[Openid-specs-ab] Spec Call Notes 17-Jun-21
Mike Jones
Michael.Jones at microsoft.com
Fri Jun 18 22:41:01 UTC 2021
Spec Call Notes 17-Jun-21
Mike Jones
Tom Jones
Nat Sakimura
Tim Cappalli
Kristina Yasuda
Anthony Nadalin
Joseph Heenan
Mark Haine
Adam Lemmon
John Bradley
Events
Identiverse
Joseph is doing a talk on best practices for OAuth 2.0 and OpenID Connect mobile applications
Kristina is doing a SIOP panel with Nat and Kim and Tobias
Vittorio is doing a presentation on Browser Interactions
https://identiverse.com/idv2021/session/SES17LPY80SAWHL8K/ - "Identity and Web Browsers: Next-Generation API"
George is doing a presentation on Dynamic Client Registration at scale
Nat is doing the presentation Seven Principles of Digital Being
Applied Cryptography and Network Security Conference
Nat will be doing a talk on cryptographic security
https://identiverse.com/idv2021/session/SEST6B73DDZG8MW3P/
DHS Response
The response deadline was extended into July
We will set a deadline for comments by the end of June
We are answering only the questions in the RFI that are pertinent to OpenID
Kristina will make sure that the question being answered is clearly identified
Liaisons
DIF
The Wallet Security WG charter has been approved
Use of SIOP is in scope
Apparently the German government is interested in secure wallet specifications
Nat said that if key management or bearer tokens are involved, the wallet needs to be secure
Tom said that Kantara is also doing work on secure wallets
Tom said that wallets may sign proof of presence of human beings
John said that wallets signing things for themselves is essentially meaningless
You need a higher-level statement of trust from the operating system, etc.
Kristina said that key management and signing by the wallet is in scope
Backup and recovery is in scope
Nat said that remote attestation can be used to identify a true wallet
John said that there can be attestations that you're talking to the right wallet binary
John said that there might also be attestations for particular keys
For instance, Android attestations (SafetyNet), App Attest on iOS, etc.
eKYC-IDA
There's a proposal for new eIDAS specifications
Mark Haine said that eIDAS services have been successful but eIDs were a failure
There's a proposal to make eID certification-based, like eIDAS services were
Stephane Mouy gave a presentation on the new eIDAS proposals
Federation Specification
The current draft is https://openid.net/specs/openid-connect-federation-1_0-16.html
Torsten submitted a review
We're hoping for a few more internal reviews before starting the Implementer's Draft review
Certification Update
Joseph said there isn't much to report on the Connect side
The extra tests for additional assertion audiences aren't in place yet
Brazil has provided directed funding to develop tests for the Brazil FAPI 1.0 profile
There are also FAPI-CIBA tests for Brazil
The FAPI-CIBA RP tests are entirely new work
We're expecting ~40 certifications next month
They're going into production with the 40 banks next month
Open Pull Requests
https://bitbucket.org/openid/connect/pull-requests/
PR #22 on Verifiable Presentations
To be discussed on the next SIOP special call
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1227: Core 5.5 - Claims parameter requirements
Mark and Tony talked about this
Mark said that it's unclear whether implementations can support "id_token" but not "userinfo" or vice versa
Mike agreed to review the existing text from that perspective
This isn't being tested in the Certification tests
Mark said that this came up in a UK Open Banking context
They're using the ID Token as a detached signature mechanism
They don't want to put PII in the ID Token
They want the use of the UserInfo Endpoint rather than the ID Token in this case
Mike said that RPs always have to be prepared for requested claims not to be provided and for unanticipated claims to be included
Which claims are returned and where they are returned is already at the discretion of the OP
Mark said that there's the possibility of adding additional discovery elements specifying additional behaviors
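The RP-side behaviour discussed under #1227, as an added example that is not part of these notes or of any OpenID Foundation code: the RP builds a Core 5.5 "claims" request naming where it wants each claim ("id_token" or "userinfo") and whether it is essential, then reconciles what the OP actually returned against that request, treating missing requested claims and unanticipated extra claims as normal outcomes rather than errors, and refusing UserInfo claims whose "sub" does not match the ID Token (Core 5.3.2). The function names and all sample values (issuer, subject, claim values) are constructed for this example.

```python
"""Constructed example of RP handling for the OpenID Connect 'claims' parameter.

The OP decides which requested claims it returns and where, so the RP must
tolerate omitted claims (even essential ones) and additional claims it did
not ask for. All values below are constructed sample data.
"""
import json

# Claims that belong to any ID Token (Core 2 and the *_hash claims); their
# presence is expected, so they are never reported as "unanticipated".
ID_TOKEN_STANDARD = {"iss", "sub", "aud", "exp", "iat", "auth_time", "nonce",
                     "acr", "amr", "azp", "at_hash", "c_hash", "s_hash"}


def build_claims_request(id_token=None, userinfo=None):
    """Return the JSON value of the 'claims' request parameter.

    id_token / userinfo map a claim name to True (essential) or False (voluntary).
    A voluntary claim is encoded as null, an essential one as {"essential": true}.
    """
    request = {}
    for location, wanted in (("id_token", id_token), ("userinfo", userinfo)):
        if wanted:
            request[location] = {
                name: ({"essential": True} if essential else None)
                for name, essential in wanted.items()
            }
    return json.dumps(request, separators=(",", ":"))


def reconcile_claims(claims_request, id_token_claims, userinfo_claims=None):
    """Merge returned claims against what was requested.

    Raises ValueError if a UserInfo response carries a 'sub' different from the
    ID Token's 'sub' (Core 5.3.2: such UserInfo values MUST NOT be used).
    Returns the merged requested claims, the requested claims that were not
    returned (per location, plus the essential subset), and the claims that
    were returned without having been requested (recorded, not merged).
    """
    requested = json.loads(claims_request)
    if userinfo_claims is not None and userinfo_claims.get("sub") != id_token_claims.get("sub"):
        raise ValueError("UserInfo sub does not match ID Token sub; UserInfo claims discarded")

    returned = {"id_token": id_token_claims, "userinfo": userinfo_claims or {}}
    merged, missing, missing_essential, unexpected = {}, {}, [], {}
    for location, present in returned.items():
        wanted = requested.get(location, {})
        not_returned = sorted(name for name in wanted if name not in present)
        if not_returned:
            missing[location] = not_returned
        missing_essential.extend(
            name for name in not_returned
            if isinstance(wanted[name], dict) and wanted[name].get("essential")
        )
        baseline = ID_TOKEN_STANDARD if location == "id_token" else {"sub"}
        extra = sorted(name for name in present if name not in wanted and name not in baseline)
        if extra:
            unexpected[location] = extra
        # Only requested claims are merged; if a claim was requested in both
        # places and both returned it, the ID Token value (processed first) is kept.
        for name in wanted:
            if name in present and name not in merged:
                merged[name] = present[name]
    return {"claims": merged, "missing": missing,
            "missing_essential": sorted(missing_essential), "unexpected": unexpected}


def sample_run():
    """Constructed exchange: the OP omits an essential claim and adds two extras."""
    req = build_claims_request(id_token={"email": True},
                               userinfo={"given_name": False, "address": True})
    id_token = {"iss": "https://op.example.com", "sub": "248289761001",
                "aud": "client-123", "exp": 1624000000, "iat": 1623999400,
                "nonce": "n-0S6_WzA2Mj", "picture": "https://op.example.com/p.jpg"}
    userinfo = {"sub": "248289761001", "given_name": "Jane",
                "address": {"country": "GB"}, "phone_number": "+44 20 7946 0000"}
    return reconcile_claims(req, id_token, userinfo)


if __name__ == "__main__":
    print(json.dumps(sample_run(), indent=2))
```

Whether a missing essential claim is fatal is the RP's decision, not the OP's: the OP does not error when a claim is unavailable, so the RP checks "missing_essential" itself and decides how to proceed. The Open Banking pattern from the discussion (PII at the UserInfo Endpoint, ID Token used only as a detached signature) is the case where the "userinfo" location carries all requested identity claims and the ID Token is expected to contain none of them.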
#968: inconsistent treatment of id_token_hint
Mike will investigate whether the existing errata edits have already addressed this issue
#976: Unregistered openid2_realm and openid2_id
Mike will send a note to IANA
#978: URL for errata
Mike will add a comment to the issue about how we're already addressing this
Next Call
The next regular Connect call will be on Monday, June 21, 2021 at 4pm Pacific Time