[Openid-specs-ab] [External Sender] Re: Spec Call Notes 24-Oct-22

George Fletcher george.fletcher at capitalone.com
Tue Oct 25 14:02:35 UTC 2022


Thanks for the updates Kristina. I left a few comments in the PR.

One other high-level thought I had after the WG discussion is that in the
case of Device Auth, new parameters were defined. In this
cross-user_agent/device use case, it's a bit more like the Device Auth
flow. I don't know if that is helpful to the editors as you all consider
existing or new parameters. The Device Auth flow does not define how the
second user-agent/device authenticates/consents (left out of scope). In
this VP case, we are looking to standardize that other flow. I don't know
that I have a strong position one way or another, it's just an additional
perspective to consider.

Thanks,
George

On Tue, Oct 25, 2022 at 3:40 AM Kristina Yasuda via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Response_mode=post PR has been updated with the new value direct_post and
> better description: https://bitbucket.org/openid/connect/pull-requests/327
>
> We will discuss with the editors wrt defining a new parameter vs reusing
> response_mode.
>
>
>
> Inspired by the discussion, also did an editorial PR clarifying concepts
> in OpenID4VP spec: https://bitbucket.org/openid/connect/pull-requests/327
>
>
>
> Cheers,
>
> Kristina
>
>
>
> *From:* Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> *On
> Behalf Of *Mike Jones via Openid-specs-ab
> *Sent:* Tuesday, October 25, 2022 12:28 AM
> *To:* openid-specs-ab at lists.openid.net
> *Cc:* Mike Jones <Michael.Jones at microsoft.com>
> *Subject:* [Openid-specs-ab] Spec Call Notes 24-Oct-22
>
>
>
> Spec Call Notes 24-Oct-22
>
>
>
> Mike Jones
>
> Vittorio Bertocci
>
> George Fletcher
>
> Kristina Yasuda
>
> Dima Postnikov
>
> Tom Jones
>
> David Waite (DW)
>
>
>
> Errata Updates
>
>               Mike created 7 errata PRs
>
>                            They have [Errata] at the beginning of the
> subject line
>
>                            He plans to merge them in a week after they
> were created unless comments are received
>
>                            He noted that in the past, he simply pushed
> errata updates to master
>
>                                          Because the working group had
> already decided how to address them
>
>                                          Given the WG's increasing use of
> PRs, he created PRs this time to enable people to comment before merging
>
>               Addressing the open errata issues is part of preparing for
> ISO PAS submission
>
>               See the open errata issues at
>
>
> https://bitbucket.org/openid/connect/issues?status=new&status=open&milestone=Errata
>
>
>
> Pull Requests
>
>               https://bitbucket.org/openid/connect/pull-requests/
>
>               PR #335: chore: [Federation] disambiguations on the
> federation entity role
>
>                            We need to address Roland's comments
>
>               PR #327: clarified the definition of response mode post -
> Issue #1626
>
>                            Kristina requested that George review
>
>                            We discussed the naming suggestions from the
> 13-Oct-22 SIOP special topic call
>
>                                          George is good with Joseph's name
> direct_post
>
>                            This is different from other response modes
> because it can cross devices, rather than use a redirect
>
>                            George said that direct_post is the only mode
> that makes sense cross-device
>
>                            George said that direct_post with a cloud
> wallet is an interesting context
>
>                            Vittorio asked whether there are any other
> response types or response modes that result in cross-device flows
>
>                                          He's not sure why we're trying to
> reuse an existing parameter rather than defining a new one
>
>                                          He said that using a client as an
> authorization server is confusing
>
>                                                        Kristina said that
> it's well-defined for a native application to be able to do both
>
>                                          He doesn't see a security issue -
> he just finds it to be unnatural
>
>                            Kristina said that these differences are why
> the introduction to OpenID4VP is long
>
>                                          The PR is an attempt to describe
> this better
>
>                            Kristina said that developers have successfully
> built and deployed the specification
>
>                            The form_post response mode is defined at
> https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html#FormPostResponseMode
>
>                            The response_mode parameter is registered with
> IANA
>
>                                          The response mode values are not
>
>                            George suggested adding more context about the
> roles that are being played by different parties
>
>                                          George agreed to make a comment
> on the PR
>
>
>
> Issues
>
>
> https://bitbucket.org/openid/connect/issues?status=new&status=open
>
>               #1681: [Federation] FAPI prohibits RS256
>
>                            Mike reported that the Federation editors
> agreed to the following resolution:
>
>                            “Implementations SHOULD support signature
> verification with RS256 because OpenID Connect Core requires support for
> RS256;
>
>                            Federations MAY also specify different
> mandatory-to-implement algorithms.”
>
>
>
> Next Call
>
>               The next call is the SIOP Special Topic on Thursday, October
> 27th at 7am Pacific Time
