[Openid-specs-ab] SIOP Special Topic Call Notes 3-Nov-22

Mike Jones Michael.Jones at microsoft.com
Thu Nov 3 19:55:08 UTC 2022


SIOP Special Topic Call Notes 3-Nov-22

Mike Jones
Daniel McGrogan (Workday)
Daniel Godbout (Microsoft)
George Fletcher
Joseph Heenan
Daniel Fett
David Chadwick
Kristina Yasuda
Brian Campbell
Petteri Stenius
Oliver Terbu
Jeremie Miller
Gail Hodges
Torsten Lodderstedt
David Waite (DW)
Bjorn Hjelm

Issues
              https://bitbucket.org/openid/connect/issues?status=new&status=open
              #1632: Should RS have a separate metadata file from the AS?
                           It was noted that people may not be on the same page about the requirements
                           Torsten asked what to append to the issuer URL
                                         .well-known/openid-configuration may not be applicable
                                         .well-known/openid-credential-issuer is the latest proposal
                           Joseph suggested using .well-known/oauth-server-metadata
                           Daniel Godbout asked about when the issuer is a DID
                                         There's a separate issue for that: #1709
                           Mike spoke in favor of .well-known/openid-credential-issuer
                           The metadata parameters are listed in https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-09.html#name-server-metadata
                           Torsten said that the RFC 8414 parameters are also already there
                           Daniel McGrogan said that he thinks the resource metadata should be distinct from the authorization server metadata
                           DW said that most of the registered metadata values are about extending authorization server functionality
                                         Generally, APIs defined by ASs are not described in the ASs' metadata
                                         But the UserInfo Endpoint API is listed there
                           Torsten said that it's interesting that the UserInfo Endpoint is in the AS's metadata
                                         He finds it to be a practical, convenient decision
                           Torsten wonders about the complexity of splitting the AS and resource metadata into different locations
                                         He thinks that the current solution is already sufficient
                           George supported separating the endpoints
                           Joseph said that since it's resource server metadata, you'd discover it from the resource path - not the AS path
                           Torsten said that whatever it is, it's where you get the information needed to start the flow
                           Kristina said that if we're discovering OAuth AS metadata, then the OAuth path makes sense
                           Torsten said that we want to discover the credential issuer
                           Kristina suggested having a small group to discuss the issue, as was done for the metadata issue
                                         People were fine with that
                                         Brian asked to be part of the small group

OpenID Workshop
              The OpenID Workshop will be Monday, November 14th - the day before IIW, 12:30-4pm at Visa
              See registration information at https://openid.net/2022/10/24/workshop-at-visa-monday-november-14-2022/
              Register by Wednesday, November 9th

Limited Government Participation
              Gail reported that there is limited government representation amongst the 18013-7/23220-4 participants
              There's no guarantee that ISO will include the OpenID4VC specs
              There's an interop including them on December 4-5 in Brisbane
              Gail asked people who have government identity contacts to forward them to her to perhaps get statements from them in advance of the interop
                           Contact her at gail.hodges at oidf.org
              Kristina remarked that it's not yet determined what credential formats will be used in what contexts
                           The OpenID4VC specs are one of the few paths that enable credential format agility

Security Review
              Daniel Fett reported on a security review of the issuance specification
              There were no issues that he found
              He may file a PR with some suggestions
              He will also review the presentation spec
              Daniel McGrogan asked if the review is published
              Torsten said that the recommendation is to always use the server-provided nonce
                           Torsten volunteered to file a PR clarifying this

Pull Requests
              https://bitbucket.org/openid/connect/pull-requests/
              PR #327: clarified the definition of response mode post - Issue #1626
                           We have approvals from Mike and Joseph
                           We're asking for Brian and/or George to also review
              PR #345: Update Introduction and Overview of OpenID4VP specification to better explain the new model
                           Mostly editorial
              PR #351: relaxed client id requirements for pre-authz code grant type
                           Additional reviews requested
              We would like to merge these three PRs in the next week

Next Call
              We may cancel the next SIOP call due to a conflict with the OAuth WG meeting at IETF in London