[Openid-specs-ab] SIOP Special Call Notes 22-Jul-21
Mike Jones
Michael.Jones at microsoft.com
Thu Jul 22 15:11:23 UTC 2021
SIOP Special Call Notes 22-Jul-21
Kristina Yasuda
Mike Jones
Brian Clinkenbeard
Stephane Durand
Jo Vercammen
Tony Nadalin
Justin Richer
Adam Lemmon
Adrian Gropper
Bjorn Hjelm
David Chadwick
Andre Barnard
Pamela Dingle
Events
OpenID Workshop at EIC in Munich, Monday, September 13, 2021
https://www.kuppingercole.com/events/eic2021
Open SIOP Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open&component=SIOP
#1264: Include input_descriptor `id` in OIDC4VP response and request
David Chadwick spoke to the efficiencies gained by having the "id"
He thinks it should be optional
But several implementations don't use it
Mike said that searching small data structures is not a big deal
This is related to https://github.com/decentralized-identity/presentation-exchange/issues/231
David talked about schemas and types for VPs
Brian said that processors can add identifiers to sections when processing
There could be identifiers for users involved
#1256: Reconcile the mapping/processing between input descriptors and submitted inputs
We discussed the liaison relationship between the OIDF and DIF
Kristina described how PE is being profiled to work well with Connect
#1267: successful client registration response
Mike didn't remember the purpose for this text
We will discuss it on a regular Connect call
#1207: Custom URL scheme clarification needed
We will close this after confirming with Oliver
#1210: SIOP V2: openid:// should not be required but an optional URI scheme
We will close this
Open SIOP PRs
https://bitbucket.org/openid/connect/pull-requests
#35: Issue 1262 did-based sub and sub_jwk
We agreed to merge this PR
#36: Issue #1265, nonce mandatory
This is ready to merge
#37: Cross Device SIOP
Kristina asked if people had ideas to make a cross-device flow more secure
Mike asked whether this should be in a different spec, given its phishable nature
Bjorn said that MODRNA has multi-device flows using CIBA
The question is how to bind the consumer device and the authenticator device
In the MODRNA case, the mobile phone will be the authenticator device
Bjorn said that nothing has been put into the spec to achieve the binding
Mike said that CIBA is OK for payment because the payment terminal is inside the security boundary
The same does not apply to random QR codes
Stephane and Brian said that payment terminals are not always secured
Brian talked about how one shouldn't use phones in proximity to gas pumps
There are also problems where phones are prohibited and/or when there is no service
Brian said that fallbacks need to be in place when the phone can't be used
Brian said that security depends upon participants vetting your identity
The end terminal can't necessarily be trusted
Kristina will open an issue about security considerations for cross-device flows