in the OAuth WG (metadata, client registration, pkce) which we have not provided advice for
Mike: We could consider doing an implementer’s note rather than a spec revision
Mike: prefer to see instability before survey
Vittorio: Bounce tracking prevention might trigger necessary changes to OpenID Core.
 
AOB
==========
none. 
 
The meeting was adjourned at 00:02 UTC
