[Openid-specs-ab] Spec Call Notes 17-Aug-20
Mike Jones
Michael.Jones at microsoft.com
Tue Aug 18 00:38:49 UTC 2020
Spec Call Notes 17-Aug-20
Nat Sakimura
Mike Jones
Tom Jones
Kristina Yasuda
Edmund Jay
Bjorn Hjelm
John Bradley
Tobias Looker
OAuth JAR
Mike is continuing to work on a PR addressing IESG and WG comments
Aggregated Claims Draft
Edmund will check this into the Connect repositories and Mike will publish a working group draft
Tom's Draft
https://github.com/KantaraInitiative/DistributedAssurance/blob/master/OpenID%20Self%20Issued%20Identifier.md
Tom is asking Tobias for feedback on his draft
He received feedback from Markus Sabadello on recovery that he is incorporating
DIF/OpenID Liaison Relationship
Kristina reported that there was a meeting about this at DIF and that people were enthusiastic
DIF needs to send a signed liaison agreement to the OIDF
Balázs Némethi reached out to Don with some questions, which Mike and Nat answered
Kristina has volunteered to be the liaison officer between the two organizations
We should confirm that at the next executive committee call
Other External Organizations
Nat suggested that some of the W3C community groups and WGs might also be pertinent
For instance, the DID WG is pertinent
Mike reported that they're working towards having a Candidate Recommendation
Mike is already serving as an informal information exchange conduit
External Related Specs
ISO 24760 Basic Identity Management spec
ISO 29115 Entity Authentication Assurance
ISO 29003 Identity Proofing
The US is working on NIST 800-63-4
It's open for comments now
Tom commented that 800-63-2 certifications aren't valid for 800-63-3 in healthcare
EIDAS
John said that EU is looking for feedback on EIDAS
Nat is running a panel on identity at a blockchain business conference next week
https://www.bg2c.net/en_index.html
[BG2C Prep-Meeting] Blockchain and Identity
Aggregated Claims Spec
Nat described it as constraining the response from the resource server
Like a UserInfo Endpoint V2
At Identiverse, George Fletcher talked about the possibility of getting a constrained/downscoped access token
George's use case was use in networks of micro-services
There was a discussion on the relationship between roles and scopes
Once the working group draft has been published, we'll ask for people to review it
Use of "sub" in SIOP
Tobias said that RPs use the "sub" field as a stable identifier for the party
That prevents key rotation for SIOP
He would still sign with the "sub_jwk" but break the linkage to the "sub" value
John observed that what Tobias wants is the level of indirection we had for XRDS identifiers in OpenID 2.0
The XRDS document provided a pointer to the discovery information for the IdP
With XRDS you could build a multi-tenant self-issued service
Tobias said that there would be an identifier that would be dereferenced to get the needed cryptographic material
John said that the "sub" would be like that
He said that it would be up to the SIOP whether to use an externally referenced key source or an internal one
Tobias said that we could define a URI that stands for the JWK Thumbprint
John said that a DID could be simply a file on a Web Server
Tobias would expand the OP metadata to indicate the methods supported
Mike said that he wouldn't want RPs to all have to understand DID resolution
John and Tobias agreed, and had ideas about how to accomplish that
Tobias plans to send his presentation deck to the working group
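The key-rotation problem Tobias raised, shown in code as an added example (not from the call, the OIDF, or any spec text): under OpenID Connect Core section 7, the self-issued "sub" is the RFC 7638 thumbprint of "sub_jwk", so an RP that keeps "sub" as a stable identifier sees it change whenever the key changes. The last two functions sketch the indirection John described, with an in-memory dict standing in for an externally referenced key source; the identifier URL and the key coordinates are constructed placeholders.

```python
import base64
import hashlib
import json

# RFC 7638: only these members, in lexicographic order, feed the thumbprint hash.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: canonical JSON (sorted keys, no whitespace) -> SHA-256 -> base64url without padding."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def self_issued_claims(key: dict) -> dict:
    """Claims of a self-issued ID Token as OIDC Core section 7 defines them: sub is the thumbprint of sub_jwk."""
    return {"iss": "https://self-issued.me", "sub": jwk_thumbprint(key), "sub_jwk": key}

def rp_check_sub(claims: dict) -> bool:
    """RP-side consistency check: sub must equal the thumbprint of sub_jwk, otherwise the token is rejected."""
    return claims.get("sub") == jwk_thumbprint(claims["sub_jwk"])

# Constructed P-256 public keys; the coordinates are placeholder strings, not real curve points.
KEY_V1 = {"kty": "EC", "crv": "P-256", "x": "placeholder-x-v1", "y": "placeholder-y-v1"}
KEY_V2 = {"kty": "EC", "crv": "P-256", "x": "placeholder-x-v2", "y": "placeholder-y-v2"}  # the rotated key

def rotation_changes_sub() -> bool:
    """The problem from the call: rotating the key changes the thumbprint, so the RP's "stable" sub changes too."""
    return self_issued_claims(KEY_V1)["sub"] != self_issued_claims(KEY_V2)["sub"]

# Indirection sketch: sub is a stable identifier the RP dereferences to the current key. The dict stands in
# for an externally referenced key source (a DID document or a file on a web server); constructed, not a real resolver.
KEY_SOURCE = {"https://holder.example/keys/alice": KEY_V1}

def indirect_claims(identifier: str, key: dict) -> dict:
    """Self-issued claims where sub is the stable identifier rather than the key thumbprint."""
    return {"iss": "https://self-issued.me", "sub": identifier, "sub_jwk": key}

def rp_check_indirect(claims: dict, key_source: dict) -> bool:
    """RP check with indirection: sub_jwk must be the key that sub currently resolves to."""
    resolved = key_source.get(claims["sub"])
    return resolved is not None and jwk_thumbprint(resolved) == jwk_thumbprint(claims["sub_jwk"])
```

With indirection, rotation is an update at the key source (`key_source[identifier] = KEY_V2`) and the RP keeps the same "sub".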
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
(The call went over time and we didn't spend any time on open issues.)
Next Call
The next working group call is Thursday, August 27 at 7am Pacific Time