[Openid-specs-ab] Spec Call/SIOP Call Notes 11-Mar-22

Tim Cappalli Tim.Cappalli at microsoft.com
Fri Mar 11 16:38:08 UTC 2022


We should discuss this more. I would caution assuming that future CTAP features will solve your cross-device PoP use case as there is no guarantee of holder, wallet, or hardware binding.

@Kristina Yasuda<mailto:Kristina.Yasuda at microsoft.com> will this be a formal agenda item in the future? Happy to discuss more if I know when the meeting will be (not trying to discuss on this specific thread).

tim

From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> on behalf of David Chadwick via Openid-specs-ab <openid-specs-ab at lists.openid.net>
Date: Friday, March 11, 2022 at 07:18
To: openid-specs-ab at lists.openid.net <openid-specs-ab at lists.openid.net>
Cc: David Chadwick <d.w.chadwick at verifiablecredentials.info>
Subject: Re: [Openid-specs-ab] Spec Call/SIOP Call Notes 11-Mar-22
Hi Kristina,

Can I add a correction to the minutes, please? Instead of

David C. described how in their implementation the user sets up a WebAuthn connection with the issuer using the wallet, i.e. the user uses WebAuthn to log in on device A using device B, so that the Issuer can recognize device B later in the issuance flow

it should read

David C. described how in their implementation the user sets up a WebAuthn connection with the issuer using the wallet, i.e. the user uses WebAuthn to establish a key pair on device A (the wallet), so that the Issuer can recognize device A later in the issuance flow and in subsequent interactions, e.g. to revoke, refresh or delete the credential

Many thanks

David

On 11/03/2022 09:55, Kristina Yasuda via Openid-specs-ab wrote:

David Chadwick
John Bradley
Joseph Heenan
Nat Sakimura
Torsten Lodderstedt
Brian Campbell
Filip Skokan
David Waite
Jeremie Miller
Jo Vercammen
Kenichi Nakamura
Kristina Yasuda

(Connect call notes followed by subsequent SIOP call notes)



  1.  openid / connect / issues / #1456 - scopes metadata parameter needs to be defined <https://bitbucket.org/openid/connect/issues/1456/scopes-metadata-parameter-needs-to-be>

     *   Two options to address the undefined `scopes` parameter underneath `openid_relying_party`
     *   Roland and John agree to define a new `scopes` parameter
     *   Nat pointed out that `scope` (existing) and `scopes` (new) might be confusing and that a better name for `scopes` should be considered.

  2.  openid / connect / issues / #1433 - [oidc4vci] role of the ID Token <https://bitbucket.org/openid/connect/issues/1433/oidc4vci-role-of-the-id-token>

     *   Torsten pointed out that OIDC4VCI is different from the JWT assertion spec because in OIDC4VCI the access token is opaque to the client
     *   David C. made three suggestions on how to improve the OIDC4VCI specification. Issues have been filed for each item.

        *   Clarify how the user interacts with the wallet in the swimlane
        *   Add text on the trust model
        *   Clarify how authorization works

     *   No objections to moving OIDC4VCI to an OAuth-based flow. A PR would be useful

  3.  Transferring PoP across devices (discussion continued from the Pacific Connect Call on Monday)

     *   Use case: the user is logged into an app on device A (laptop), but wants to receive a credential into an app on device B (smartphone)
     *   John said caBLE is becoming increasingly promising – being deployed across the major browser OSes and mobile OSes
     *   David C. described how in their implementation the user sets up a WebAuthn connection with the issuer using the wallet, i.e. the user uses WebAuthn to log in on device A using device B, so that the Issuer can recognize device B later in the issuance flow
     *   John pointed out that that usage of WebAuthn can be looked at in both ways at a higher level:

        *   Using FIDO as a proof for a VP or other tokens (issue to someone who controls the private key for this public key)
        *   Purely having stronger authentication using FIDO

     *   It was pointed out that this is close to how we use sender-constrained tokens

<<transition to the SIOP call>>


  1.  openid / connect / Pull Request #128: Adds an option to make a credential request via scopes <https://bitbucket.org/openid/connect/pull-requests/128>

     *   Merged

  2.  openid / connect / Pull Request #134: Removing an option to submit a VC in the Authorization Request (#1443) <https://bitbucket.org/openid/connect/pull-requests/134>

     *   Waiting for Mike to come back from vacation, since he has requested changes
     *   There might be concerns around clarifying why a nonce endpoint is not effective in preventing replay

  3.  openid / connect / Pull Request #101: Fetching presentation definitions from a remote repository <https://bitbucket.org/openid/connect/pull-requests/101>

     *   https://bitbucket.org/openid/connect/issues/1440/choosing-how-to-transfer-presentation
     *   We agreed that passing presentation_definition by value should be mandatory to implement, while passing it by reference can be turned on via new Registration/Discovery metadata
     *   We agreed that passing it by reference has a lot of value. Right now, most implementations pass by value, and with the request object already being passed by reference in many implementations, the size of a presentation_definition is not a problem. We might revisit this setup if the majority of implementations switch to passing by reference.
     *   Will merge once David C. updates the PR

  4.  https://bitbucket.org/openid/connect/issues/1451/oidc4vci-mandatory-vs-optional-credential

     *   We agreed that it is the Issuer’s responsibility to ensure that all mandatory claims are included in a VC
     *   Kenichi pointed out that in mDL, the user would not have much choice over optional claims, probably only over the organ donation claim
     *   Selective release of optional claims might still be useful in other credential types
     *   David C. made a distinction between the user providing consent in the wallet, and the user providing consent directly to the Issuer
     *   John asked what if the Issuer issues more or less credentials then

  5.  https://bitbucket.org/openid/connect/issues/1453/oidc4vci-holder-binding-material-without

     *   Kristina described how there is a use case for this in SMART Health Cards
     *   David C. described another use case where credentials for multiple users are stored in one wallet (an airplane ticket, for example)
     *   The WG agreed to document such use cases and extend the specification to support them

  6.  https://bitbucket.org/openid/connect/issues/1454/oidc4vci-defining-a-credential-type

     *   David C. pointed out that type in vc-data-model is defined as a URI, so URIs need to be supported
     *   We ran out of time while discussing this issue; we will resume with it at the next call

Thank you!
Kristina



