[Openid-specs-ab] Spec Call Notes 13-Jan-22

Mike Jones Michael.Jones at microsoft.com
Fri Jan 14 00:13:49 UTC 2022


Spec Call Notes 13-Jan-22

Mike Jones
Roland Hedberg
Rifaat Shekh-Yusef
David Chadwick
Giuseppe De Marco
Thomas Bellebaum
George Fletcher
Brian Campbell
Joseph Heenan
Bjorn Hjelm
Kristina Yasuda
Tom Jones

Introductions
              Rifaat is a product manager at Auth0/Okta.  This is his first Connect call.
              Roland Hedberg is an independent consultant and author of OpenID Connect Federation
              Giuseppe is in the Department of Digital Transformation for the Italian Republic
              Thomas is a researcher working for Fraunhofer in Germany and interested in SIOP
              David is now at Crossword Cybersecurity.  They implemented the TRAIN infrastructure from Fraunhofer.

Federation Repository
              The Federation work has moved to the Connect Bitbucket repository (off of Roland's GitHub repository)
              Mike will create a pull request migrating the one small set of changes only present in Roland's repository

Federation Issues
              #1382: Proposal of an improved Federation API
                           Giuseppe spoke in favor
                           This aligns with #1387: Operations -> endpoints
                           Roland is in favor of the refactoring
                           David is in favor of the refactoring as it aligns with TRAIN
                           Tom said that you need to stay within the same origin to get cookies
                           The working group wants a pull request that does this refactoring
              #1368: [federation_api] fetch entity statement - issuer parameter is really required?
                           Waiting on a security review by John Bradley
              #1384: Trust Negotiation
                           Mike is concerned about having entity statements return information about things other than the subject
                           Roland said that this is about the "evaluate entity statement" operation
                                          He said that the Italian implementation wants to be able to ask one party what they think of the other
                                         This generalizes the existing functionality
                                         It returns metadata, not an entity statement
                           Mike observed that you could have an operation that walks trust chains
                                         or walk the trust chains yourself
                           David said that TRAIN has an operation to ask whether a party is a member of the federation
                           Giuseppe said that the operation would be optional
                           Roland said that it can be more efficient to have a third party do it
                           We agreed that the operation and its goals need to be more clearly specified.  That's the next step.
              #1391: Clarifications and proposals on Trust Negotiation
                           This proposes terminology clarifications/unification
                           Giuseppe will make a list of proposed changes in the issue
              #1366: Support for "immediate" exclusion of an entity from a federation
                           This would add a revocation operation
                           It would give an operation to check whether an entity is still part of the federation
                           The trust anchor could issue a new kind of trust mark and have an operation to test inclusion
                           Roland said that it's simpler than introspection
                                         He said that it's also similar to what the TRAIN project is doing
                           Giuseppe said that having a trust mark could have benefits
                           Tom said that any trust should be able to be tested in the moment
                           Giuseppe said that they don't need to do dynamic checking each time
                                         You should be able to cache results

Pull Requests
              https://bitbucket.org/openid/connect/pull-requests/
              PR #105: Trust Negotiation
                           This is related to issue #1384
                           Tom says that this appears to violate the zero trust model
                           Roland says that the operation could be used to determine whether to do the evaluation yourself
                           We agreed that the operation and its goals need to be more clearly specified.  That's the next step.

PKCE and Certification Question
              #1362: alignment of certification tests with OAuth 2.1
                           Mike said that the suite already checks that PKCE usage doesn't cause failures
                                         Joseph confirmed that
                           Joseph said that requiring PKCE at the OP would break any RPs not using PKCE, which is the majority
                                         Mike said this would be a breaking change, bifurcating our ecosystem
                           We ran out of time at this point and agreed to continue discussing the topic
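To make the PKCE point in this discussion concrete, the following added example (not code from the notes, the certification suite or any OP implementation) models an OP's authorization and token endpoints with a `require_pkce` policy switch. It shows that an OP which accepts PKCE but does not require it still verifies the S256 challenge for RPs that send one, while flipping the switch to "required" rejects the authorization request of an RP that sends no `code_challenge`. Function names, the `require_pkce` flag and the record dict are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 code_verifier: 32 random bytes -> 43 unreserved characters."""
    return b64url(secrets.token_bytes(nbytes))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize(request: dict, *, require_pkce: bool) -> dict:
    """Authorization endpoint (hypothetical). Returns the record the OP would
    store alongside the issued authorization code, or raises on policy errors."""
    challenge = request.get("code_challenge")
    method = request.get("code_challenge_method", "plain")
    if challenge is None:
        if require_pkce:
            # This is the breaking case from the call: an RP that never sent
            # code_challenge is turned away when the OP mandates PKCE.
            raise ValueError("invalid_request: code_challenge is required")
        return {"code_challenge": None, "code_challenge_method": None}
    if method not in ("plain", "S256"):
        raise ValueError("invalid_request: unsupported code_challenge_method")
    return {"code_challenge": challenge, "code_challenge_method": method}


def redeem_code(record: dict, token_request: dict) -> bool:
    """Token endpoint check (hypothetical). True when the code may be exchanged."""
    verifier = token_request.get("code_verifier")
    stored = record["code_challenge"]
    if stored is None:
        # Code was issued without PKCE. A verifier arriving anyway is a
        # mismatch with the authorization request, so it is rejected here.
        return verifier is None
    if verifier is None:
        return False
    if record["code_challenge_method"] == "S256":
        computed = s256_challenge(verifier)
    else:
        computed = verifier
    # Constant-time comparison so the check does not leak the stored value.
    return hmac.compare_digest(computed, stored)


def demo() -> dict:
    """Runs a PKCE-using RP and a legacy RP against both OP policies."""
    verifier = make_code_verifier()
    pkce_request = {"code_challenge": s256_challenge(verifier),
                    "code_challenge_method": "S256"}
    legacy_request = {}  # constructed: an RP that does not use PKCE at all
    results = {}

    record = authorize(pkce_request, require_pkce=False)
    results["pkce_rp_ok"] = redeem_code(record, {"code_verifier": verifier})
    results["pkce_rp_wrong_verifier"] = redeem_code(
        record, {"code_verifier": make_code_verifier()})

    record = authorize(legacy_request, require_pkce=False)
    results["legacy_rp_permissive_op"] = redeem_code(record, {})

    try:
        authorize(legacy_request, require_pkce=True)
        results["legacy_rp_strict_op"] = "accepted"
    except ValueError:
        results["legacy_rp_strict_op"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The permissive policy is what the notes describe the certification suite exercising today: PKCE, when used, must work. The strict policy is the behaviour issue #1362 would introduce, and `demo()` shows the legacy RP being rejected outright under it.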

Next Call
              The next Connect call will be Monday, January 17, 2022 at 3pm Pacific Time