[Openid-specs-ab] SIOP Special Call Notes 16-Dec-21
Mike Jones
Michael.Jones at microsoft.com
Thu Dec 16 19:52:56 UTC 2021
SIOP Special Call Notes 16-Dec-21
Kristina Yasuda
Kenichi Nakamura
Thomas Bellebaum
David Chadwick
Daniel Fett
Martin Schanzenbach
Petteri Stenius
Mike Jones
Tom Jones
Mike described how to join the working group by signing the IPR declaration
Instructions at https://openid.net/wg/connect/
SIOP and OIDC4VP Implementer's Draft Process
We have merged several PRs addressing review feedback received
3 remain open
We plan to start the Foundation-wide review Friday afternoon
Open Pull Requests for the Proposed Implementer's Drafts
https://bitbucket.org/openid/connect/pull-requests/
PR #90: addressing DW's comments in Issue 1372
We'd asked DW to review, but this appears to be ready to merge
PR #91: addressing Edmund's siop-v2 comments sent to the ML
Kristina to address Edmund's comment, then merge
PR #92: added text and examples on other credential formats
This appears to be ready to merge
Security Considerations for SIOP v2
Daniel Fett plans to write these in the next day
#1269: Add Security Considerations for Cross-device SIOP
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1371: Simplify passing the public key to the RP
David proposed sending the key in a base64url-encoded JWK rather than sub_jwk
Mike said that JWKs can have more fields than just the key and the order can vary
Whereas the JWK Thumbprint results in a stable subject identifier
Mike said that using attributes to identify the end-user enables attacks
For instance, an e-mail address might be reassigned to a different person
David wants to send ephemeral keys (like SAML initially did)
Daniel said that if you only have ephemeral keys, then SIOP is just a transport mechanism
There was a multi-faceted conversation about user identification
#1375: Credential Issuance: `retry_in` parameter for deferred credentials
This would specify a polling period
Kristina suggested a "retry after" value instead
Mike would like us to support long outstanding requests rather than polling
Holiday Call Schedule
We will take the next two weeks off
The next SIOP special call will be January 6, 2022 at 7am Pacific Time
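
Added example (not part of the original notes or of the SIOP drafts), illustrating the #1371 point that a JWK can carry extra members in varying order while its JWK Thumbprint stays stable. It computes an RFC 7638 SHA-256 thumbprint for two serializations of the same key; the key coordinates, the `kid` value and the helper names are constructed for illustration.

```python
import base64
import hashlib
import json

# Required members per key type (RFC 7638 section 3.2; OKP per RFC 8037).
REQUIRED = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK Thumbprint: hash only the required members, sorted, no whitespace."""
    kty = jwk.get("kty")
    members = REQUIRED.get(kty) if isinstance(kty, str) else None
    if members is None:
        raise ValueError("unsupported or missing kty")
    missing = [m for m in members if not isinstance(jwk.get(m), str)]
    if missing:
        raise ValueError(f"missing required members: {missing}")
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def raw_jwk_identifier(jwk_json: str) -> str:
    """Hypothetical alternative: identify the user by the encoded JWK text itself."""
    return b64url(jwk_json.encode("utf-8"))


# Constructed sample: the same public key serialized by two implementations.
# The coordinates are placeholder strings, not a real P-256 point.
X, Y = "Y29uc3RydWN0ZWQteC1jb29yZA", "Y29uc3RydWN0ZWQteS1jb29yZA"
JWK_A = '{"kty":"EC","crv":"P-256","x":"%s","y":"%s"}' % (X, Y)
JWK_B = '{"use":"sig","y":"%s","kid":"key-1","x":"%s","crv":"P-256","kty":"EC"}' % (Y, X)

if __name__ == "__main__":
    for label, text in (("A", JWK_A), ("B", JWK_B)):
        print(label, "thumbprint:", jwk_thumbprint(json.loads(text)))
        print(label, "raw JWK id:", raw_jwk_identifier(text)[:32] + "...")
```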