[Openid-specs-ab] SIOP call notes (2021-Nov-17)
Kristina Yasuda
Kristina.Yasuda at microsoft.com
Thu Nov 25 08:58:47 UTC 2021
Daniel Fett
Andrew Hughes
George Fletcher
Jo Vercammen
David Waite
Joseph Heenan
David Chadwick
Stephane Durand
Tom Jones
John Bradley
Anthony Nadalin
Bjorn Hjelm
Kristina Yasuda
- IPR reminder/recording
- Introductions/re-introductions
  * Jo moved to a Chief Innovation Officer role in Meeco :)
- Agenda bashing/adoption
- Events/External orgs
  * David Chadwick raised some concerns regarding the vc-data-model v1.1 revision
  * People are encouraged to review issues and PRs: https://github.com/w3c/vc-data-model/issues
  * Everyone is invited to the OAuth Security Workshop (it's free!!)
    * https://barcamps.eu/osw2021/
    * The "RISK MITIGATION FOR CROSS DEVICE FLOWS" session covers cross-device SIOP conversations too
- PRs https://bitbucket.org/openid/connect/pull-requests/
  * Discuss (max 15min each)
    * PR#70 simplifying did_methods_supported metadata
      * We discussed that a dynamic deny list should not be introduced, since new DID methods are rapidly emerging, and if you did not introduce support for a new DID method, did not put it inside the metadata, and the RP uses it, it will be an error. It would be simpler to explicitly specify only those DID methods you support.
    * PR#68 SIOP v2 revision
      * Stephane reviewed the PR and suggested moving the non-normative sections describing known browser behavior to the `Implementation Considerations` section. WG agreed.
      * WG agreed to add text to clarify that same-device SIOP can be used for authentication while cross-device SIOP should not be (PR #68).
        * In same-device, if the bad RP starts the flow, SIOP may not be able to verify the origin of the request, but the SIOP controls where the redirect goes, so the response will not go back to the bad RP.
        * In same-device, if the good RP starts the flow and someone tries to MITM, the RP will not accept the response because it is supposed to check that the response is coming back over the same channel the request was sent on (same-device SIOP responses are response_mode=form_post and go through the browser).
    * PR#50 response-as-push
      * We discussed that because PARM can be used with both same-device and cross-device SIOP, the mechanism to indicate support (or lack of it) of PARM by the RP has to work with both flows, which means it cannot be another response_mode.
      * The RP not including parm_supported registration metadata is potentially enough to tell SIOP NOT to use PARM; if parm_supported is included, the final decision to use PARM or not will still be up to SIOP.
      * https://bitbucket.org/openid/connect/pull-requests/50#comment-261976925
  * Awaits changes from the authors
    * PR #45 additional OIDC4VP security considerations (Torsten)
    * PR #57 encrypted id_token_hint (DW)
    * PR #55 reference to DCR (DW)
- Issues https://bitbucket.org/openid/connect/issues?status=new&status=open&component=SIOP&component=Verifiable%20Presentation
  * #1241 - Resolved
  * #1263 - Resolved
  * #1259 - Resolved
  * #1261
    * Can be resolved once JWK Thumbprint URI is registered; assigned to Mike
  * #1208 - Resolved
  * #1291
    * Agreed to close when PR #68 gets merged
  * #1292
    * DW to write up concrete text for a "subject resolving identifier" that is more generic than DIDs.
    * Kristina said we should not redefine DID resolution.
  * #1353/#1254
    * We discussed comments made on the PR and agreed to continue the discussion.
- We agreed to host a SIOP call next week for the European colleagues despite it being Thanksgiving in the US.
Best,
Kristina
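The same-channel check the notes attribute to the RP for same-device SIOP (the form_post response must come back in the browser session that started the request), sketched here as an added illustration; this is not code from the notes or the SIOP specification, and the RelyingParty class, session identifiers and field names are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class RelyingParty:
    """Minimal RP request store keyed by browser session (constructed for illustration)."""
    # session_id -> state value issued with the outstanding SIOP request
    pending: dict = field(default_factory=dict)

    def start_request(self, session_id: str) -> dict:
        """Issue a same-device SIOP request bound to the caller's browser session."""
        state = secrets.token_urlsafe(16)
        self.pending[session_id] = state
        return {"response_mode": "form_post", "state": state}

    def accept_response(self, session_id: str, form: dict) -> bool:
        """Accept a form_post response only if it arrives in the session that
        issued the request and echoes that session's state (one use only)."""
        expected = self.pending.pop(session_id, None)
        if expected is None:
            return False  # no outstanding request in this browser session
        return secrets.compare_digest(expected, form.get("state", ""))


def demo() -> tuple:
    """Same-device flow: the response posted back through the originating browser
    is accepted; the same response relayed into another session is not, and a
    replay in the original session is not either."""
    rp = RelyingParty()
    req = rp.start_request("browser-A")
    response = {"state": req["state"], "vp_token": "<constructed token>"}
    same_channel = rp.accept_response("browser-A", response)   # True
    replay = rp.accept_response("browser-A", response)         # False, state consumed

    rp2 = RelyingParty()
    req2 = rp2.start_request("browser-A")
    relayed = {"state": req2["state"], "vp_token": "<constructed token>"}
    other_channel = rp2.accept_response("browser-B", relayed)  # False, wrong session
    return same_channel, replay, other_channel


if __name__ == "__main__":
    print(demo())
```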