[Openid-specs-ab] SIOP Special Topic Call Notes 11-Aug-22
Mike Jones
Michael.Jones at microsoft.com
Thu Aug 11 17:17:43 UTC 2022
SIOP Special Topic Call Notes 11-Aug-22
Kristina Yasuda
Mike Jones
Joseph Heenan
Giuseppe De Marco
David Chadwick
Brian Campbell
John Bradley
George Fletcher
David Waite (DW)
Jeremie Miller
Pull Requests
https://bitbucket.org/openid/connect/pull-requests/
PR #265: static configuration data in openid4vp and siopv2
Kristina said that this needs to be reworked to incorporate feedback
David Chadwick said that this would be the minimum MTI subset
Kristina said that it's not MTI at present
David Chadwick said that this would be the default
Mike told people about the MTI requirements in the Connect Core spec
https://openid.net/specs/openid-connect-core-1_0.html#ImplementationConsiderations
George said that we should either define a minimum or define nothing at all
Kristina said that defining MTI functionality could cause push-back in the marketplace
George said that if it's not MTI, maybe we should leave it out for now
Mike suggested that we could add this as a non-normative example in an appendix
David Chadwick said that he wanted this to parallel the same kind of functionality in the SIOP spec
Kristina is supportive of putting this functionality in an appendix
David Chadwick said that we should do the same for SIOP
This is related to issue #1573: Static metadata for the authz server
PR #261: added implementation considerations on credential refresh
This was updated by Jeremie
Additional reviews are requested
We discussed terminology: refresh versus update
Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1590: `vp_formats_supported` server metadata in OpenID4VP underspecified
Kristina asked whether people agree with the proposed syntax
David Chadwick was in support
DW said that he doubts that people actually want this number of choices
Kristina said that the algorithms for different formats might very well be different
Mike said that syntactically, we tend to use metadata names like "id_token_signing_alg_values_supported" rather than "alg"
This is from https://openid.net/specs/openid-connect-discovery-1_0.html
#1577: Cryptographic proof of possession nonce management
Kristina said that the proof is very similar to a DPoP proof
She asked if we should mandate including "jti" like DPoP does
George said that the nonce gives you freshness
Whereas the access token hash proves that it was bound to a particular token
We discussed similarities to DPoP
We discussed threat models, including proof pre-generation
In this case, the person who is the legitimate user of a legitimate client is the attacker
Brian said that the "iat" format in the PR is wrong and to remove "typ":"JWT"
Mike suggested that perhaps people with DPoP expertise compare DPoP to this feature to understand what's parallel and what's different
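To make the nonce/jti/iat/access-token-hash discussion above concrete, here is an added Python example (written for these notes, not code from any PR or spec draft): a server-side verifier for a DPoP-style proof JWT that checks a server-issued single-use nonce for freshness, a jti replay set, an integer NumericDate "iat" window (which also rejects proofs pre-generated for later use), and DPoP's "ath" binding to the access token. The HMAC signer, the default typ value "dpop+jwt" (DPoP's own; these notes do not state the credential proof's typ) and all sample values are assumptions for the demo.

```python
import base64, hashlib, hmac, json, os, time
def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
access_token_hash = lambda token: b64url(hashlib.sha256(token.encode()).digest())  # DPoP "ath"
def make_proof(header, claims, sign):  # compact JWS; `sign` maps the signing input to raw signature bytes
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(sign(signing_input.encode()))
def hmac_signer(key):
    # Constructed stand-in for the client's key pair so the demo runs offline; a real
    # proof is signed with the client's private key and checked with its public key.
    sign = lambda data: hmac.new(key, data, hashlib.sha256).digest()
    return sign, lambda header, data, sig: hmac.compare_digest(sign(data), sig)

class ProofVerifier:
    """Server-side checks for a DPoP-style proof JWT: typ, signature, iat window,
    server-issued single-use nonce (freshness), jti replay, ath binding to the token."""
    def __init__(self, verify_sig, expected_typ="dpop+jwt", max_age=300, skew=60):
        self.verify_sig, self.expected_typ, self.max_age, self.skew = verify_sig, expected_typ, max_age, skew
        self.issued_nonces = set()  # nonces handed out and not yet consumed
        self.seen_jti = set()       # accepted jti values (prune after iat + max_age in production)
    def issue_nonce(self):
        nonce = b64url(os.urandom(16)); self.issued_nonces.add(nonce); return nonce
    def verify(self, proof, access_token=None, now=None):
        now = time.time() if now is None else now
        try:
            h_b64, p_b64, sig_b64 = proof.split(".")
            header, claims = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
        except ValueError:  # wrong part count, bad base64 or bad JSON
            return "malformed"
        if header.get("typ") != self.expected_typ:
            return "bad typ"
        if not self.verify_sig(header, f"{h_b64}.{p_b64}".encode(), b64url_decode(sig_b64)):
            return "bad signature"
        iat = claims.get("iat")
        if type(iat) is not int:  # RFC 7519 NumericDate is a number, not a date string
            return "iat not NumericDate"
        if iat > now + self.skew or iat < now - self.max_age:
            return "stale or pre-dated proof"  # rejects proofs pre-generated for later use
        if claims.get("nonce") not in self.issued_nonces:
            return "nonce not fresh"
        jti = claims.get("jti")
        if not isinstance(jti, str) or jti in self.seen_jti:
            return "missing or replayed jti"
        if access_token is not None and claims.get("ath") != access_token_hash(access_token):
            return "ath mismatch"
        self.issued_nonces.discard(claims["nonce"])  # single use
        self.seen_jti.add(jti)
        return "ok"
```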
Next Call
The next call will be Monday, August 14, 2022 at 4pm Pacific Time