[Openid-specs-ab] SIOP Special Call Notes 3-Feb-22
Mike Jones
Michael.Jones at microsoft.com
Thu Feb 3 20:16:09 UTC 2022
SIOP Special Call Notes 3-Feb-22
Mike Jones
Petteri Stenius
Daniel Fett
Kristina Yasuda
Torsten Lodderstedt
Jo Vercammen
George Fletcher
Bjorn Hjelm
David Chadwick
Juan Caballero
Stephane Durand
Outstanding Implementer's Draft Approval Votes
https://openid.net/foundation/members/polls/261 - prompt=create
https://openid.net/foundation/members/polls/266 - SIOPv2 and OIDC4VP
If you are not presently a member, you can join at https://openid.net/foundation/members/registration in order to vote.
We need another 22 votes to reach quorum. Please participate!
Open Pull Requests
https://bitbucket.org/openid/connect/pull-requests/
PR #119: fixes #1425 - adds security consideration for confidentiality response (same-device)
We agreed to merge this
Christina Bauer is also doing more security analysis of #1425
PR #110: implementation consideration for cross device flow
We discussed the wording "typically from the Internet", which raises unanswered questions
PR #101: Fetching presentation definitions from a remote repository
We think this can be merged after resolving merge conflicts
PR #120: Issuer Handling SIOP
This new PR addresses issue #1400
Torsten said that this simplified the specification
We discussed Vittorio's comment on #1400
We agreed to talk about this in the regular working group call on 10-Feb-22
Because this is an architectural addition that could also be used by existing OPs
George used the analogy of having both personal and business cards in his wallet
He asked about the privacy implications of having the issuer identify the wallet
Torsten pointed out that then there wouldn't be a way for an RP to know whether you're talking to a SIOP or not
He asked for input on that topic
We discussed filing a separate issue on this topic
Torsten said that he'd like SIOPs to be both third party OPs and self-hosted OPs
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1417: Defining SIOP and the scope of its specification
Stephane requested that we clearly define what we mean by SIOP in one place
SIOPs issue self-signed ID Tokens
Whether it's self-hosted is a separate issue
Mike said that we should discuss the implications of whether the OP is self-hosted or not
This is related to both #1400 and #1399 (whether we support additional response types)
Torsten suggested we address this after the discussions on #1400, etc. have played out
#1426: Clarification of "sub" value
We should state that the "sub" is always about the End-User
#1427: Credential issuance with PKCE or without?
Mike said that it's a longer discussion on the pros and cons of using PKCE
Note that Connect Core flows don't use PKCE and requiring it would be a breaking change
OAuth 2.1 explicitly does not require PKCE when OpenID Connect is used
Torsten said that FAPI requires PKCE
#1429: Replace JWK Thumbprint URI with JWK URI
We ran out of time to discuss this issue
People are requested to read it and respond with issue comments
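Issue #1429 concerns the JWK Thumbprint URI that a SIOP uses as the "sub" of its self-signed ID Token, binding "sub" to the "sub_jwk" claim. As an added illustration that is not part of these notes, the following Python computes the RFC 7638 thumbprint and checks that binding on a verifier's side; the key and claims are constructed samples, and signature verification of the ID Token is a separate step not shown here.

```python
import base64
import hashlib
import hmac
import json

# RFC 7638: only these members, per key type, feed the thumbprint hash.
_REQUIRED = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}
THUMBPRINT_URI_PREFIX = "urn:ietf:params:oauth:jwk-thumbprint:sha-256:"


def canonical_jwk(jwk: dict) -> str:
    """Required members only, lexicographically sorted, no whitespace."""
    try:
        members = _REQUIRED[jwk["kty"]]
    except KeyError as exc:
        raise ValueError(f"unsupported or missing kty: {jwk.get('kty')!r}") from exc
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK lacks required members {missing}")
    return json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url (no padding) of SHA-256 over the canonical JWK."""
    digest = hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def jwk_thumbprint_uri(jwk: dict) -> str:
    return THUMBPRINT_URI_PREFIX + jwk_thumbprint(jwk)


def sub_matches_sub_jwk(claims: dict) -> bool:
    """True only if 'sub' is exactly the thumbprint URI of 'sub_jwk'."""
    sub, sub_jwk = claims.get("sub"), claims.get("sub_jwk")
    if not isinstance(sub, str) or not isinstance(sub_jwk, dict):
        return False
    if not sub.startswith(THUMBPRINT_URI_PREFIX):
        return False  # bare thumbprints or other sub formats are rejected
    return hmac.compare_digest(sub, jwk_thumbprint_uri(sub_jwk))


# Constructed sample (not a real key): x/y are arbitrary base64url strings.
# The extra "use" member shows that non-required members do not affect the hash.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "use": "sig",
              "x": "c29tZS14LWNvb3JkaW5hdGU", "y": "c29tZS15LWNvb3JkaW5hdGU"}
SAMPLE_CLAIMS = {"iss": "https://self-issued.me/v2", "aud": "https://rp.example",
                 "sub": jwk_thumbprint_uri(SAMPLE_JWK), "sub_jwk": SAMPLE_JWK}
```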
Next Call
The next Connect call will be Monday, February 7, 2022 at 3pm Pacific Time