[Openid-specs-ab] Spec Call Notes 14-Jun-21

David Waite david at alkaline-solutions.com
Tue Jun 15 11:08:03 UTC 2021

OpenID AB/Connect WG Meeting Notes (2021-06-07)
Date & Time: 2021-06-14 23:06 UTC
Location: https://global.gotomeeting.com/join/181372694 <https://global.gotomeeting.com/join/181372694>
1. oll Call
2. Adoption of Agenda (Nat)
3. External Orgs and Events
3.1.   TSA Drivers Licence
4. Drafts
4.1.   Review federation spec
4.2.   Final Public Review of CIBA Core
5. OpenID Foundation Board Change
6. PRs (Nat)
7. Issues (Nat)
8. AOB
The meeting was called to order at 15:06 UTC. 
Roll Call 
* Attending: 
#. Anthony Nadalin (It)
#. Nat Sakimura
#. John Bradley
#. Mike Jones
#. David Waite (Ping Identity)
#. Edmund James
#. Jeremie Miller, 
#. Kristina Yasuda
#. Tom Jones,
#. Vittorio Bertocci, 
#. David Waite (Ping Identity),
* Regrets: Tobias
* Guest: 
Adoption of Agenda (Nat)
Created the agenda on the fly. 
External Orgs and Events

TSA Drivers Licence 
Anthony: Comments from various parties to the RFI from TSA on Mobile Drivers Licenses (mDL). Response by the 18th.
Identiverse is next week, some discussion of mixed in-person attendance due to travel restrictions
OpenID Federation

Mike: One review from Torsten, only one received so far. Would like 2-3 more.
Final Public Review of CIBA Core
Strongly encouraging people to review this external document
FAPI 2.0 public review period
Mike: FAPI 2.0 has a call for review in a blog post. 
https://openid.net/2021/05/25/public-review-period-for-two-proposed-fapi-2-0-implementers-drafts/ <https://openid.net/2021/05/25/public-review-period-for-two-proposed-fapi-2-0-implementers-drafts/>
OpenID Foundation Board Change
Ashish Jain was elected to the OpenID Foundation Board
PRs (Nat)

PR 17: openid-connect-claims-aggregation-1_0.md -- Added Introduction text

Discussion of appropriate terms - holder has some other meaning and has perhaps extra meaning that comes the verifiable credentials spec that we may not want to inherit.
Wallet has some additional meaning such as payment meanings.
PR 20: Design for adopting DIF PE  to OIDC4VP
PR 21: added security considerations for binding verifiable presentations to transaction and audience
Issues (Nat)
We went through the following old unopened issues. 
1086: Core 5.6.2 - chaining Distributed Claims
https://bitbucket.org/openid/connect/issues/1086/core-562-chaining-distributed-claims <https://bitbucket.org/openid/connect/issues/1086/core-562-chaining-distributed-claims>
Discussion on to whether to park in claims aggregation draft, or if distributed claims are out of scope of that work. Decision was made to assign to CA.
1070: scope approval by 2nd app in mobile SSO
To be discussed on Atlantic call
1120: Missing claims due to backend error
Marked resolved based on previous comments
1108: Purpose field for claims requests and revving of policy_url
Generally considered to be a good idea, although there is some push back on having the purpose string be dynamic to the OP consent screen as it would might have reduced usability due to being mixed/unreviewed content, non-localized.
Comment was made that this could be made during dynamic client registration, or set by a trust framework. We should probably apply the same localization options we have for purpose as for claims values.
Mike questions whether the value is meant to be machine readable or user displayed, clarification that it is meant for human display.
989: Core - Should Userinfo include the issuer?
Nat: requiring the issuer may not be worth a normative change
Discussion of whether this has an impact of via token substitution attacks, and that the subject and issuer must match expected values
Would need clarification that it is not an id_token, should not be used for user authentication. Future consideration of adding clarification that UserInfo should not be used for authentication to the security considerations as an errata
1054: Do a survey on the revision of OpenID Core
Nat: question on whether it is time to a survey on revising OIDC
Mike: time is when we know what WebID becomes, when OAuth 2.1 is done, Security BCP is done
Vittorio: push-back on considering OAuth 2.1 to be in the same category as WebID. OAuth 2.1 is mostly administrative whereas WebID could be disruptive
David: There are a lot of things which have happened in the OAuth WG (metadata, client registration, pkce) which we have not provided advice for
Mike: We could consider doing an implementer’s note rather than a spec revision
Mike: prefer to see instability before survey
Vittorio: Bounce tracking prevention might trigger necessary changes to OpenID Core.
The meeting was adjourned at 00:02 UTC

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20210615/84f792f1/attachment-0001.html>

More information about the Openid-specs-ab mailing list