[Openid-specs-ab] Spec Call Notes 26-Apr-21
Mike Jones
Michael.Jones at microsoft.com
Tue Apr 27 00:15:40 UTC 2021
Spec Call Notes 26-Apr-21
John Bradley
Mike Jones
Tom Jones
Kristina Yasuda
Tim Cappalli
Adam Lemmon
Dmitri Zagidulin
David Waite (DW)
Vittorio Bertocci
Edmund Jay
Jeremie Miller
Tobias Looker
Nat Sakimura
Learnings from IIW
We had a poll among three choices at the SIOP session
10 for using individual claims for W3C VC objects
0 for using aggregated/distributed claims syntax
8 for using a different token type for them
As an aside, Tom reported on DIF work using W3C VC objects
Kristina suggested that we also harmonize with the DIF work on the topic
We proposed claim names at https://openid.bitbucket.io/connect/jwt-claims-for-vc-objects-1_0.html
We could register those soon, once we have working group consensus to do so
Vittorio thought that DW's session about logout without cookies was useful
He said that while DW's 4-year-old contribution was performant, it could be simpler and less performant
Mike said that distributed state management is hard
DW said that in the face of privacy, all you can have is identifiers and revocation
There could be a split between message delivery mechanisms and APIs for doing logout
DW said that a simple thing would be to put a squid proxy in front of the OP
We would need an API that HTTP caching works with
For instance, a revocation yes/no endpoint
DW wouldn't recommend a distributed systems approach now because of the privacy issues with it
He doesn't want revocation to be the point at which I lose privacy
He said that communication between the OP and individual RPs is perfect
DW said that there's a distinction between logout and an assertion that the RP needs new tokens
Vittorio said that there was a good discussion with Sam Goto
Notes from the discussion: https://docs.google.com/document/d/1UsrQ6lgImgYfgR_mCtS-MWT9ZBR0ZbkQGZP3oMzTDP4/edit
They discussed different logout mechanisms in use, including image tags, iFrames, postMessage, etc.
Sam said that he could imagine carving out an exception for image tags, since they have limited capabilities
iFrames are much tougher to control
Mike pointed out that you can't do multi-level logout with iFrames
Vittorio said he understands that, as Auth0 operates intermediaries
But Vittorio also said that if we can limit the breakage, that's better than breaking everything
Vittorio said that the scenarios they're working on currently are about when you don't have third-party cookies
https://github.com/IDBrowserUseCases/docs
Use Cases for SIOP Session
Vittorio recalled a use case on using VCs for alumni to avoid licensing costs
Tony Nadalin had talked about using SIOP to present Mobile Driver's Licenses (mDL)
This avoids "calling home" at presentation time
Vittorio said that some use CIBA for this
There wasn't overwhelming demand for these use cases
Kristina said that Japanese universities are often merging, which could make issuance difficult
Tobias said that there's a number of concepts that have been lumped together
Having more precision in our conversations would be helpful
Kristina said that SIOP means something very specific
She said that use of VC objects is another thing
And portable identifiers are another thing
SIOP means an IdP that you control
Vittorio said that he thinks that some people don't understand that
It's not a general bridge between OpenID Connect and decentralized identity
Nat and Edmund led a discussion on claims aggregation
The presentation used was https://docs.google.com/presentation/d/1w-rmwZoLiFWczJ4chXuxhY0OsgHQmlIimS2TNlce4UU/edit?usp=sharing
They proposed ways of enabling Claims Providers to be practically used
Kristina reported on the use of signed sets of claims
They discussed whether it's OK to use access tokens at both the UserInfo Endpoint and other endpoints
On the call, we had a discussion on use cases for distributed and aggregated claims
Vittorio pointed out the Azure AD large groups use case
Nat said that the primary use case for distributed claims is access across different claims providers
Tom talked about the need for using QR codes and size limitations
Nat said that when we were designing OpenID Connect, we were very conscious of size limitations
Tom said that the need for Covid credentials isn't abstract
Vittorio said that at IIW, many people were complaining that their Covid credential proposals were being ignored
Tom reported that the EU parliament was meeting about Covid credentials tomorrow
Vittorio agreed that the IATA Covid credential proposal is solid
Tom posted SIOP chooser slides with minutes from IIW
https://docs.google.com/presentation/d/1OaMecHecTUexv1skJZoYzJoHKYH8H03REFpFstLRjPg/edit?ts=6087487b#slide=id.gd2c45a9dcd_2_75
Modified SIOP Special Call Schedule
We will be alternating Pacific-friendly and Europe-friendly calls every two weeks
The next Europe-Friendly call will be Tuesday, April 27 at 7am Pacific Time
https://global.gotomeeting.com/join/191527645
Nat said that that timeslot may conflict with the MODRNA call
We'll discuss the preferred call schedule during the call in 14 hours
Mike said that the other possibility is alternating with the existing Pacific-friendly Connect call time
This would next be Thursday, May 6th at 7am Pacific Time
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
We ran out of time to get to this
Next Calls
The next regular Connect call is scheduled for Thursday, April 29th, 2021 at 7am Pacific Time