[Openid-specs-ab] Spec Call Notes 15-Aug-19
Mike Jones
Michael.Jones at microsoft.com
Thu Aug 15 16:21:14 UTC 2019
Spec Call Notes 15-Aug-19
Torsten Lodderstedt
Nat Sakimura
Mike Jones
Brian Campbell
OpenID Connect for Identity Proofing
Feedback on Identity Proofing draft from OIDF Japan
Sent by Naohiro Fujie
There was substantial feedback on syntax and location of elements
Torsten is filing issues based on the feedback
Mike requested that the feedback be sent to the working group list
Feedback from US mobile carriers
Sent by Michael Engan
On relationship between claims and evidence
Mike requested that the feedback be sent to the working group list
Tony Nadalin wrote that we should align with ISO 29003
Issue #1100 - Analyse ISO 29003
Torsten isn't sure what concrete actions should be taken
We should have Tony make specific actionable suggestions
EU minimal viable KYC document
PRIORITY GROUP 2 PROPOSAL FOR AN ATTRIBUTE-BASED & LoA-RATED KYC FRAMEWORK FOR THE FINANCIAL SECTOR IN THE DIGITAL AGE
Torsten started to read it
Torsten plans to file some tickets
Nat suggested a conference call with the contact people Stephane Mouy and Eric Wagner
Torsten plans to publish another version today
OAuth JAR and IANA Registrations
Ben Kaduk provided feedback on OAuth JAR on collisions between JWT claim names and OAuth request parameter names
Brian suggested that rather than linking registries or creating complex rules for IANA to follow that the likely collisions be registered
Mike agreed that the registries should not be linked, as there are many JWT claims that will never be OAuth request parameters
We can prevent likely collisions by registering claims like "aud", "sub", "iss", "cnf", "jti", etc. as OAuth request parameters
Also "exp", "iat", "nbf" - probably everything in RFC 7519 plus "cnf"
We should not need to register OAuth request parameters as JWT claims
The only time that conflicts matter is when a JWT claim is being used as an OAuth request parameter
Nat stated that the context is clear when the JWT is used as an OAuth request
Brian stated that OAuth JAR should register the values as OAuth request parameters and explain why they are registered
Mike agrees
JAR should reserve the names to prevent them being used as OAuth request parameters
Nat will do this - Mike offered to review the result
Login with Apple
Apple appears to be fixing some things one-by-one
For instance, they have added "nonce"
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1099 - Use ICAO codes for nationality and issuer country?
These include codes for refugees and international organizations
But they are three-letter codes
Mike suggested allowing 3-letter ICAO codes when there is no corresponding ISO 2-letter code
#973 - Core 2 / 3.1.3.7 - azp claim underspecified and overreaching
See William Denniss' message "Resolving the `azp` inconsistency" on the next call
Next Call
The next call is Monday, August 19 at 4pm Pacific Time