[Openid-specs-ab] OpenID AB/Connect WG Meeting Notes (2021-06-22)

Nat Sakimura nat at digitalideas.tokyo
Tue Jun 22 00:36:10 UTC 2021


=================================================
OpenID AB/Connect WG Meeting Notes (2021-06-22)
=================================================
* Date & Time: 2021-06-22 23:00 UTC
* Location: https://global.gotomeeting.com/join/181372694
* Self:
https://bitbucket.org/openid/connect/wiki/Connect_Meeting_Notes_2021-06-22_Pacific

AGENDA

1.   Roll Call
2.   Adoption of Agenda (Nat)
3.   External Orgs and Events
3.1.   Identiverse
4.   Drafts
4.1.   Federation Spec (Mike)
4.2.   Final Public Review of CIBA Core
4.3.   FAPI 2.0 Implementer's Draft
4.4.   SSE Drafts
5.   PRs (Nat)
5.1.   PR 22: Issue #1244 Correct the schema property's value within the PE
Definition
6.   Issues (Nat)
6.1.   #1027: Write a Self-issued IdP (SI-IdP) Best Practice document (Nat)
6.2.   #1010: Create a Threat Document about the Misuse of OAuth
6.3.   #1248: Should _claim_sources member format (currently only JWT) be
expanded?
6.4.   #1249: Find less confusing names for actors in Aggregated Claims
model
6.5.   #1246: Binding of claims and presentation and OP
7.   AOB

The meeting was called to order at 15:05 UTC.

Roll Call
===========
* Attending: Nat, David, Tom, Edmund, Kristina, Jeremie Miller, Tobias, Tony
* Regrets:
* Guest:

Adoption of Agenda (Nat)
===========================
* Adopted as is.

External Orgs and Events
===========================
Identiverse
--------------
SIOP Panel happening at:

Wednesday, June 23
7:30am – 8:20am MDT (1:30pm – 2:20pm UTC)

Panellists:
* Kim Cameron, The author of Laws of Identity, Identity Blog
* Kristina Yasuda, Identity Standards Architect, Microsoft Corp.
* Tobias Looker, Technical Standards Architect, Mattr

Moderator:
* Nat Sakimura, OIDF

Drafts
=================
Federation Spec (Mike)
-----------------------
* David hopes to finish reviewing tomorrow.

Final Public Review of CIBA Core
---------------------------------------
* Please review.

FAPI 2.0 Implementer's Draft
--------------------------------
* Please review.

SSE Drafts
-------------------------
* OpenID Shared Signals and Events Framework Specification
* OpenID Continuous Access Evaluation Profile
* See:
https://openid.net/2021/06/07/public-review-period-for-two-proposed-sse-implementers-drafts/

PRs (Nat)
===============
PR 22: Issue #1244 Correct the schema property's value within the PE
Definition
--------------------------------------------------------------------------------
Four people approved it but Jeremie is still reviewing it.
To be discussed in the next SIOP call.

Issues (Nat)
=================
#1027: Write a Self-issued IdP (SI-IdP) Best Practice document (Nat)
---------------------------------------------------------------------------------
* DID WG was talking about it this morning.
* Apple and Google are adding software backup using keychain. It could
change the security posture, which is yet to be evaluated.
* Second key is bound to the context:

#1010: Create a Threat Document about the Misuse of OAuth
----------------------------------------------------------------------
Tom provided an example of a code of conduct that uses self-attested
statements in US Healthcare. It is planned to push forward with a required
audit in the near future. This solution applies only to federations. The
Open Web is another issue altogether.
https://www.carinalliance.com/our-work/trust-framework-and-code-of-conduct/

#1248: Should _claim_sources member format (currently only JWT) be expanded?
----------------------------------------------------------------------------------
The sentiment of the Call on 2021-06-22 is that:

* the formats should be expanded to include things like X.509, CWT, etc.
* the formats must be integrity protected.

Microsoft has a wrapping format for JWT for ZKP for uProve and Idemix etc.,
so Mike may be able to provide reference to it.

#1249: Find less confusing names for actors in Aggregated Claims model
----------------------------------------------------------------------------------
Provisionally agreed to Authoritative Claims Provider (ACP) and
Intermediary Provider (IP) was suggested.
The draft is to be amended accordingly.

#1246: Binding of claims and presentation and OP
----------------------------------------------------------------------------------
Callers agreed that it does not have to be direct binding, but there needs
to be a requirement that there MUST be binding whether direct or indirect.

AOB
==========
none.

The meeting was adjourned at 00:02 UTC