[Openid-specs-ab] SIOP Special Call Notes 24-Feb-22
Mike Jones
Michael.Jones at microsoft.com
Thu Feb 24 22:08:45 UTC 2022
SIOP Special Call Notes 24-Feb-22
Mike Jones
Joseph Heenan
David Chadwick
Kenichi Nakamura
Petteri Stenius
John Bradley
Jo Vercammen
David Waite
OpenID Foundation SIOP Strategy
Kristina reported in the agenda that Jo, Kenichi, David C., Torsten, and herself have started drafting the SIOP whitepaper
Kenichi reported that the volunteers met and created an outline
People are assigned to write sections
The goal is to convince stakeholders of the value of this work
Use cases are an important input
Such as eKYC-IDA and mDL
Kenichi said that one stakeholder is decision makers
Mike observed that another stakeholder is developers and deployers
David Chadwick said that they agreed to not get into arguments about DIDs and blockchains
Open Pull Requests
https://bitbucket.org/openid/connect/pull-requests/
PR #120: Issuer Handling SIOP
As in the general Connect call, no opposition was expressed to merging this during the SIOP call
Mike will merge this after the call
PR #101: Fetching presentation definitions from a remote repository
The new issue #1440 has been raised about whether to have a default and what it should be
Open Issues
#1440: Choosing how to transfer Presentation Definitions
We talked about defaults versus making things mandatory
In a comment, Jo was in favor of having one be MTI
John observed that for interop, people generally want an MTI value
People are requested to discuss the topic within the issue
Second WGLC of JWK Thumbprint URI specification
Mike requested that people respond to the thread "[OAUTH-WG] Second WGLC for JWK Thumbprint URI document" supporting publication
He observed that our SIOPv2 specification has a dependency upon it
We had a meta-level discussion on JWK Thumbprint URIs versus JWK URIs
We agreed to discuss that topic in the Connect WG and not at the IETF
Open Pull Requests
PR #107: Support for federations using the termsOfUse property
David has updated the PR so that the examples should parse
We're waiting for Torsten to verify this
David said that there's a companion paper giving an example of two federations and establishing trust between them
Through the use of DNS pointers
David e-mailed the paper on February 21st in the message "TRAIN paper"
#1349: all/any: Relying Party Registration Metadata Error Response
This was in the proposed agenda but was long ago resolved
#1436: Mental Models
Kristina wrote about the importance of distinguishing between user authentication and sending claims about the user
Jo said that this is related to the subject type choices
Jo said that they are currently doing an implementation and that there's some confusion about subject types
David requested that Jo describe his confusion in an e-mail to David, and David will add Jo's models to the issue
David said that people appear to have different mental models, leading to people sometimes not understanding one another
Petteri, Kenichi, Joseph, and Bjorn declined to add any additional thoughts on this topic
John and DW agreed to comment on the issue
People are encouraged to continue discussion in the issue
#1423: How is the VC replay is being addressed?
We reviewed the issue comments
David Chadwick described his group's implementation
David said that replay is prevented in VPs - not in VCs, which are reusable
John agreed with that mental model
He wonders whether we're not being clear enough about something, such that Nat filed the issue
We probably need to clarify this in the spec
The nonce isn't part of the VC - it's part of the VP
We need to say where the nonce comes from in the request and where it goes in the VP
David and John observed that the answer may be different when using Zero-Knowledge Proofs (ZKPs)
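The point made above, that the nonce from the request lives in the VP rather than in the reusable VC, can be made concrete with a small verifier-side check. The following is an added illustration, not code from the working group or from any of the implementations discussed on the call; the JSON-like structures, the field names (`nonce`, `verifiableCredential`) and the `Verifier` class are constructed here for the example and are simplified relative to the real OpenID4VP and W3C VP formats.

```python
import secrets
import time

# Constructed sample VC: it carries no nonce, so the same object can be
# presented many times without being considered a replay.
SAMPLE_VC = {
    "id": "urn:example:credential:1",            # constructed identifier
    "issuer": "https://issuer.example",           # constructed issuer
    "credentialSubject": {"id": "did:example:holder", "over18": True},
}


def build_presentation(vc, nonce):
    """Holder side: wrap a VC in a VP and bind the VP to the request nonce.
    The VC is embedded unchanged; the nonce sits only at the VP level."""
    return {
        "holder": vc["credentialSubject"]["id"],
        "nonce": nonce,
        "verifiableCredential": [vc],
    }


class Verifier:
    """Verifier side: issues a fresh nonce per request and consumes it once
    when the matching VP arrives, so a captured VP cannot be replayed."""

    def __init__(self, ttl_seconds=300, now=time.time):
        self._now = now                 # injectable clock, used by the tests
        self._ttl = ttl_seconds
        self._pending = {}              # nonce -> expiry timestamp

    def create_request(self):
        nonce = secrets.token_urlsafe(32)
        self._pending[nonce] = self._now() + self._ttl
        return {"response_type": "vp_token", "nonce": nonce}

    def verify_presentation(self, vp):
        """Return (accepted, reason). The nonce is removed from the pending
        table on first sight, whether or not the rest of the check passes."""
        nonce = vp.get("nonce")
        if nonce is None:
            return (False, "vp carries no nonce")
        expiry = self._pending.pop(nonce, None)   # single use
        if expiry is None:
            return (False, "unknown or already-used nonce")
        if self._now() > expiry:
            return (False, "nonce expired")
        if not vp.get("verifiableCredential"):
            return (False, "vp contains no credentials")
        return (True, "ok")


def demo():
    """Walk through the cases discussed above and return the outcomes."""
    v = Verifier()
    req = v.create_request()
    vp = build_presentation(SAMPLE_VC, req["nonce"])
    first = v.verify_presentation(vp)       # fresh VP: accepted
    replay = v.verify_presentation(vp)      # same VP again: rejected
    req2 = v.create_request()
    vp2 = build_presentation(SAMPLE_VC, req2["nonce"])
    reuse = v.verify_presentation(vp2)      # same VC, new nonce: accepted
    return first, replay, reuse


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The design choice worth noting is that `verify_presentation` pops the nonce before any other check, so a VP that fails for a different reason still cannot be retried with the same nonce; signature verification of the VP and the embedded VC, which a real verifier must also do, is omitted here to keep the replay logic in focus.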
#1381: User with multiple devices
David discussed whether an OP is a VC issuer or not
Mike observed that in the SIOP case, it may be a VC issuer along with possibly others
John said that we don't need a VC to authenticate people
We can already do that with the ID Token
David wants to understand how to get the same VCs no matter which device you are using
David talked about using the subject in the VC as opposed to the subject in the ID Token
John doesn't know how that would solve the multi-device problem
Next Call
The next call will be a regular working group call on Monday, February 28, 2022 at 3pm Pacific Time