[Openid-specs-ab] SIOP call notes (2022-Apr-7) - Atlantic call @ 8AM PST
Kristina Yasuda
Kristina.Yasuda at microsoft.com
Fri Apr 8 03:24:42 UTC 2022
Nat Sakimura
Petteri Stenius
Joseph Heenan
David Chadwick
John Bradley
Jeremie Miller
Jo Vercammen
George Fletcher
Torsten Lodderstedt
David Waite
Kristina Yasuda
Apologies that the URL in openid.net calendar was incorrect - that should be fixed now (Thank you, John!).
- Events/External orgs (borrowed from MODRNA WG's notes, since it had a great summary)
o OpenID Foundation Workshop Spring, Mountain View, CA, Apr. 25, 2022 (in person and remote)
o IIW Spring, Mountain View, CA, Apr. 26-28, 2022
o OAuth Security Workshop <https://oauth.secworkshop.events/>, Trondheim, Norway, May 4-6, 2022
o European Identity and Cloud Conference (EIC) <https://www.kuppingercole.com/events/eic2022>, Berlin, Germany, May 10-13, 2022
o RSA <https://www.rsaconference.com/usa>, San Francisco, CA, Jun. 6-9, 2022
o Identiverse <https://identiverse.com/>, Denver, CO, Jun. 20-23, 2022
- Strategic whitepaper update
* Jo gave an update that the small group that has been working on the strategic whitepaper positioning OIDC4SSI work in the broader SSI ecosystem is planning to present the draft of the whitepaper to the group at the next SIOP call
* The plan is to present and discuss the whitepaper at the IIW and then EIC, after reflecting the WG comments
- PRs https://bitbucket.org/openid/connect/pull-requests/
* Discuss - please review (discussion max 15min each)
* PR #138 - oidc4vci: pre-authorized code. Resolves issues 1465 and 1450
* Agreed that the Security Considerations have been improved.
* Merged.
* Jeremie commented that this is a significant improvement over a nonce endpoint flow
* PR #142 oidc4vp: example with anoncreds
* Merged
* The purpose is to illustrate that the specification works with any credential format; the specification itself does not recommend any format over the other
* Kept Hyperledger Indy SDK as a reference for AnonCreds, with potentially updating it in the future if it becomes a standard in an SDO
* PR #144 Update SIOPv2 definition
* Merged
* PR #147 - SIOPv2 code flow. Issue 1399
* Enables SIOP to use any OIDC flow such as code flow
* Overall consensus on the direction of the PR
* Jeremie suggested adding a use-case that clarifies when SIOP is beneficial to use code flow and when implicit flow suits better
* John suggested eGovernment use-cases with cloud-based wallets would benefit from SIOP using code flow
* PR #148 - metadata indicating support for SIOPv2. Issues 1430/1431
* PR introduces two new parameters, an OP metadata parameter and an authz request parameter, to clarify support for, or request, a certain ID Token type
* Agreed to rename 3rd-party-issued to OP-issued
* Agreed to make the op-issued ID Token the default, with the RP explicitly asking which ID Token type it wants
* Agreed to make authz parameter id_token_type an ordered array of space delimited strings (preference from left to right) (to be able to add other ID token types if needed in the future...)
* It was mentioned that the vast majority of RPs are very likely to be supporting both self-issued and op-issued ID Tokens.
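As an added illustration of the rules agreed above (not code from the call or from the SIOPv2 draft), the following sketches how an OP/SIOP would pick an ID Token type from the ordered, space-delimited `id_token_type` request parameter and its own metadata, defaulting to op-issued when the RP asks for nothing, and how an RP would check that the type it received is one it asked for. The metadata key name `id_token_types_supported` and the value strings `op-issued` / `self-issued` are assumptions for illustration only.

```python
# Added example, not part of the call notes or the spec text.
# Assumed names: metadata key "id_token_types_supported" and the value
# strings "op-issued" / "self-issued"; the request parameter name
# "id_token_type" is the one discussed on the call.

DEFAULT_ID_TOKEN_TYPE = "op-issued"
KNOWN_TYPES = {"op-issued", "self-issued"}


def parse_id_token_type(param):
    """Turn the request parameter into an ordered preference list.

    Absent/empty parameter -> [default].  Values are ordered left-to-right by
    preference; unknown values are skipped (not rejected) so that new ID Token
    types can be added later, and duplicates are dropped.
    """
    if param is None or not param.strip():
        return [DEFAULT_ID_TOKEN_TYPE]
    ordered = []
    for value in param.split():
        if value in KNOWN_TYPES and value not in ordered:
            ordered.append(value)
    return ordered


def select_id_token_type(request_param, op_metadata):
    """OP side: first RP preference the OP supports, or None (error response).

    If the OP publishes no supported types, it is assumed to support only the
    default op-issued type.
    """
    supported = op_metadata.get("id_token_types_supported", [DEFAULT_ID_TOKEN_TYPE])
    for wanted in parse_id_token_type(request_param):
        if wanted in supported:
            return wanted
    return None


def rp_accepts(issued_type, request_param):
    """RP side: the type actually issued must be one the RP asked for (or the
    default when it asked for nothing), so a response cannot quietly hand back
    a different kind of token than the RP expects to validate."""
    return issued_type in parse_id_token_type(request_param)
```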
* PR #143: siopv2: usage of encrypted id_token_hint
* Agreed to merge once DW incorporates suggestions in the comments
* PR #145: oidc4vci: Revises the approach to credential metadata publishing. Issue 1466
* Ran out of time to discuss
- Issues https://bitbucket.org/openid/connect/issues?status=new&status=open&component=SIOP&component=Verifiable%20Presentation&component=Credential%20Issuance
* (Max 15min per issue)
* #1473: RP as synonym for wallet might be misleading
* Ran out of time
- As discussed in the previous SIOP call, editors triaged the issues to identify potential breaking changes in SIOPv2 and OIDC4VP specifications. This is important to be able to refer to these standards in ISO documents.
* Breaking
* 1470: [oidc4vp] response_type = vp_token only in OIDC4VP
* [siopv2] guidance around which claim the RP uses to re-authenticate the user, if it does (many issues boil down to this)
* 1399: [siopv2] add text to SIOP that it can be used with traditional OPs
* 1430/1431: [siopv2] adding RP/SIOP metadata to clarify it is SIOP
* 1402: [siopv2] Cross device flow w/ and w/o authorization_endpoint
* Non-breaking
* 1412: [siopv2] (optional) attestation claim to the ID Token - would not be breaking unless optional
* 1401: [siopv2] Advanced/Better discovery/registration - might be important in light of solving a NASCAR problem
* 1448: [siopv2] def of cross-device
* 1389: [oidc4vp] unify vp_formats
Best,
Kristina