[Openid-specs-ab] Spec Call Notes 31-Jan-22
Mike Jones
Michael.Jones at microsoft.com
Tue Feb 1 02:00:34 UTC 2022
Spec Call Notes 31-Jan-22
Mike Jones
Vittorio Bertocci
Tony Nadalin
Nat Sakimura
John Bradley
Brian Campbell
David Waite
Edmund Jay
Outstanding Implementer's Draft Approval Votes
https://openid.net/foundation/members/polls/261 - prompt=create
https://openid.net/foundation/members/polls/266 - SIOPv2 and OIDC4VP
Please participate!
Updated SIOPv2 and OIDC4VP drafts were published addressing editorial issues
See the note at the end of https://openid.net/2021/12/17/first-public-review-period-for-openid-connect-siopv2-and-oidc4vp-specifications-started/
These in-person and hybrid 2022 identity events are upcoming:
IETF 113 in Vienna, March 19-25
https://www.ietf.org/how/meetings/113/
OpenID Workshop and IIW in Mountain View, April 25-28
https://internetidentityworkshop.com/
OAuth Security Workshop in Trondheim, Norway, May 4-6
https://oauth.secworkshop.events/
European Identity and Cloud Conference (EIC) in Berlin, May 10-13
https://www.kuppingercole.com/events/eic2022
Submissions are open until February 28th
FIDO Plenary in Munich, May 24-26
RSA Conference in San Francisco, June 6-9
https://www.rsaconference.com/usa
Identiverse in Denver, June 21-24
https://identiverse.com/
Open PRs
https://bitbucket.org/openid/connect/pull-requests/
PR #119: adds security consideration for confidentiality response (same-device)
Nat asked that a corresponding issue be filed
Nat agreed to review it
Edmund has PRs #59, #60, #63, and #74
PR #60: fixes #1311 - Require refresh tokens
Edmund updated this per working group feedback
After re-review, this is probably ready to merge
PR #63: fixes #1284 - Require Sender Constrained Tokens
Edmund updated this per working group feedback
After re-review, this is probably ready to merge
PR #59: fixes #1225 - clarifies discovery metadata for IA
This hasn't been updated recently
Edmund asked whether we want to have an array of arrays of claim sets
Mike asked whether having a flat array of the union of possible claims would be adequate
Nat suggested that a separate issue be filed
Edmund agreed to do this
PR #74: adds parameter for requesting credential type format - #1276
Kristina and Torsten had suggested reusing mechanisms being defined in other Connect specs
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1415: re-using ID Token as a source of third party attested user-claims
No one seemed to think that this is a good idea
As Nat said on the call, this violates the audience validation
Unless perhaps if there were multiple audiences
Vittorio said that asking for an access token with the correct audience would be preferable
He said that such an access token might be a lot like an ID Token but would have differences
The issue asks for no specification changes
Given there is no support for the idea, we proposed to close the issue on that basis in a week
#1411: specify how ekyc-ida syntax can be used with Verifiable Credentials
The next step seems to be to create a concrete proposal
#1402: Cross device flow w/ and w/o authorization_endpoint
People are asked to review
#1401: Advanced cross device flow for SIOP
Torsten agreed to create a PR
#1400: Issuer Handling in SIOP
Torsten proposes indicating that the token is self-issued by having "iss" be equal to "sub"
This is similar to what is done in self-signed certificates
Vittorio asked whether we want to rule out scenarios for which the values would be different
In the chat, he wrote "it sounds like forcing those two values to be the same would constrain the range of possible scenarios, hence it would be interesting if we could list some of the combinations that would no longer be possible and have one-liners explaining why they aren't interesting"
John said that Stephane Durand raised similar issues in the comments
Next Call
The next Connect call will be the SIOP Special Topic call on Thursday, February 3rd, 2022 at 7am Pacific Time