[Openid-specs-ab] Spec Call Notes 24-Feb-22
Mike Jones
Michael.Jones at microsoft.com
Thu Feb 24 21:37:37 UTC 2022
Spec Call Notes 24-Feb-22
Mike Jones
Joseph Heenan
David Chadwick
George Fletcher
Rifaat Shekh-Yusef
Tom Jones
Bjorn Hjelm
Kristina Yasuda
John Bradley
Identiverse
George's submission on prompt=create was accepted
https://openid.net/specs/openid-connect-prompt-create-1_0.html
He plans to talk about why it exists from a user experience perspective
Mike's and Pieter Kasselman's submission on OAuth DPoP was accepted
They will describe how DPoP has evolved to have mitigations to specific actual threats
Kristina and Torsten's OIDC4SSI submission was accepted
Kristina and Torsten will describe the specs and use cases
Joseph's "Top OAuth2 mistakes found in production mobile apps" was accepted
Joseph's "Protocol conformance testing driving interoperability and security" was accepted
It will be the first Identiverse presentation on OpenID Certification
IETF 113 in Vienna
Rifaat told us that the OAuth working group has two sessions
OSW
https://oauth.secworkshop.events/osw2022
Open for submissions until March 23rd
FIDO Authenticate
Open for submissions
EIC
Open for submissions until February 28th
David Chadwick has a presentation on "How to do SSI using existing infrastructure"
He also has a submission on "How to build trust..."
George has a submission on "mobile app impersonation" aka "will the real mobile app please stand up"
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1400: Issuer Handling in SIOP
Also see PR #120: Issuer Handling SIOP
John has mixed feelings but is not opposed to the change
Kristina said that this generalizes "iss" to no longer always be an https URI
Kristina said that we may want to separately convey trust in a wallet, perhaps through an attestation claim
She said that in the mDL space, there's a lot of emphasis on determining trust in the wallet
John noted that Microsoft, Google, and Apple are likely to have different attestation formats
John said that the issuer isn't the Wallet
Kristina plans to write a PR adding an attestation claim
John and George talked about the differences in trusting apps, software providers, wallets, and issuers
And the relationship to trust frameworks
Kristina asked George to write a comment on the separation between IdP software and the entity
John is concerned that every issuer will have their own wallet
There was no opposition on the call to merging PR #120
#1429: Replace JWK Thumbprint URI with JWK URI
Mike summarized the discussions so far for John, etc.
He talked about "sub" needing to be stable and of modest size
John said that large "sub" values will randomly blow up RPs
David said that RPs could instead compute their own stable identifier
John said that RPs expect something stable for the subject
John observed that JWK URI is sort of equivalent to having a self-contained DID in the URI
Such as did:key
John said that people could think of this as a simplified self-encoded DID
Kristina said that it's different from did:key because did:key has a DID Doc
She's concerned about adding a third type because less functionality is more
John said that if we can encode the key as a DID, we don't need JWK URI
David Chadwick is happy to close this in favor of PR #127
Pull Requests
https://bitbucket.org/openid/connect/pull-requests/
PR #127: Added support for JWK URI
Kristina will file an issue questioning the need for a third identifier type and link to this PR
John isn't in favor of a third identifier type
Next Call
The next call will be a regular working group call on Monday, February 28, 2022 at 3pm Pacific Time