[Openid-specs-ab] SIOP Special Topic Call Notes 9-Jun-22
Kristina Yasuda
Kristina.Yasuda at microsoft.com
Fri Jun 10 03:50:20 UTC 2022
SIOP Special Topic Call Notes 9-Jun-22
(Thank you for taking notes, Mike!)
Kristina Yasuda
Mike Jones
Jo Vercammen
Petteri Stenius
Torsten Lodderstedt
Kenichi Nakamura
David Chadwick
David Waite
Joseph Heenan
Torsten gave a debrief on a presentation to the eIDAS expert group
Gail and Torsten presented the work on the foundation
Described spec and ecosystem work around the world
Discussed making the EU wallet happen
Mapping between EU framework and OpenID for VCs work
There were 74 in attendance, including representatives for all 26 EU member states
The presentation was very well received
Torsten thinks there's a good chance of the EU including OpenID4VCs in eIDAS2
Torsten wants to study the architecture reference framework w.r.t. "Level of Assurance High"
We need to understand the question of how OpenID can satisfy this
Kenichi said that a hardware-bound key is needed for Level of Assurance High
David Chadwick said that you also need a qualified certificate
Kristina asked for an issue to be filed on this topic
Kristina discussed the mDL ISO WG meeting last week
They're working on mDL over the Internet
OIDF members have an opportunity to join ISO mDL WGs leveraging our liaison relationship
Have requested adding Tobias and Vittorio to the ISO WG
If interested, please reach out to Kristina
Open Pull Requests
https://bitbucket.org/openid/connect/pull-requests/
PR #157: Building Trust between Wallet and Issuer
Torsten wants to merge this one - it has two approvals
We discussed the use of client authentication versus key attestation and app attestation
Torsten thinks that relying on attestations violates boundaries between components
He thinks that using them internally is good
He wants us to use things that are operating system independent
Torsten added sequence diagrams to the PR
David Chadwick said that FIDO supports attestations and asked if that is a conflict
Torsten said that some things are possible but not necessarily profitable
Torsten said that FIDO attestations contain information that you would not want to reveal to the verifier, such as the audience
We merged the PR
(Mike's gotomeeting client froze at this point and there's about a 10-minute gap in the notes here - Kristina filled in)
PR #189: [OpenID4VCI] #1501 encoding of the issued vc
Kristina asked if we can merge this one after she incorporates Mike's editorial comments
WG agreed
Torsten approved during the call
After the call, Kristina made the changes, including Alen's request to separate JWS Compact Serialization and JSON Serialization
Planning to merge once Alen/Mike confirms the changes meet their requests/comments
PR #196: OpenID4VPs - adapt examples to recent changes
David Chadwick suggested modifying a JWT-VC example
We discussed the VC spec's use of "nbf" versus "iat"
Some JWT-VC examples in vc-data-model specification are incorrect
After the SIOP call, Kristina updated the PR
Merged
Kristina also filed an issue in vc-data-model specification: https://github.com/w3c/vc-data-model/issues/878
Planning to publish an updated html, so that the big change to basing the protocol on OAuth 2.0 gets more widely reviewed
PR #145: Revises the approach to credential metadata publishing
We looked at the examples, including specification of foreground and background colors
Torsten suggested removing a level of arrays in the structure
We discussed the right representation for claims in multiple languages
We agreed that this needs more thought
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
(We ran out of time to discuss open issues)
Next Call
The next call will be on Monday, June 13, 2022 at 4pm Pacific Time
From: Kristina Yasuda
Sent: Wednesday, June 8, 2022 6:18 PM
To: Openid-specs-ab at lists.openid.net
Subject: SIOP call agenda (2022-June-9) - Atlantic call @ 7AM PST
Hi All,
Below is a proposed agenda for the SIOP call.
We have a lot of PRs - please review :)
Comments on a first Editor's draft of the "OpenID for Verifiable Credentials" Whitepaper welcome!:
https://openid.net/wordpress-content/uploads/2022/05/OIDF-Whitepaper_OpenID-for-Verifiable-Credentials_FINAL_2022-05-12.pdf
- IPR reminder/recording
- Introductions/re-introductions
- Agenda bashing/adoption
- Events/External orgs (borrowed from MODRNA WG's notes, since it had a great summary)
o RSA <https://www.rsaconference.com/usa>, San Francisco, CA, Jun. 6-9, 2022
o Identiverse <https://identiverse.com/>, Denver, CO, Jun. 20-23, 2022
- PRs https://bitbucket.org/openid/connect/pull-requests/
* Discuss - please review (discussion max 15min each)
* Updated PR #145 - [OpenID4CI] Revises the approach to credential metadata publishing. Issue 1466
* want to merge as a starting point since becoming too complicated to review
* updated to separate language specific display object and claims object properties from non-specific ones
* Ready to merge PR #157: Building Trust Between Wallet and Issuer
* Want to make sure WG is aware of the specification's recommendation to use client auth over key/app/device auth
* Please approve PR #189 - [OpenID4VCI] removing requirements for an issued credential to be a string - Issue #1501
* Please approve PR #194 - [OpenID4VP] extends RP resolution methods from SIOP to OpenID4VP
* New PR #186 - [OpenID4VP] requesting VC using scoped value
* New PR #196 - [OpenID4VPs] adapt examples to recent changes
* New PR #197 - [SIOP] adapted to recent changes
* Agreed to decline and re-open an alternative solution in another PR PR #152 - [siopv2] OP Identification/Attestation
- Issues https://bitbucket.org/openid/connect/issues?status=new&status=open&component=SIOP&component=Verifiable%20Presentation&component=Credential%20Issuance
* (Max 15min per issue)
* #1499: Clarify how SIOP/Open4VP can be used to present credentials offline
* #1496: OIDC4VPs: Request presentation per scope value
* #1482: Static Trust negotiation in an offline scenario
* [some have been addressed] As discussed in the previous SIOP call, editors triaged the issues to identify potential breaking changes in SIOPv2 and OIDC4VP specifications. This is important to be able to refer to these standards in ISO documents.
* Breaking
* 1470: [oidc4vp] response_type = vp_token only in OIDC4VP
* [siopv2] guidance around which claim the RP uses to re-authenticate the user, if it does (many issues boil down to this)
* 1402: [siopv2] Cross device flow w/ and w/o authorization_endpoint
* Non-breaking
* 1412: [siopv2] (optional) attestation claim to the ID Token - would not be breaking unless optional
* 1401: [siopv2] Advanced/Better discovery/registration - might be important in light of solving a NASCAR problem
* 1448: [siopv2] def of cross-device
* 1389: [oidc4vp] unify vp_formats
- AOB
Best,
Kristina