[Openid-specs-ab] Spec Call Notes 17-Jun-21

Mike Jones Michael.Jones at microsoft.com
Fri Jun 18 22:41:01 UTC 2021

Spec Call Notes 17-Jun-21

Mike Jones
Tom Jones
Nat Sakimura
Tim Cappalli
Kristina Yasuda
Anthony Nadalin
Joseph Heenan
Tom Jones
Mark Haine
Adam Lemmon
John Bradley

                             Joseph is doing a talk on best practices for OAuth 2.0 and OpenID Connect mobile applications
                             Kristina is doing a SIOP panel with Nat and Kim and Tobias
                             Vittorio is doing a presentation on Browser Interactions
                                           https://identiverse.com/idv2021/session/SES17LPY80SAWHL8K/ - "Identity and Web Browsers: Next-Generation API"
                             George is doing a presentation on Dynamic Client Registration at scale
                             Nat is doing the presentation Seven Principles of Digital Being
              Applied Cryptography and Network Security Conference
                             Nat will be doing a talk on cryptographic security

DHS Response
              The response deadline was extended into July
              We will set a deadline for comments by the end of June
              We are answering only the questions in the RFI that are pertinent to OpenID
                             Kristina will make sure that the question being answered is clearly identified

                             The Wallet Security WG charter has been approved
                             Use of SIOP is in scope
                             Apparently the German government is interested in secure wallet specifications
                             Nat said that if key management or bearer tokens are involved, the wallet needs to be secure
                             Tom said that Kantara is also doing work on secure wallets
                             Tom said that wallets may sign proof of presence of human beings
                             John said that wallets signing things for themselves is essentially meaningless
                                           You need a higher-level statement of trust from the operating system, etc.
                             Kristina said that key management and signing by the wallet is in scope
                                           Backup and recovery is in scope
                             Nat said that remote attestation can be used to identify a true wallet
                                           John said that there can be attestations that you're talking to the right wallet binary
                                           John said that there might also be attestations for particular keys
                                                           For instance, Android attestations, SafetyNet, App Attest on iOS, etc.

                             There's a proposal for new eIDAS specifications
                             Mark Haine said that eIDAS services have been successful but eIDs were a failure
                             There's a proposal to make eID certification-based, like eIDAS services were
                             Stephane Mouy gave a presentation on the new eIDAS proposals

Federation Specification
              The current draft is https://openid.net/specs/openid-connect-federation-1_0-16.html
              Torsten submitted a review
              We're hoping for a few more internal reviews before starting the Implementer's Draft review

Certification Update
              Joseph said there isn't much to report on the Connect side
                             The extra tests for additional assertion audiences aren't in place yet
              Brazil has provided directed funding to develop tests for the Brazil FAPI 1.0 profile
                             There are also FAPI-CIBA tests for Brazil
                             The FAPI-CIBA RP tests are entirely new work
                             We're expecting ~40 certifications next month
                             They're going into production with the 40 banks next month

Open Pull Requests
              PR #22 on Verifiable Presentations
                             To be discussed on the next SIOP special call

Open Issues
              #1227: Core 5.5 - Claims parameter requirements
                             Mark and Tony talked about this
                             Mark said that it's unclear whether implementations can support "id_token" but not "userinfo" or vice versa
                             Mike agreed to review the existing text from that perspective
                             This isn't being tested in the Certification tests
                             Mark said that this came up in a UK Open Banking context
                                           They're using the ID Token as a detached signature mechanism
                                           They don't want to put PII in the ID Token
                                           They want the use of the UserInfo Endpoint rather than the ID Token in this case
                             Mike said that RPs always have to be prepared for requested claims not to be provided and for unanticipated claims to be included
                                           Which claims are returned and where they are returned is already at the discretion of the OP
                             Mark said that there's the possibility of adding additional discovery elements specifying additional behaviors
              #968: inconsistent treatment of id_token_hint
                             Mike will investigate whether the existing errata edits have already addressed this issue
              #976: Unregistered openid2_realm and openid2_id
                             Mike will send a note to IANA
              #978: URL for errata
                             Mike will add a comment to the issue about how we're already addressing this

Next Call
              The next regular Connect call will be on Monday, June 21, 2021 at 4pm Pacific Time