[Openid-specs-ab] OpenID Connect Call Notes by Tobias Looker for the 18-Apr-22 Call
Mike Jones
Michael.Jones at microsoft.com
Tue Apr 19 19:00:58 UTC 2022
# Attendees
Mike Jones
Karthik
Kristina
Vittorio
Nat Sakimura
John Bradley
Tom Jones
Tobias Looker
# Agenda
- DIF dinner pre-iiw
- Logout issues
- SIOP Whitepaper
- SIOP PR's
# DIF dinner pre-iiw
Kristina: DIF (Decentralised Identity Foundation) has kindly invited OIDF members to a dinner on Monday 25th from 6pm @ Craft House Sunnyvale. It's a great opportunity to catch up and discuss a lot of current topics and work items prior to the IIW kickoff on Tuesday. DIF and OIDF have a liaison relationship and we have made some amazing progress together on SIOP :D
The venue is:
Craft House Sunnyvale
295 E. Washington Avenue, Sunnyvale
# Logout issues
Discussed the following issues
https://bitbucket.org/openid/connect/issues?status=new&status=open&component=Logout
Mike: I have raised PRs that I believe address all of these; however, I'm still seeking reviews and approvals. Unless people would like to discuss each individually, I would propose we merge them as they are all straightforward.
Kristina: Can we come back to these at the end of the call to discuss some more?
Mike: Yes
Mike: I will note that once we have addressed these PRs and issues we will have no open issues to address and therefore can transition this spec to final status of standardisation. I would propose we have a customary period of one week review prior to this final change
Vittorio: Although I understand there is a good feeling of closure with regards to this work it feels a bit empty to ratify it. In particular I was unable to find evidence of the session management one being used in production, therefore I wonder if there is any chance we can try again to find some?
Nat: I understand front channel logout is used, however session management is not?
Mike: *Listed some of the implementations certified that support it and including Microsoft AAD, 6-7 OPs and 2 RPs*
Vittorio: That's a good point, if we have implementations then that suffices to me as a reason to finish the standardisation
Mike: Do people agree we should have a 1 week call for feedback on closing this out? Starting from today? I'm willing to make this two weeks
Nat: Yes I believe it should be two
Mike: Ok let's work with a 2 week window
# Discussed the whitepaper
https://docs.google.com/document/d/1H556GIM_xD1yKl7rw1seq4bu83movFCkU8fQ7T8b1dI/edit
Kristina: *Introduced the whitepaper and its purpose to clarify some misunderstandings around some of the work we are doing with SIOP* "I would encourage everyone to read through"
Tony: Is this supposed to cover the wallet cases?
Kristina: what do you mean?
Tony: Will it cover its usage as wallets?
Kristina: How are you defining the term wallet?
Tony: I think this terminology needs to be clarified
Kristina: What I would like to discuss is terminology in this group
Kristina: SSI and Decentralized Identity are loaded terms, others are suggesting self-managed or user-centric identity, can we get a common term agreed here
Nat: Traditional OpenID Connect is already user-centric, I wanted to ask Tony about his objections to the usage of the term wallet
Mike: Responding to Nat's comment about OpenID Connect, there are certainly aspects of the core protocol however there are also aspects that do not, such as the fact that most identities are owned by their provider. One of the things that Kristina asked me to do is to help provide definitions in the terminology section. Decentralized I think is the wrong term, the term user-managed identity doesn't have the same resonance. User-centric feels to fit more with the industry.
Nat: I'm fine with replacing decentralized, I think it is important to separate the deployment from what the protocol allows. I want to avoid OpenID Connect core being positioned as not being user centric.
Mike: I think that is fine and we should also seek to clarify what patterns are user centric after supplying a definition.
Tony: User-centric is a name that has been used and abused over the years, I do believe using the term "user-centric" identity may be used as an argument against the technology.
Kristina: is there an alternative Tony you would suggest?
Vittorio: On the user-centric, I'm a fan although I agree it is old-fashioned. Although I agree with what Nat says about how the core protocol is user-centric. In general I think we might get pushed back but we can manage it. I think the paper is a great thing that is sorely needed but needs some iterations. One is the definitions we are making and the paper is more focused on the how rather than the problem space. The current paper falls into one trap that most content falls into, describes this thing but fails to describe a relationship with the old/existing stuff. For example provider tracking which is regarded as bad in some cases is also an important feature in some situations such as federations therefore I think the paper should acknowledge that.
Kristina: Thanks Vittorio if you could make suggested changes to the draft I think that would be great
Tony: I think the term wallet should be used more
Mike: I'm going to step back and say I think this whitepaper is a huge opportunity for us, if we do a good job this will help to set the thought leadership and help to shape the ecosystem around verifiable credentials SSI and wallets
DW: *provided some great commentary around refining what the purpose of the terminology we use and who it ultimately serves*
Mike: Reading some of the comments in the chat, user-management has a negative perception, many users don't want to "manage" anything related to identity.
Kristina: What I'm hearing is we should accept user-centric for now and add a clarifying paragraph for how it relates to other terms
John Bradley: Expanding on Mike's point, user-centric still feels to imply to me "management" which users don't want.
Mike: I agree, however I think user-centric identity is the best we have at the moment.
Mike: Wearing my chair hat, Kristina has requested half of the up and coming Atlantic connect call for SIOP issues and PRs so we can get these in before IIW and I support this.