[Openid-specs-ab] SIOP Special Topic Call Notes 8-Sep-22
Torsten Lodderstedt
torsten at lodderstedt.net
Fri Sep 9 15:10:20 UTC 2022
Hi Mike,
please find one comment below.
best regards,
Torsten.
> On 09.09.2022 at 01:42, Mike Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>
> SIOP Special Topic Call Notes 8-Sep-22
>
> Kristina Yasuda
> Mike Jones
> Petteri Stenius
> David Chadwick
> Torsten Lodderstedt
> David Waite (DW)
> Jeremie Miller
> George Fletcher
> Kaliya Young
> Brian Campbell
> Paul Grehan
> Bjorn Hjelm
>
> Pull Requests
> https://bitbucket.org/openid/connect/pull-requests/
> PR #294: clarifying that aud is not required in a signed request in SIOPv2, issue #1602
> Kristina said that the SHOULD is problematic for testing
> Torsten said that we changed SIOPv2 so that the issuer and the subject match
however, RPs can identify the SIOP implementation/service they intend to use. In the case of dynamic discovery, that would be a normal HTTP URL. In the static case, we can use https://self-issued.me/v2 or the concrete custom scheme used for invocation.
> Torsten said that as long as you can resolve the issuer, everything's fine
> Kristina will update the PR
> PR #295: OpenID4VCI editorial
> Kristina will merge it after the call
> PR #293: Separated binding method from attestations (Issue #1585)
> Kristina updated the PR
> John Bradley suggested being more specific
> Torsten added an example
> Torsten said that we should add more on binding format
> Kristina plans to remove binding material
> Kristina to update
> There was a discussion on the differences between attestation and binding
> Jeremie said that they serve different purposes
> Jeremie said that like Torsten, he wants to see an example
> We also discussed the differences between key attestation and device attestation
> George asked what the purpose of the attestation is and what we're trying to attest to
> Kristina said that Google uses SafetyNet in their mDL issuance
> Torsten said that this PR is about key attestation
> He said that it should be a separate PR for device attestation
> He asked for an example that we can talk about
> Torsten posted this for background: https://developer.android.com/training/articles/security-key-attestation
> PR #269: multiple credentials in the initiate issuance request (Issue #1569)
> To be merged
> PR #285: Adding batch credential endpoint: fixes #1544
> Torsten, Kristina, and Mike asked for clarifications
> PR #243: Ordering claims in OP Metadata (Issue #1593)
> David Chadwick said that order is for display purposes
> David will update the PR
> PR #232: Support for Informed Consent in the OIDC4VCI protocol between the wallet and the issuer
> This introduced a new consent model
> There are four requests for changes
> Kristina suggested that we should decline this for now
> David wants it to be recorded that his consent model isn't in the protocol
> He said that consent is out-of-band
> Torsten said that consent is being established between the user and the server
> There isn't a protocol aspect to that
> PR #240: Add "type" to OP Metadata (Issues #1566, #1592, #1628)
> There are three requests for changes
> Torsten would prefer to have the type under the format object
> Then we wouldn't have to invent our own types
> David Chadwick said that the type is independent of the format
> He wants the type to be at the top level
> He wants it to be a mandatory property
> Kristina agrees that the type needs to be mandatory
> Torsten said that in W3C VCs, the type is represented in the credential
> Torsten said that we did not agree that the type is a mandatory part of the metadata
>
> Issues
> https://bitbucket.org/openid/connect/issues?status=new&status=open
> We ran out of time to discuss other issues
>
> Next Call
> The next call will be Monday, September 12, 2022 at 4pm Pacific Time