[Openid-specs-ab] Spec Call Notes 6-Jun-19

Mike Jones Michael.Jones at microsoft.com
Thu Jun 6 17:33:05 UTC 2019


Spec Call Notes 6-Jun-19

Mike Jones
Nat Sakimura
Bjorn Hjelm
Brian Campbell
Rich Levinson

Login with Apple
              Apple announced Login with Apple this week at their developers conference
              Nov Matake has created a Ruby gem for it, and so knows the ins and outs of the protocol
              Apparently it is Connect-like but not exactly Connect
              Nat and Mike have asked Nov if he could summarize how it's the same and different
              Mike found this after the call https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple
              Dick Hardt pointed out on Twitter the new App Store requirements to use Login with Apple
              https://twitter.com/DickHardt/status/1135769039043563520

Authentication Failed Error Code Draft
              Mike sent in a review

OpenID Connect for Identity Proofing
              Mike sent in a review
                           The most important comment was to make it about verified data - not just verified person data
                           Verified person data can still be covered by the draft
              Nat: It's always good to have a general thing - then you can profile it to meet your specific requirements
              Tony wrote that we should align with ISO 2903
              We should also look at the EU minimal viable KYC document
                           PRIORITY GROUP 2 PROPOSAL FOR AN ATTRIBUTE-BASED & LoA-RATED KYC FRAMEWORK FOR THE FINANCIAL SECTOR IN THE DIGITAL AGE

EIC
              The OpenID workshop was very well attended

Transient Subject Identifier Type
              Davide Vaghetti wrote a document on this
                           See https://gist.github.com/daserzw/813023b4e1c04d09beb732ef00d7c9e9
                           People should review his proposal
              There's a mailing list discussion on whether RPs need to be dynamically told that the subject is transient
              Some banks are using the transaction ID as the subject, which is problematic
                           Apparently the banks are reluctant to provide user identity
                           It's especially problematic when people have multiple accounts
                           Brian stated that the Open Banking use case was intended to be pure authorization - not identity
                           This has been discussed in the FAPI working group
              We should explicitly describe the "sub" lifetime expectations in Connect Core
                           Nat filed the issue #1096 - Core - Section 8. Need more subject_type
                           Nat gave the example that passports use time-bound identifiers
                           Nat said that age verification is a possible use case for ephemeral identifiers
              Nat said that identifier unlinkability is described in ISO 27551
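              Added illustration (not part of the call notes): the difference between a persistent pairwise "sub" and a per-transaction "sub" as discussed above. The pairwise calculation follows the example in OpenID Connect Core section 8.1 (hash over sector identifier, local account id and a provider-held salt); the salt, sector and account values are constructed for the example.

```python
import hashlib
import secrets

# Provider-held salt; constructed for this example. A real OP keeps it
# secret and never changes it, or every pairwise sub changes with it.
OP_PAIRWISE_SALT = b"constructed-salt-not-for-production"


def pairwise_sub(sector_identifier, local_account_id, salt=OP_PAIRWISE_SALT):
    """Pairwise subject identifier per the OpenID Connect Core 8.1 example:
    SHA-256 over the RP's sector identifier, the OP's local account id and
    the salt. The same account gets the same sub at the same RP on every
    login, but an unlinkable, different sub at RPs in another sector."""
    h = hashlib.sha256()
    h.update(sector_identifier.encode("utf-8"))
    h.update(local_account_id.encode("utf-8"))
    h.update(salt)
    return h.hexdigest()


def transaction_sub():
    """A fresh value per transaction: what putting the transaction ID in
    sub amounts to, and what a transient subject type would make explicit
    to the RP instead of leaving it to guess."""
    return secrets.token_urlsafe(32)


def rp_view(sub_values):
    """How many distinct accounts an RP infers from the subs it received."""
    return len(set(sub_values))


if __name__ == "__main__":
    logins = [pairwise_sub("rp.example", "acct-42") for _ in range(3)]
    print("pairwise: one account seen as", rp_view(logins), "account(s)")
    logins = [transaction_sub() for _ in range(3)]
    print("transaction id as sub: one account seen as", rp_view(logins), "account(s)")
```

Running it shows the persistence expectation the notes ask Core to spell out: three logins with a pairwise sub are one account to the RP, three logins with a transaction ID as sub look like three different users.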

EAP
              We're in the public review period for the two EAP specs
                            https://openid.net/2019/04/22/public-review-period-for-two-proposed-eap-implementers-drafts/
                           People are encouraged to review them
              Voting was started
                           However it was blocked by a Ruby application error
                           Mike will have Nov Matake investigate
                                         It turns out to have been caused by a Rails version upgrade, which Nov fixed
                           The voting period will need to be rescheduled

Open Issues
              https://bitbucket.org/openid/connect/issues?status=new&status=open
              #1093 - Extensibility: how do we support extensibility for trust frameworks, evidences, verification methods and id documents?
                           Mike will comment on registries, OpenID, and IANA
              #1094 - How to treat unknown identifiers in claims parameter
                           In general, we ignore not-understood values
                            If a value is required and not understood, an appropriate error can be returned
              #1095 - Registration - 3 - rotate/renew secret
                           RFC 7592 can be used to do this
              #1096 - Core - Section 8. Need more subject_type
                           Mike commented about the existing subject types being persistent
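              Added illustration (not part of the call notes) of the #1094 handling described above: an OP evaluating the "claims" request parameter (OpenID Connect Core section 5.5 format) ignores unknown voluntary claims and surfaces unknown claims the RP marked essential so the caller can decide to return an error. The supported-claims set and the sample request are constructed for the example.

```python
import json

# Claims this hypothetical OP can release; a constructed subset of the
# standard claims in OpenID Connect Core section 5.1.
SUPPORTED_CLAIMS = {"sub", "name", "given_name", "family_name", "email",
                    "email_verified", "birthdate"}

# Constructed RP request: two unknown claims, one voluntary, one essential.
SAMPLE_CLAIMS_PARAM = json.dumps({
    "userinfo": {
        "given_name": {"essential": True},
        "email": None,
        "x_loyalty_tier": None,
    },
    "id_token": {
        "x_verified_person": {"essential": True},
    },
})


def evaluate_claims_request(claims_param, supported=SUPPORTED_CLAIMS):
    """Split a 'claims' parameter into what the OP will act on, per endpoint:
      accepted          - supported claims with their request details
      ignored_unknown   - unknown voluntary claims, dropped silently
      unknown_essential - unknown claims the RP marked essential
    Structural errors (non-object members) are rejected with ValueError."""
    request = json.loads(claims_param)
    result = {}
    for endpoint in ("userinfo", "id_token"):
        members = request.get(endpoint)
        if members is None:
            continue
        if not isinstance(members, dict):
            raise ValueError(f"{endpoint} member must be a JSON object")
        accepted, ignored, essential_unknown = {}, [], []
        for claim, details in members.items():
            # Core 5.5: details is null (voluntary) or an object that may
            # carry "essential", "value" or "values".
            details = details or {}
            if not isinstance(details, dict):
                raise ValueError(f"claim {claim!r}: details must be object or null")
            essential = details.get("essential") is True
            if claim in supported:
                accepted[claim] = details
            elif essential:
                essential_unknown.append(claim)
            else:
                ignored.append(claim)
        result[endpoint] = {"accepted": accepted,
                            "ignored_unknown": ignored,
                            "unknown_essential": essential_unknown}
    return result


def is_error(evaluation):
    """Policy hook following the call discussion: only a required claim the
    OP does not understand warrants an error response."""
    return any(ep["unknown_essential"] for ep in evaluation.values())


if __name__ == "__main__":
    ev = evaluate_claims_request(SAMPLE_CLAIMS_PARAM)
    print(json.dumps(ev, indent=2))
    print("error response warranted:", is_error(ev))
```

With the sample request, "x_loyalty_tier" is dropped without complaint, while the essential "x_verified_person" in the id_token member is reported and is_error returns True.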

Next Call
              The next call is Tuesday, June 11 at 4pm Pacific Time