[Openid-specs-ab] Spec Call Notes 12-Sep-19
Mike Jones
Michael.Jones at microsoft.com
Thu Sep 12 15:54:06 UTC 2019
Spec Call Notes 12-Sep-19
Nat Sakimura
Bjorn Hjelm
Mike Jones
Brian Campbell
George Fletcher
Bart Geesink - SURFnet
Marcos Sanz - de.nic - Works with Torsten
Torsten Lodderstedt
Hans Zandbelt
Roland Hedberg
OpenID Connect for Identity Proofing
Torsten asked if it was time for progression to Implementer's Draft status
We reviewed the identity proofing issues at https://bitbucket.org/openid/connect/issues?status=new&status=open&component=Assurance
#1107: List other laws or trust services in the introduction
Editorial - request from OIDF Japan
#1106: Link between Evidence and Claims
An extension to the syntax
#1105: Support multiple verified_claims elements
Could be done in a non-breaking fashion later (Torsten and Marcos)
#1100: Analyse ISO 29003
Torsten had a look at the doc, which Tony provided
Torsten doesn't know what specific changes to make
Perhaps Tony and Torsten can go over this together at IIW
#1098: Add verification_score
Suggestion by Adam Cooper - the conversation appears to have gone silent
Would not be a breaking change
#1097: Include Legal Persons
We agreed to address this post Implementer's Draft
#1094: How to treat unknown identifiers in claims parameter
Mike added a reference to the JWS "crit" header parameter
#1093: Extensibility: how do we support extensibility for trust frameworks, evidence types, verification methods and id documents?
We can use Discovery metadata to query for supported features
#1088: register new claims in OAuth Token Introspection Response Registry
This can happen when the document is approved
#1078: Identity Assurance - Incorporate EU/EC KYC Token work
A placeholder to talk to the EC
Nat will make the connections
#1077: Identity Assurance - Need Input from other Jurisdictions
Ongoing work
Hope for feedback from Australia and Africa
#1069: Identity Assurance Section 5.1 on reason for request
There is now a purpose mechanism that satisfies this need
Torsten will propose to close this issue on this basis
#1068: Follow ISO rules (ISO Directive Part 2 and global relevance documents) on the drafting
Nat will do a review on this basis
We decided that it is time for an Implementer's Draft vote
If there are no objections within a week, we'll start the Implementer's Draft review process
SURFnet OpenID Connect Proxy Certification Issues
Bart explained that the SURFnet proxy to SAML IdPs passes policy to the upstream IdPs
They always return an error from prompt=none because they don't know if the user is logged in or not
They always reauthenticate in the max_age=10000 test
https://github.com/openid-certification/oidctest/issues/184
Both of these are causing certification failures because they are not behaving in the expected fashion
Hans expressed the opinion that requiring establishing a session is a strong requirement
George said that the tests for session state are useful
Torsten said that financial institutions are reluctant to use single-sign-on
Mike said that prompt=none and max_age were put in the spec to improve usability
The spec explicitly requires OPs to support prompt=none
All existing certified OPs support sessions for this reason
At most, we should make failing these tests a warning - we shouldn't remove the tests
Torsten, Hans, and George are in favor of being able to test implementations that don't establish sessions
George talked about adding explicit support for session-less IdPs
This is a longer-term possible deliverable
A session-less IdP implies different user-visible behaviors
We will discuss this more on the call in two weeks
Login with Apple
Apple has fixed the spec violations that we pointed out
They have not created a Discovery endpoint
Hans created a PR to update our Apple status page that needs to be merged
Don Thibeau is working on public communication
Events
Pre-IIW Workshop
https://openid.net/2019/08/09/registration-open-for-openid-foundation-workshop-at-verizon-media-on-monday-september-30-2019/
George will be talking about proposed browser changes and their possible impacts on OpenID Connect
TPAC
George is concerned about the "is-the-user-logged-in" proposal
https://lists.w3.org/Archives/Public/public-webappsec/2019Sep/0004.html
FDX Developer Workshop
Don Thibeau gave a presentation on the Foundation and Certification
Bjorn gave a presentation about CIBA
OAuth JAR
Nat is waiting for a pull request from Torsten
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
We only covered the Identity Assurance issues
Next Call
The next call is Monday, September 16 at 4pm Pacific Time
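
Added example, not part of the call notes or of any implementation discussed on the call: a sketch of why an OP that keeps no session fails the prompt=none and max_age=10000 checks described under "SURFnet OpenID Connect Proxy Certification Issues". It follows the OpenID Connect Core definitions of prompt and max_age; the names Session, op_decision and compare and the sample timestamps are hypothetical, and the session-less proxy is modelled simply as an OP that never has a session to consult.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    sub: str
    auth_time: int  # epoch seconds of the last active authentication

def op_decision(prompt: Optional[str], max_age: Optional[int],
                session: Optional[Session], now: int) -> dict:
    """Decide how an OP answers an authentication request."""
    # The session is usable if it exists and, when max_age was sent, the
    # elapsed time since the last active authentication does not exceed it.
    fresh = session is not None and (
        max_age is None or now - session.auth_time <= max_age)
    if prompt == "none":
        # prompt=none: no UI may be shown, so answer silently or return an error.
        if fresh:
            return {"action": "issue_tokens", "auth_time": session.auth_time}
        return {"action": "error", "error": "login_required"}
    if fresh and prompt != "login":
        return {"action": "issue_tokens", "auth_time": session.auth_time}
    # No usable session (or prompt=login): show the login UI.
    return {"action": "authenticate"}

def compare(prompt, max_age, session, now):
    """Return (session-keeping OP, session-less OP) decisions for one request."""
    return (op_decision(prompt, max_age, session, now),
            op_decision(prompt, max_age, None, now))

# Constructed sample: the user authenticated 60 seconds before the request.
NOW = 1568300000
LOGGED_IN = Session(sub="user-1", auth_time=NOW - 60)

if __name__ == "__main__":
    for prompt, max_age in [("none", None), (None, 10000), (None, 1)]:
        with_session, without = compare(prompt, max_age, LOGGED_IN, NOW)
        print(f"prompt={prompt} max_age={max_age}")
        print("  session-keeping OP:", with_session)
        print("  session-less OP:   ", without)
```
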