[Openid-specs-ab] SIOP Special Topic Call Notes 21-Apr-22
Mike Jones
Michael.Jones at microsoft.com
Thu Apr 21 17:05:06 UTC 2022
SIOP Special Topic Call Notes 21-Apr-22
Mike Jones
Kristina Yasuda
Brian Campbell
Torsten Lodderstedt
Joseph Heenan
David Waite (DW)
Bjorn Hjelm
Mike Varley
John Bradley
David Chadwick
Vittorio Bertocci
Petteri Stenius
Jeremie Miller
Jo Vercammen
SIOP Whitepaper
The draft is available
https://docs.google.com/document/d/1H556GIM_xD1yKl7rw1seq4bu83movFCkU8fQ7T8b1dI/edit
Please continue adding comments to the draft and indicating whether you agree with others' comments
IIW
Kristina created a spreadsheet of proposed IIW Sessions
https://docs.google.com/spreadsheets/d/1-vrUqJNOQxW8LQi3trmY0FVerHjuAtBiEOKiZVgUDHE/edit#gid=0
Please contribute
Open Pull Requests
https://bitbucket.org/openid/connect/pull-requests/
PR #149: Credential Issuance based on OAuth
Torsten pointed out that this PR has no outstanding comments
We decided to merge this one
PR #147: SIOP v2 Code Flow
Torsten addressed Kristina's comments earlier today
We agreed to merge this one
PR #157: Building Trust between Wallet and Issuer
Torsten discussed the motivation for the PR
We discussed using x5c to represent an attestation chain
Mike is to provide feedback
Torsten described key attestation
Torsten asked if anyone was familiar with how Android key attestation works
John said that it is more complicated than SafetyNet
David Chadwick asked whether we're in danger of replicating the WebAuthn/FIDO2 attestation mechanisms
Torsten asserted that we want to use what's already in the field
John said that you need to include a challenge in a remote attestation, which FIDO does
John said that SafetyNet doesn't actually attest to the key
SafetyNet attests to operating system integrity and the hash of the public key of the developer making the request
He said that the history is for game development - giving assurance of the integrity of the phone, etc.
DW said that iOS AppAttest is similar
He wasn't sure whether that is the same as the Apple WebAuthn attestation
EIDAS certifications were brought up
John asked how attestations work in mDL
Kristina said that mDL doesn't trust the app to provide an attestation
John said that this assumes that you have the ability to run something in the trusted execution environment
Kristina said that there isn't necessarily a TEE
Kristina asked whether we want to add FIDO attestations to the PR
Torsten said that we need to support client attestation as well as key attestation
He wants to include Apple, Google, FIDO, and Qualified Electronic Signature attestations
Torsten wants verifiers to be able to verify membership in a Trust Framework
He also wants to support this in the VP spec
Torsten said that this is a very important piece of the overall trust model
John asked if it's self-issued, what does it really mean?
People are encouraged to review the PR
David Chadwick asked about the opportunity for things to be hacked if time has passed
John said that we need to separate out wallet integrity from key integrity
John said that he doesn't like making it the RP's responsibility to verify wallet integrity
Torsten agreed
Kristina said that this transcends the issuance spec - we want this for verification and SIOP too
PR #156: [OIDC4VP] and an example of presenting ISO/IEC 18013-5:2021 mDL
Kristina described the PR and its motivation
There are several approvers and no opponents
We agreed to merge this
PR #148: SIOP support metadata & Request SIOP
Kristina talked about the impact of self-signing self-issued ID Tokens
Kristina pointed out that Mike doesn't like "op-issued"
Torsten said that Jeremie asked whether the same OP can support both self-signed and third-party signed ID Tokens
Torsten said that this decision affects the flexibility of deployments
Metadata can be used to distinguish between the cases
Torsten said that some of what we've done in the SIOP V2 spec could be considered as extensions to OpenID Connect itself
DW said that we need to keep the RPs' verification logic simple
DW said that metadata advertising what kinds of ID Token behaviors to expect would be good
Kristina wants to publish the three specs now that we've merged what we did today
Mike confirmed that we are publishing to openid.net/specs - not just openid.bitbucket.io
Torsten said that the issues are more general than the naming of parameters
Mike said that he hoped we could make progress on the parameter names
Mike said that "self-signed" and "non-self-signed" would be better than what's there now
Kristina suggested "self-signed" and "attester-signed"
There was substantial support for these identifiers
Kristina asked Torsten to add a note describing the larger discussion
PR #145: Revises the approach to credential metadata publishing
Drops the use of the DIF Credential Manifest in favor of something simpler
Clarifies that the spec can be used to issue more than just Verifiable Credentials
Kristina asked people to review
PR #148: SIOP support metadata & Request SIOP (again)
Torsten asked for review of the updates he just made
Kristina asked DW and Mike to review prior to publication
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
We didn't discuss open issues
Next Call
The next SIOP call will be on Thursday, April 28, 2022 at 7am Pacific Time (yes, during IIW week)