[OpenID board] February 15, 2017 OpenID Board Meeting Minutes

Mike Jones Michael.Jones at microsoft.com
Thu Mar 2 15:49:25 UTC 2017

February 15, 2017 OpenID Board Meeting Minutes

Don Thibeau, Executive Director
Mike Jones
Nat Sakimura
Brian Berliner
Adam Dawes
Tony Nadalin
Bjorn Hjelm
Prateek Mishra
Tushar Pradhan
Pamela Dingle

Present on the Phone:
John Bradley
Debbie Bucci
George Fletcher

Dale Olds
Masato Obata

Eric Sachs, Google
Ashish Jain, VMware
Tom Smedinghoff, Locke Lord LLP
Mike Leszcz, OIDF (on the phone)

1.       Election of Officers
A proposal was made to re-elect the officers of the OpenID Foundation.  They are Nat Sakimura as chairman, Adam Dawes as vice-chairman, John Bradley as treasurer, Mike Jones as secretary, and George Fletcher as community liaison.  John acknowledged that being treasurer of OIDF may or may not disqualify him to become treasurer of OIX, pending deliberations of the OIX board.

The OIDF officers were unanimously re-elected.

2.       Corporate Board Representative
The board welcomed Ashish Jain of VMware, who was elected to be the corporate board representative starting on February 17, 2017.

3.       Website Privacy Policy
The EU General Data Protection Regulation (GDPR) will affect the OpenID Foundation.  This motivates updating our Website privacy policy.  The new privacy policy is intended to comply with the GDPR.  Nat had sent some comments on the new privacy policy, which were incorporated.  John moved and Adam seconded that the new privacy policy be approved.  The motion passed unanimously.

Some of the openid.net Web site procedures will need to be updated to add explicitly granting consent.

4.       New OIDF Bylaws, Agreements, and Policies
Proposed changes to the bylaws, member agreement, contribution agreement, trademark usage policy, directed funding policy, and IPR policy have been circulated.  At an executive committee call, a decision was made to simplify some of the procedural aspects of the IPR policy to make contributions simpler and the procedures more closely aligned with the ways we have been operating in practice.  No changes to the intellectual property rights of any participants are being planned.  Some discussions on these documents are still ongoing.  Mike Jones intends to review them and have Microsoft's standards lawyers also provide feedback, as they have done in the past.

5.       Certification Update
Mike Jones gave an update on the OpenID Certification program.  The RP Certification program was publicly launched on February 14, 2017 with this announcement: http://openid.net/2017/02/14/openid-connect-relying-party-certification-adoption/.  Exceeding expectations, 12 RP implementations have been certified while still in the pilot phase of the program.  Meanwhile new OP certifications continue coming in at a rapid pace.  The certification program has become a recognized center of excellence, attracting people to both OpenID Connect and the OpenID Foundation.

The foundation has entered into a contract with Hans Zandbelt to work alongside Roland Hedberg in maintaining and operating the certification program.  His initial deliverables are about ensuring that all aspects of the program are sufficiently documented that the program's continuity is not dependent upon any knowledge only one person might currently have.

New certification profiles are planned, such as one for the form post response mode.  Hans' second deliverables are about ensuring that the means of adding tests are well-documented and working with Roland to add some of these new tests.

Tony Nadalin asked whether we have data on what value the certification program has provided to participants.  Mike Jones reported that we have gathered that data by surveying existing parties who have certified.  We will use this data in future communications about the value of the certification program.  Numerous people said very positive things about the certification program both improving the quality of their implementations and boosting the reputation of their implementations.

Certification training has been proposed for both the Cloud Identity Summit and possibly also at a future Japanese OpenID event.

Don reported that he has been having discussions with Brett McDowell of the FIDO Alliance about possible certification coordination.

[Debbie Bucci joined on the phone at this point]

Discussions have been ongoing with the HEART working group chairs about the working group's possible future certification needs and the possibility of folding some of the testing work that was done for HEART into the foundation's certification program.

For scalability, maintainability, and branding reasons, the foundation has and plans to have a single certification program, with the testing software structed to enable adding new certification profiles.  For instance, eventually new certification profiles for MODRNA, iGov, EAP, HEART, FAPI, and other sets of specifications should be made available by selecting appropriate configuration information in the testing tool, just like different OpenID Connect certification profiles are selected now.  Nat asked about adding additional certification tests for FAPI in the future.

Tony suggested possibly having certification work occur at the IETF hackathons.

Mike reported that we are now featuring certified OpenID Connect implementations at http://openid.net/developers/certified/.  This is intended to help deployers identify and choose certified implementations and to help promote these implementations to developers.

6.       Account Chooser Working Group
Adam reported that the Account Chooser working group has been rechartered as the Account Chooser & Open YOLO (You Only Login Once) working group.  This is intended to open up credential managers other than just Google's to participate in the Account Chooser/Open YOLO experiences.  Google has developed software for this on Android.  They plan to contribute this to the working group.

Tony wants to understand the relationship between this work and the W3C Credential Management work.

Adam expects the rechartering to bring new participants to the work, including some password management vendors.

7.       FastFed Working Group
Dick Hardt has taken a different job within Amazon and plans to step down as editor of FastFed.  Prateek stated that Oracle has a broad interest in this area.  We talked about the need for new leadership and reinvigorated involvement in the working group.  This will be taken up within the working group.

8.       OpenID Connect Working Group
The certification program status had already been reported.

The logout specifications are currently within the 45-day public review period preceding a vote to approve them as Implementer's Drafts.  See the announcement at http://openid.net/2017/02/04/review-of-proposed-implementers-drafts-of-openid-connect-logout-specifications/.

The OpenID Connect Federation draft is being implemented by several federation experts in Europe and interop testing is occurring.  The learnings from these implementations and interop tests will be fed back into the specification in the next revision.

The OpenID Connect Profile for SCIM Services draft was submitted in June 2016.  It has not yet received significant feedback from the working group.

9.       Enhanced Authentication Profile (EAP) Working Group
The Token Binding for OpenID Connect draft has helped inform the IETF Token Binding work, which is nearing completion.  Brian Campbell has been working on an end-to-end Token Binding implementation.

The EAP ACR Values draft has not yet received significant feedback from the working group.  Several FIDO participants have expressed interest in using this specification.

10.   Financial API (FAPI) Working Group
The working group is meeting every week.  They have to navigate a complex set of international requirements.  The read-only security profile is now an Implementer's Draft.  It is intended to meet requirements of US and EU regulations, among other jurisdictions.  The Japanese Banking Association is recommending the use of it.

The data schema work is much more complex.  Tax and banking regulations are different in each country, resulting in intrinsic differences.  The working group expects to have a core schema with a registry for extensions.

They are now working on Part 2 - the read/write security profile.  They expect it to be done by May.

[Debbie Bucci had left the call by this point]

11.   iGov Working Group
The iGov working group is meeting regularly.  They are planning for an Implementer's Draft vote soon.

12.   MODRNA Working Group
Torsten decided to leave Deutsche Telekom for a startup.  Bjorn Hjelm has taken over as working group chair.  They are preparing for Implementer's Draft votes for four specifications.

They are in regular discussion with the GSMA.  MODRNA pointed out ways that some of the Mobile Connect features broke OpenID Connect.  MODRNA is proposing alternative Connect-compatible approaches to provide this functionality.  They are planning for a workshop in May.  They expect that once the MODRNA specs are Implementer's Drafts, the GSMA will reference them and they will adopt them once they are Final Specifications.

There is MODRNA work on discovery.  The GSMA is adopting Dynamic Client Registration and the use of Software Statements.

There are several new active working group participants.

13.   Risk and Incident Sharing and Coordination (RISC) Working Group
There will be a face-to-face RISC meeting tomorrow at Oracle that looks like it will be well attended.  Google has been building out their own RISC infrastructure.  There will be discussions on how to manage subscriptions and registration.

Google continues collaborating with Microsoft on data sharing.  The working group has not yet worked on multi-lateral sharing agreements based on trust frameworks.  They are focusing on getting the data formats defined and getting sharing bootstrapped.

14.   Website Update
We successfully migrated the membership site off of an 8-year-old Ruby version onto a current Ruby version.  Several functions making it easier to administer corporate and sustaining memberships were added at the same time. Nov Matake has agreed to take over the OpenID website operation functions that Darin Richardson has been doing.  The transition from Darin to Nov is under way.

15.   Acknowledgements and Introductions
Don thanked Microsoft for hosting this board meeting.  Don thanked Google for their plans to host the pre-IIW workshop on May 1st.  Don thanked Bjorn for stepping up to lead the MODRNA work.

Ashish Jain of VMware introduced himself.  He was elected to be the corporate board member for the next year.

Tushar Pradhan of PayPal introduced himself.  He leads product management at PayPal for identity.  They plan to host the OpenID workshop on October 16th preceding the Internet Identity Workshop.

16.   Events: Cloud Identity Summit, European Identity and Cloud Conference, etc.
Don is organizing a standards track at CIS and a certification track.  Don is also organizing presentations for EIC, including for the OpenID Workshop there.

There was substantial interest in OpenID at Oracle World.

17.   Financial Update
We are in sound financial shape.  There is a detailed report in the board packet.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-board/attachments/20170302/3b89937e/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: February 15, 2017 OpenID Board Meeting Minutes.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 28812 bytes
Desc: February 15, 2017 OpenID Board Meeting Minutes.docx
URL: <http://lists.openid.net/pipermail/openid-board/attachments/20170302/3b89937e/attachment-0001.docx>

More information about the board mailing list