[Openid-specs-ab] Spec Call Notes 10-May-21

Mike Jones Michael.Jones at microsoft.com
Tue May 11 00:44:10 UTC 2021


Spec Call Notes 10-May-21

Mike Jones
Pamela Dingle
Nat Sakimura
Tony Nadalin
Tobias Looker
Adam Lemmon
David Waite (DW)
Vittorio Bertocci
Jeremie Miller
Kristina Yasuda
Tim Cappalli
Tom Jones
Edmund Jay
Brian Campbell

OpenID Connect for W3C Verifiable Credential Objects
              http://lists.openid.net/pipermail/openid-specs-ab/attachments/20210505/a198527a/attachment-0001.pdf
              The SIOP special call unanimously recommended adoption as a working group document
              There was a discussion of the call for adoption last week
              https://bitbucket.org/openid/connect/wiki/Connect_Meeting_Notes_2021-05-06_Atlantic
              Nat made a call for adoption
                           See https://bitbucket.org/openid/connect/issues/1229/adoption-of-the-openid-connect-for-w3c
                           There's been discussion on the list but no comments in the issue yet
              There's been a terminology discussion on the terms "claim" and "credential"
                           Use of the term "credential" in the W3C spec conflicts with its use in Connect
              Daniel Buchner filed a related issue requesting use of Presentation Exchange
              https://bitbucket.org/openid/connect/issues/1230/adopt-presentation-exchange-as-an
                           Kristina said that there would need to be an OpenID Connect profile of it to use it interoperably
              Kristina wrote a note explaining the relationships of the draft to other existing specifications
                            http://lists.openid.net/pipermail/openid-specs-ab/2021-May/008259.html
              Nat also discussed the relationship to the Claims Aggregation draft
                           https://openid.net/specs/openid-connect-claims-aggregation-1_0.html
              Tony doesn't like there potentially being multiple ways to do claims aggregation
                           Tobias shares Tony's concern
                           Tony would like to see unification with the Claims Aggregation draft
              Jeremie talked about presenting proofs that you have a set of claims
                           He sees that as being different than Claims Aggregation
              Tobias said that sometimes you need to request and obtain binding information for Verifiable Presentations
              Kristina said that SIOP doesn't have endpoints to enable negotiation, so an extension would be needed
              Mike spoke in favor of adoption
                           He said that there's consensus for defining mechanisms for requesting and receiving Verifiable Presentations
                           This draft is the result of a few months of discussion on doing this
                           He said that this seems like a reasonable starting point
                           He also expressed a preference for doing the work in the working group, with IPR protections
              Nat said that this would be harmonized with the Claims Aggregation work
              Nat said that we'd need to wait until next Thursday to formally adopt the draft
              Tony asked whether we couldn't just not do this and use Presentation Exchange instead
                           Tom said that Presentation Exchange does define some protocol behaviors
                           Mike said that we should also be aligning with use of the existing "claims" request parameter
                                         Such as how it's used by OpenID Connect for Identity Assurance
              Kristina said that W3C Verifiable Credential Objects could add support for Presentation Exchange as an option
              Kristina explained that the scope of this draft is greater than SIOP, since it could be used with third party OPs

Browser Interactions Call Report
              Tim reported that some progress is slowly happening
              Heather Flanagan's workshop should be scheduled soon but it isn't finalized yet
                           The target dates are May 25th and 26th
              There was a discussion on possibly tagging cookies as being session cookies
              There's a SAML logout use case being written
              Vittorio reported that there have been discussions on lessons learned from the Mozilla Persona experience
                           He said that he doesn't see how browsers can expect the server-heavy flows to stop happening
                           He said that a possible principle is that the browser can't be in the middle of all identity interactions

OpenID Connect Federation
              Roland Hedberg has made the changes requested and the implementers have signed off on them
              Mike will review and publish a new draft
              This will probably be the basis of the next Implementer's Draft vote

The new OIDF Executive Director Gail Hodges started on May 1st
              https://openid.net/2021/04/28/welcoming-gail-hodges-as-our-new-executive-director/

OAuth Interim Call on HTTP Signing
              Nat reported that Justin Richer gave a status report on the HTTP signing work
              There was an agreement that new OAuth HTTP signing work would need a new call for adoption
                           This would be a profile of the signing work in the HTTP working group
                                         https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-message-signatures
              https://datatracker.ietf.org/meeting/interim-2021-oauth-10/materials/slides-interim-2021-oauth-10-sessa-http-message-signing-00
              Tobias reported that the signed HTTP elements would be canonicalized before signing
              DW reported that they are planning to reuse JOSE algorithms
                           They provide a key ID but not an algorithm

Open Issues
              https://bitbucket.org/openid/connect/issues?status=new&status=open
              We ran out of time to get to this

Next Calls
              The next regular Connect call is scheduled for Monday, May 17th at 4pm Pacific Time