[Openid-specs-ab] Minutes of SIOP meeting 11 Aug 22

David Chadwick d.w.chadwick at verifiablecredentials.info
Thu Aug 11 15:01:15 UTC 2022


Minutes of SIOP call.
Attendees
Kristina Yasuda
Mike Jones (Chair)
David Chadwick (Minutes)
Joseph Heenan
Rifaat Shekh-Yusef
Giuseppe De Marco
Mike Varley
Vladimir Dzhuvinov
Filip Skokan
Brian Campbell
John Bradley
George Fletcher

Agenda
i) There are some new federation issues to discuss
ii) Conference news
  - JWK Thumbprint RFC 9278 has been published
  - Avast and Norton Lifelock are going to merge
  - Rifaat asked if anyone knows of implementations of DPoP. Giuseppe knows of one and will send this to the list.
  - SD-JWT adoption call ends tomorrow and it will be adopted.

Issues
------
#1549 - RP-Initiated Logout
Vladimir introduced this.
Mike said that logout requests are intended to be idempotent, so it's not an error to request a logout when the user is already logged out. But Mike said the text should be clarified to say whether the OP can do post-logout redirects. The OP should notify all the RPs once the user is logged out.
Filip said if the OP has already logged out the user, but the RP has not, then the user should not be notified about this. Furthermore, the OP cannot redirect the user if the OP no longer has a record of the RP.
Mike said this clarifying text will not be a normative change, and he will write the PR for this.

Certification
-------------
Filip asked Joseph if there were any conformance issues still to be addressed.
#1546 - Unsigned ID Tokens
Integrity of the token is already provided by TLS, so there is no need to additionally sign the token. So this is a conformant implementation. However, Joseph said that we don't want to have a conformance test for no algorithm, so that implementations can pass certification by using no algorithm. Mike said these should be conformant because the specification says they can use no algorithm. However, now we have a server that does not support any algorithm and this is failing the conformance test suite because there is no test for no algorithm. Mike has added a note that the certification test suite should support this.
David asked if we could have different classes of certification so that those that support no algorithm can be identified as such. John said a new conformance profile would need to be created for this. Filip said that there is now an interoperability problem between RPs that do not support no algorithm and a server that only supports no algorithm, as both are certified to the same profile. John suggested the profile should mandate that all implementations support RS256 at least, in order to facilitate interoperability. Mike said we could decide to require more in the conformance profile for servers than in the core specification. (RPs could still only support no algorithm and be conformant.) John will add a note to the issue.
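As an added illustration of the #1546 discussion (this is example code written for these minutes, not code from the OpenID specifications, the certification suite or any implementation named above): an RP-side check that applies the OpenID Connect Core 3.1.3.7 rule that an unsigned ID Token is only acceptable when it was received directly from the Token Endpoint over TLS, and shows why a server that only issues alg "none" tokens fails against an RP whose algorithm allowlist omits "none". HS256 stands in for a real signature algorithm because it needs only the standard library; the claims, keys and client allowlists are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample claims; placeholder values, not from any real deployment.
CLAIMS = {"iss": "https://op.example", "sub": "user-1", "aud": "rp-1"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, alg: str, key: bytes = b"") -> str:
    """Build a compact-serialised ID Token. alg "none" yields an empty
    signature part (RFC 7518 section 3.6); HS256 is used here only because
    it can be computed with the standard library."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    if alg == "HS256":
        sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url_encode(sig)}"
    raise ValueError(f"no signer for {alg} in this example")


def validate_id_token(token: str, supported_algs: set, key: bytes = b"",
                      via_token_endpoint_tls: bool = False):
    """Return (accepted, reason). supported_algs is this RP's allowlist.
    An unsigned token is accepted only if the RP lists "none" AND the token
    came directly from the Token Endpoint over TLS (Core 3.1.3.7, item 6);
    any other token must carry a verifiable signature."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        json.loads(_b64url_decode(payload_b64))  # claims must at least parse
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "malformed token"
    if not isinstance(header, dict):
        return False, "malformed header"
    alg = header.get("alg")
    if alg not in supported_algs:
        return False, f"alg {alg!r} not supported by this RP"
    if alg == "none":
        if sig_b64 != "":
            return False, "alg none with non-empty signature"
        if not via_token_endpoint_tls:
            return False, "unsigned token not received directly over TLS"
        return True, "accepted unsigned token (integrity from TLS)"
    if alg == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False, "bad signature"
        return True, "signature verified"
    return False, f"no verifier for {alg!r} in this example"


def interop_scenario() -> dict:
    """The situation from the minutes: a server that only issues unsigned
    ID Tokens, checked against two RPs certified to the same profile."""
    unsigned = make_id_token(CLAIMS, "none")
    strict_rp = {"RS256", "HS256"}   # never supports "none"
    lenient_rp = {"none", "HS256"}   # supports "none" as Core permits
    return {
        "strict_rp": validate_id_token(unsigned, strict_rp, via_token_endpoint_tls=True)[0],
        "lenient_rp_token_endpoint": validate_id_token(unsigned, lenient_rp, via_token_endpoint_tls=True)[0],
        "lenient_rp_front_channel": validate_id_token(unsigned, lenient_rp, via_token_endpoint_tls=False)[0],
    }


if __name__ == "__main__":
    for name, accepted in interop_scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The allowlist is the whole point: a "none" header is only honoured when the RP opted into it and the transport already guarantees integrity, so a signed token whose header is rewritten to "none" and whose signature part is dropped is rejected by the strict RP (unsupported alg) and by the lenient RP outside the Token Endpoint path.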

No Federation PRs currently outstanding.

Federation Issues
-----------------
#1588 - Rename automatic registration
Editors do not agree with this renaming. Clients are being registered because they are sending the clientID in the request. Kristina asked if clarification text can be added about this clientID, as it is different to the conventional registration use.

