[Openid-specs-ab] Spec Call Notes 6-Dec-21
Mike Jones
Michael.Jones at microsoft.com
Tue Dec 7 06:06:07 UTC 2021
Spec Call Notes 6-Dec-21
Mike Jones
Nat Sakimura
Kristina Yasuda
Tony Nadalin
Tom Jones
Gail Hodges
Vittorio Bertocci
Edmund Jay
David Waite (DW)
Proposed Implementer's Drafts
As decided on the 2-Dec-21 call, we're conducting a working group review of these specs between now and Friday:
SIOPV2 https://openid.net/specs/openid-connect-self-issued-v2-1_0.html
OIDC4VP https://openid.net/specs/openid-connect-4-verifiable-presentations-1_0.html
The editors will incorporate text addressing comments received between now and then
Updated versions will be published and the Foundation-wide Implementer's Draft review will begin
Nat requested that Mike send individual notifications of these review periods
Kristina merged multiple editorial PRs for OIDC4VP
DW's PR #57 on Encrypted ID Tokens for SIOP should be considered
Torsten's PR #45 on Additional Security Considerations for OIDC4VP should be considered
Kristina will follow up with Torsten
ISO PAS Submission
Gail noticed that FIDO has been taking their specifications through the ISO Publicly Available Spec process
Gail then asked Nat about it, who said that we are interested in it
Gail believes that this is a bigger effort than a typical volunteer task
Mike asked whether we can guarantee that spec changes will not happen
Tony said that it depends
Tony said that FIDO is submitting to ITU-T, not ISO
Tony said that nothing has come up on ISO CS1 or SC17
Nat said that we first need to get ISO PAS submitter status with the secretariat
Tony said that ITU-T PAS submission requires reformatting into ITU format
Nat said that ISO PAS submission doesn't reformat and submission is pass/fail
Tony will be the SC17 liaison with FIDO
FIDO's liaison agreement with ISO is in process
Our Class C liaison with ISO SC17 is being voted on now
Nat said that obtaining PAS submission status isn't that much work
It's sent to the JTC1 secretariat
Nat said that for the submission to pass, we probably have to be in touch with national bodies to ask them to vote yes
Nat said that after submission, there may be pushback from the secretariat
Nat said that we have the equivalent of PAS submitter status in ITU-T
A4 and A5 status
Tony said that he's done that process before
Tony said that we would submit to ITU-T Q10 - Security and Identity
Mike asked how we would decide whether to submit to ISO or ITU-T
Nat said that we can do both
Nat said that ISO is important due to mDL
Nat said that ISO would be easy for FAPI, since the FAPI specs are already in ISO format
We agreed to try to find someone to get ISO PAS submitter status for us
Preferably someone already working with both OpenID and ISO
Gail would hate to see adoption blocked in some places due to lack of administrative steps on our part
Open Pull Requests for Proposed Implementer's Drafts
https://bitbucket.org/openid/connect/pull-requests/
#57: Further specify how to use encrypted id_token_hint values
Mike reviewed the PR and made suggestions
It should follow https://datatracker.ietf.org/doc/html/rfc7519#section-5.3
DW agreed to revise accordingly
Recertification
Gail said that some governments are requiring regular recertification of FAPI deployments
For instance, requiring annual recertification
Gail asked if the Foundation should have a viewpoint on recertification, which she thought could be valuable
It's a problem when the certified product and current product are quite different
This issue was discussed by the board strategy task force
We'd like to define our viewpoint during 2022
One possibility is date-stamped certification logos
Mike talked about certifications representing a statement that was true at a point in time
He said that we could add comments about recertification in the FAQ
He said that we should not try to mandate recertification in any way
Vittorio supports issuing badges with the year of the certification as an incentive for recertification
He is worried that customers may not look into the certification dates themselves
He would not support forcing anyone to recertify
Mike said that the current OpenID Certified logo is rarely used
So dated logos might be great but only if actually used
Vittorio said that we should do more to promote the use of the certification logo
Gail wants to include this in our marketing strategy
We ran out of time for these agenda items
Multitenancy
Multiple-Device Flows
Open Pull Requests
https://bitbucket.org/openid/connect/pull-requests/
We ran out of time to consider pull requests
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
We ran out of time to consider open issues
Next Call
The next call is the SIOP Special Topic call on Thursday, December 9th at 7am Pacific Time