[Openid-specs-ab] SIOP Special Call Notes 10-Feb-22
Mike Jones
Michael.Jones at microsoft.com
Thu Feb 10 21:39:34 UTC 2022
SIOP Special Call Notes 10-Feb-22
Mike Jones
Kristina Yasuda
Torsten Lodderstedt
Joseph Heenan
Petteri Stenius
Bjorn Hjelm
David Chadwick
Brian Campbell
Kenichi Nakamura
Daniel Fett
Jo Vercammen
David Waite
Approved Implementer's Drafts
The two approved SIOP-related Implementer's Drafts are:
https://openid.net/specs/openid-connect-self-issued-v2-1_0-ID1.html
https://openid.net/specs/openid-connect-4-verifiable-presentations-1_0-ID1.html
Open Pull Requests
https://bitbucket.org/openid/connect/pull-requests/
PR #120: Issuer Handling SIOP
This was also discussed on the preceding Connect call
Vittorio had asked on a previous call why use cases where "sub" and "iss" are different aren't interesting
Torsten is interested in having an attestation about the software producing the ID Token
This would be a different issue
The IETF RATS and EAT working groups are doing attestation-related work
Torsten said that having "iss" == "sub" would enable an ID Token to be a Verifiable Presentation
George said that in the third-party case, the "iss" is used to validate the metadata and keys of the issuer
George said that we should have a non-normative note clarifying the motivations
Mike observed that if "iss" doesn't point to .well-known/openid-configuration, we lose the ability to retrieve metadata from the issuer
Torsten said that in SIOP v1, we already couldn't do this
Mike agreed to file a comment on issue #1400 about this
PR #101: Fetching presentation definitions from a remote repository
Torsten filed a comment on the organization of the PR
David agreed to reorder the text as suggested by Torsten
Torsten also filed a comment on the metadata values
David disagreed with him
We agreed that request by value should be the default
People are requested to comment in the PR on the metadata syntax
PR #124: [oidc4vci] clarify sub value in the ID Token Issue #1426
We discussed this with issue #1426, as recorded below
PR #107: Support for federations using the termsOfUse property
David asked about using "anyof"
Torsten said that there are numerous issues with parsing and the specification of it
Kristina said that PE v2 is still being actively worked on
Torsten said that PE doesn't mention "anyof"
Torsten suggested simplifying the example to have a single value
Torsten said that PE doesn't support what David wants and that would have to be addressed in the PE spec
Kristina asked for David to provide an assessment of how stable PE v2 is
David agreed that v1 is more stable
He said that v2 will be vastly superior, as it defines an MTI core and optional features
Torsten said that v2 format functionality is better and needed
Torsten doesn't want to have to define an OpenID profile of PE v1
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1426: Clarification of "sub" value
Torsten said that everything about "sub" in OpenID Connect Core still applies
George is worried about ephemeral identifiers
Torsten said that this is the "sub" in the issuance draft, not the "sub" in the SIOP ID Token
Implementers want to know what to put in the "sub" value
Daniel said that whatever is in the "sub" should be about the End-User
Kristina suggested clarifying that everything about the Connect ID Token applies
She also said that there may be cases in which an ID Token isn't needed
Daniel said that the ID Token is needed to contain the "nonce" in the reply
Torsten said that the alternative is to turn this into a pure OAuth flow
Kristina will update the PR
She will file a separate issue about whether to turn this into a pure OAuth flow
#1429: Replace JWK Thumbprint URI with JWK URI
David prefers to send the entire key as a URI
He said that RPs that want a stable identifier could create one by applying the JWK Thumbprint rules
Mike said that having the "sub" be a stable identifier of limited size is important
Mike said that having RPs compute the stable identifier from the "sub" would be an unnecessary departure from Connect Core semantics
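As an added example (not part of these notes or of any OpenID Foundation code), the JWK Thumbprint rules David refers to, computed per RFC 7638 (only the required members of the key, lexicographically ordered, no whitespace, SHA-256, base64url), together with the RP-side check that a presented key matches a thumbprint-based "sub". The `urn:ietf:params:oauth:jwk-thumbprint:sha-256:` prefix is assumed from the SIOP v2 draft's subject URI form, and the key values are constructed samples, not real keys.

```python
import base64
import hashlib
import json

# Members hashed for each key type, per RFC 7638 section 3.2.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}
# Subject URI prefix assumed from the SIOP v2 draft.
THUMBPRINT_URI_PREFIX = "urn:ietf:params:oauth:jwk-thumbprint:sha-256:"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: optional members (kid, alg, use, ...) are ignored."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    members = REQUIRED_MEMBERS[kty]
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK missing required members: {missing}")
    # Canonical form: required members only, sorted keys, no whitespace.
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def thumbprint_uri(jwk: dict) -> str:
    """Stable, size-bounded subject identifier derived from the key."""
    return THUMBPRINT_URI_PREFIX + jwk_thumbprint(jwk)


def sub_matches_sub_jwk(sub: str, sub_jwk: dict) -> bool:
    """RP check: the "sub" must be the thumbprint URI of the presented key."""
    if not sub.startswith(THUMBPRINT_URI_PREFIX):
        return False
    return sub == thumbprint_uri(sub_jwk)


# Constructed sample keys (values are not real curve points; only hashed here).
SAMPLE_EC_JWK = {"kty": "EC", "crv": "P-256",
                 "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
                 "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
# Same key with extra metadata and a different member order: same thumbprint.
SAMPLE_EC_JWK_DECORATED = {"y": SAMPLE_EC_JWK["y"], "x": SAMPLE_EC_JWK["x"],
                           "alg": "ES256", "kid": "key-1", "use": "sig",
                           "crv": "P-256", "kty": "EC"}
OTHER_EC_JWK = dict(SAMPLE_EC_JWK, x="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
```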
Next Call
The next Connect call will be on Monday, February 14, 2022 at 3pm Pacific Time