[Openid-specs-ab] Spec Call Notes 14-Dec-20
Mike Jones
Michael.Jones at microsoft.com
Tue Dec 15 00:23:16 UTC 2020
Spec Call Notes 14-Dec-20
Mike Jones
Nat Sakimura
John Bradley
Tony Nadalin
Kristina Yasuda
Brian Campbell
Adam Lemmon
Tim Cappalli
Kim Cameron
Edmund Jay
Tom Jones
Tobias Looker
Scope of Initial SIOP V2 Work
Discussion brought about in part by contributed SIOP V2 Draft
https://bitbucket.org/openid/connect/src/master/openid-connect-self-issued-v2-1_0.md
Also related to the SIOP Requirements draft
https://bitbucket.org/openid/connect/src/master/SIOP/siop-requirements.md
Agreement on areas that are in scope:
Ability to have optional level of indirection to get self-issued keys
Optionally addressing keys by reference rather than by value
Ability to rotate keys for the same subject
RP Registration
Mike: The RP is going to have to be able to say things to the OP about what it supports
Such as cryptographic algorithms and possibly identifier types
Tobias agreed
Tobias suggested that we use request-bound client registry - to allow for a level of indirection
OP Discovery
Mike: The OP is going to have to be able to say things to the RP about what it supports
The one-size-fits-all approach in SIOP V1 didn't hold up well over time
Tom pointed out that WebID has a metadata endpoint
He said that we could still get changes into that if we act quickly
Tobias: Some SIOP providers that are PWAs could still use .well-known based discovery
May be an implementation requirement for some but not others:
One of the ways to optionally address keys by reference is a DID
Scopes of work that may apply more broadly than SIOP:
Account recovery - when an ID becomes invalid
John notes that a similar thing is being proposed in FIDO2
John called it a subject proof mechanism
John said that's easier if you still have access to the old subject
The new subject needs to be signed by the old subject
Mike said that this is related to the OpenID 2.0 to OpenID Connect Migrating Spec
That was separable work from the core protocol
One could imagine multiple such mechanisms trusted by RPs
John and Mike said that this is related to the MODRNA account porting work
John said that rotating keys is separate than rotating identifiers
This is bigger than just SIOP as it also applies to third-party issued identities
Portable Identifiers
Could apply to both third party OPs and self-issued OPs
John agrees that 3rd party versus self-issued is an artificial distinction
Tony has an issue with understanding what portable identifiers means
Tobias suggested that we talk about cryptographically verified identifiers
Kim suggested that we call them domain-free identifiers
Like account migration, this is bigger than just self-issued
John likes visualizing free-range identifiers (like chickens)
Kim said that they're not scoped to walled gardens
Mike said that he misses his i-names
Kim said that they would have to be cryptographically provable
John said that the key distinction is whether the individual or the IdP controls the key material
Related Discussions
Definitions
Tobias asserted that he's increasingly viewing SIOP as an umbrella term for additional extensions
Kristina said that she views SIOP as OPs that are not ASs
Downstream Authentication
Tony stated that he has an issue with downstream authentication
He thought that it wasn't necessarily in scope for Connect
John asked Tony to clarify
Tony said that there's a difference between proving that you own an identity and using it to authenticate
Mike said that proof of ownership is a precondition for authentication but doesn't imply it
Claims Binding
Nat said that we should discuss binding claims to presenters
John agreed with that
Nat said that in the Claims Aggregation draft, the issuer of the claims can include the subject identifier
Tom said that that doesn't work for his use cases
Nat said that this is one way to do it
Tobias agreed that there are multiple solution options, as did Tony
Tobias said that claims binding includes both the process of establishing the binding and how they are presented and authenticated
Tony said that he would stay away from authenticating
RP-Initiated Login Features
We ran out of time to discuss this
Events
We ran out of time to discuss this
External Organizations
We ran out of time to discuss this
Next Call
The next call is on Thursday, December 17th at 7am Pacific Time
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20201215/b7d6828e/attachment.html>
More information about the Openid-specs-ab
mailing list