[Openid-specs-ab] SIOP Special Call Notes 18-May-21

Mike Jones Michael.Jones at microsoft.com
Wed May 19 00:34:04 UTC 2021 

SIOP Special Call Notes 18-May-21

Kristina Yasuda
Mike Jones
Tom Jones
David Waite (DW)
Tony Nadalin
Edmund Jay
Tobias Looker
John Bradley
Adam Lemmon
Tim Cappalli
Jeremie Miller
Dmitri Zagidulin

Trust Frameworks and SIOP
              DW said that OpenID Connect Federation Entity Statements have interesting properties for SIOP
              He noted that SIOPs may not have a location for hosting metadata
              OpenID Connect Federation defines client metadata and automatic registration
              David is concerned if SIOP ID Tokens could be confused for 3rd Party ID Tokens
                           This might enable injection of false/confusing metadata
              Tobias asked about just-in-time registration
                           Kristina pointed out the OpenID Connect Federation defines Automatic Registration
                           https://openid.net/specs/openid-connect-federation-1_0-14.html#rfc.section.9.1
              Tom talked about user choice of trust authorities
              DW is concerned with the "registration" request parameter being used in unintended ways
              DW said that rather than the client_id being the redirect_uri, it could be a reference to metadata, like in OpenID Connect Federation
              Mike suggested that people to familiarize themselves with OpenID Connect Federation
                           Particularly, Entity Statements and Automatic Registration
                           He noted that there will be a call for working group review of the whole spec in a day or so
                           This will be in preparation for a new Implementer's Draft vote

OpenID Connect for W3C Verifiable Credential Objects
              This spec was adopted as a working group document yesterday
              The authors propose renaming it to "OpenID Connect for Verifiable Presentations"
                           This reflects that it does not directly represent Verifiable Credentials - only Verifiable Presentations

User Consent Issue
https://bitbucket.org/openid/connect/issues/1215/siop-requires-user-consent
              Tom asked whether SIOP V2 is standalone or whether it depends upon OpenID Connect
                           It depends upon OpenID Connect

Issuer Identifier Issue
https://bitbucket.org/openid/connect/issues/1208/siop-v2-dynamic-iss-claim-ref-required
              Adam spoke to using "iss" to identify the wallet
              Tobias said that the provider deployment technology would be changed
              Tobias said that understanding the provider identity is relevant to the trust model
              Kristina asked about discovery
                           Tobias said that it's not a discovery problem, it's about associating to a provider with a distributed deployment
              Mike asked for engineering clarity on the objects we're defining and using
                           He asserted that if a provider is hosted by a third party, it's not self-issued - at least in a protocol sense
                           We may want to define additional characteristics of new kinds of third-party issuers meeting our needs
              DW talked about possibly having chains of issuers and not using https://self-issued.me and openid://
                           We will need to codify how to achieve the properties that we want
              DW said that we shouldn't use the "iss" value to distinguish between different pieces of software
                           There are both information content issues and correlation issues
              Dmitri said that issuers shouldn't represent software instance IDs
                           In Solid, every user has their own server
                           He considers those self-issued, even though they're Web accessible
              Mike said that we need a clear architectural approach
                           It needs to encompass both third party versus on your device OPs and OPs fully controlled by you in both cases
                           They may have different protocol implications even when conceptually grouped
              DW said that we need to define policy elements
                           In part, to prevent things from being invoked without the capability to behave usefully
              Tobias reflected upon PWAs executed by browsers
                           He agreed with Dmitri's and DW's architectural statements
              Kristina asked whether there were objections to not using self-issued.me
                           Mike said that the "iss" currently either identifies the hosted issuer or that it is not hosted
                           Until we have a clearly understood architecture, we should leave this invariant in place
                           John agreed with Mike
                           Dmitri observed that we're using "iss" for protocol routing purposes
                           John said that it has to do with the relationship of the signing key to the subject
                           Mike said that unless the "iss" is self-issued.me, we know that we can get metadata at "iss"/.well-known/openid-configuration
                           Tobias said that wallets could use Web domains to enable hosted metadata
                           John said that key management could potentially be independent of deployment model
                                         We should tease these apart
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20210519/f5d9b03e/attachment.html>

More information about the Openid-specs-ab mailing list