[Openid-specs-ab] Spec Call Notes 10-May-21
Mike Jones
Michael.Jones at microsoft.com
Tue May 11 00:44:10 UTC 2021
Spec Call Notes 10-May-21
Mike Jones
Pamela Dingle
Nat Sakimura
Tony Nadalin
Tobias Looker
Adam Lemmon
David Waite (DW)
Vittorio Bertocci
Jeremie Miller
Kristina Yasuda
Tim Cappalli
Tom Jones
Edmund Jay
Brian Campbell
OpenID Connect for W3C Verifiable Credential Objects
http://lists.openid.net/pipermail/openid-specs-ab/attachments/20210505/a198527a/attachment-0001.pdf
The SIOP special call unanimously recommended adoption as a working group document
There was a discussion of the call for adoption last week
https://bitbucket.org/openid/connect/wiki/Connect_Meeting_Notes_2021-05-06_Atlantic
Nat made a call for adoption
See https://bitbucket.org/openid/connect/issues/1229/adoption-of-the-openid-connect-for-w3c
There's been discussion on the list but no comments in the issue yet
There's been a terminology discussion on the terms "claim" and "credential"
Use of the term "credential" in the W3C spec conflicts with its use in Connect
Daniel Buchner filed a related issue requesting use of Presentation Exchange
https://bitbucket.org/openid/connect/issues/1230/adopt-presentation-exchange-as-an
Kristina said that there would need to be an OpenID Connect profile of it to use it interoperably
Kristina wrote a note explaining the relationships of the draft to other existing specifications
http://lists.openid.net/pipermail/openid-specs-ab/2021-May/008259.html
Nat also discussed the relationship to the Claims Aggregation draft
https://openid.net/specs/openid-connect-claims-aggregation-1_0.html
Tony doesn't like there potentially being multiple ways to do claims aggregation
Tobias shares Tony's concern
Tony would like to see unification with the Claims Aggregation draft
Jeremie talked about presenting proofs that you have a set of claims
He sees that as being different than Claims Aggregation
Tobias said that sometimes you need to request and obtain binding information for Verifiable Presentations
Kristina said that SIOP doesn't have endpoints to enable negotiation, so an extension would be needed
Mike spoke in favor of adoption
He said that there's consensus for defining mechanisms for requesting and receiving Verifiable Presentations
This draft is the result of a few months of discussion on doing this
He said that this seems like a reasonable starting point
He also expressed a preference for doing the work in the working group, with IPR protections
Nat said that this would be harmonized with the Claims Aggregation work
Nat said that we'd need to wait until next Thursday to formally adopt the draft
Tony asked whether we couldn't just not do this and use Presentation Exchange instead
Tom said that Presentation Exchange does define some protocol behaviors
Mike said that we should also be aligning with use of the existing "claims" request parameter
Such as how it's used by OpenID Connect for Identity Assurance
Kristina said that W3C Verifiable Credential Objects could add support for Presentation Exchange as an option
Kristina explained that the scope of this draft is greater than SIOP, since it could be used with third party OPs
Browser Interactions Call Report
Tim reported that some progress is slowly happening
Heather Flanagan's workshop should be scheduled soon but it isn't finalized yet
The target dates are May 25th and 26th
There was a discussion on possibly tagging cookies as being session cookies
There's a SAML logout use case being written
Vittorio reported that there have been discussions on lessons learned from the Mozilla Persona experience
He said that he doesn't see how browsers can expect the server-heavy flows to stop happening
He said that a possible principle is that the browser can't be in the middle of all identity interactions
OpenID Connect Federation
Roland Hedberg has made the changes requested and the implementers have signed off on them
Mike will review and publish a new draft
This will probably be the basis of the next Implementer's Draft vote
The new OIDF Executive Director Gail Hodges started on May 1st
https://openid.net/2021/04/28/welcoming-gail-hodges-as-our-new-executive-director/
OAuth Interim Call on HTTP Signing
Nat reported that Justin Richer gave a status report on the HTTP signing work
There was an agreement that new OAuth HTTP signing work would need a new call for adoption
This would be a profile of the signing work in the HTTP working group
https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-message-signatures
https://datatracker.ietf.org/meeting/interim-2021-oauth-10/materials/slides-interim-2021-oauth-10-sessa-http-message-signing-00
Tobias reported that the signed HTTP elements would be canonicalized before signing
DW reported that they are planning to reuse JOSE algorithms
They provide a key ID but not an algorithm
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
We ran out of time to get to this
Next Calls
The next regular Connect call is scheduled for Monday, May 17th at 4pm Pacific Time