[Openid-specs-ab] WG Meeting notes - 9-9-2021

George Fletcher gffletch at aol.com
Thu Sep 9 14:59:00 UTC 2021

OpenID Connect Working Group - 9/9/2021

Mike Jones
Torsten Lodderstedt
David Chadwick
Tim Cappalli
Bjorn Hjelm
Tom Jones
Kristina Yasuda
Edmund Jay
George Fletcher

Drafts that need to be published
* Torsten - will publish a new draft of Verifiable Presentations
* Mike published updates for prompt=create and self-issued
* Edmund to update the claims aggregation draft

Update on Federation Draft
* Editors went through comments that had been received. Roland made updates
   to address the comments. Also replied to the commentors.
* Mike to publish a new Federation draft for the OIDF workshop at EIC on 

Update on Prompt=create Draft
* George gave an update the changes
* Discussion about how the errors are returned. Just an OAuth error 
* -- error is HTTP 400 (Bad Request) error=invalid_request

OIDC Status updates
* RP-Initiated Logout - Mike to update in the next couple days
* Initiating User Registration via OpenID Connect - George has updated 
the draft
* Core Error Code - spec is stable, recommending as final version (WG to 
* Native SSO for Mobile App - George to review any issues, Tim C to review,
   then move to Implementors Draft
* Profile for SCIM - (inactive for years) don't know if it's been used or
* Claims Aggregation - Nat to work with Edmund to publish an updated draft
* Self Issued Identifiers - Tom, no update
* Self Issued OpenID Provider - just published v3 to specs page
* Verifiable Presentations - Torsten to publish an updated draft

Logout specs
* Mike to address issues for other logout Drafts
* Mike recommends taking these logout drafts to final

Moderna working Group
* Took CIBA spec to final, used by FAPI Profile
* Mike - How does this apply to SIOP multi-party flow?

* Multiple-device use case
* -- user on their laptop and wants to pick up verifiable credentials 
from the user's mobile phone
* Torsten to show a demo of the "cross-device flow" in the OIDF workshop 
at EIC

Pull Requests - https://bitbucket.org/openid/connect/pull-requests/
* #46 - Kristina to review and merge
* #44 - Ongoing discussion with DIF. There is an alternate proposal. 
Torsten working on a consolidated draft
* #33 - Torsten has an implementation, Daniel Fett has done a security 
review. Some discussions around the protocol implementation 
(response_mode). Torsten believes it's ready for merging.
* -- Tim C, showing security indicators to users hasn't worked for 
browsers. Wondering how well it will work in this context.
* -- Security considerations will be added to the spec
* -- Torsten: CIBA has similar issues in regards to notifying users
* -- Agreement to merge into current spec
* -- Mike: there is a typo in the PR that needs to be fixed before merging
* -- Torsten to fix in the process of merging the PR -- completed (9/9/2021)
* #40 - Mike to review as it's part of the Federation spec
* #45 - Needs more reviewers. Torsten published the current draft 
without merging this PR

Issues - https://bitbucket.org/openid/connect/issues
* #1269 - Ongoing discussions. Daniel Fett working on security aspects. 
Kristina has summarized the options. Kristina opened a new issue (#1335) 
for the parts of the discussion that extended outside the context of 
security considerations.
* - Discussion around whether cross-device SIOP is suitable for 
* -- needs a threat analysis
* -- would like to understand John Bradley's statement about it not 
being usable for authentication
* -- Tim - believes the key here is that this is not an un-phishable 
* -- Update security considerations to include description of how 
phishing can occur with cross-device SIOP
* -- Daniel Fett to publish a PR with updated security considerations. 
Assigning issue to Daniel
* #1335 -- assigned as open to Kristina
* #1334 -- Placeholder issue to address how ID Tokens and VPs work together
* -- Kristina to pick up this issue

More information about the Openid-specs-ab mailing list