[Openid-specs-ab] Spec Call Notes 22-Sep-22
Mike Jones
Michael.Jones at microsoft.com
Thu Sep 22 19:34:52 UTC 2022
Spec Call Notes 22-Sep-22
Mike Jones
Filip Skokan
David Chadwick
Joseph Heenan
Giuseppe De Marco
George Fletcher
Mark Haine
Rifaat Shekh-Yusef
Brian Campbell

prompt=create Specification
George updated the spec with non-normative text improvements yesterday
https://openid.net/specs/openid-connect-prompt-create-1_0-05.html
The working group last call for Implementer's Draft status completed today
We will start the Implementer's Draft review today
The prompt_values_supported metadata value was the last addition to the spec
Mark Haine said that some use cases of the Identity Assurance draft are asking the IdP to perform an assurance process from scratch
We observed there is some semantic overlap with prompt=create
George said that this spec sets up the structure to add other prompt values
Such as prompt=reverify, which could be added to the IDA-eKYC spec

Native SSO for Mobile Apps Specification
The working group last call for Implementer's Draft status completed today
Joseph filed a number of issues
George still needs to update the spec accordingly
One is to add the requirement to validate the ID Token
George found some other things that need clarification
Additional reviews are solicited
At Identiverse, Okta talked about using it to share state between devices
"Frictionless authentication with mobile single-sign-on": https://www.youtube.com/watch?v=8BkblIYjegk
George asked if we want to keep the scope the same or expand it
Mike suggested we go to Implementer's Draft as-is, then discuss possible scope expansion
Rifaat volunteered to review the draft
Brian asked whether it makes sense to progress this document, given its dormancy
George said that there are multiple implementations, including at Yahoo!
Mike said that the working group had decided to take it to Implementer's Draft for IPR reasons
Then we can decide what the next steps are
George said that the pressure from products to reduce user friction continues
He said that having something that's been vetted from a security perspective is important

Public Review Period for Proposed Final Unmet Authentication Requirements Specification
The 60-day public review period is under way
https://openid.net/2022/09/09/public-review-period-for-proposed-final-unmet-authentication-requirements-specification/
Nat privately asked if there were multiple implementations of the spec
Mike said he believes that it's referenced from multiple specifications
Brian said that it's referenced from the OAuth step-up specification
That moved to WGLC today
Mike said that he would ask Torsten about implementations if he joins the SIOP Special Topic call in the next hour

Pull Requests
https://bitbucket.org/openid/connect/pull-requests/
PR #303: fix: [Federation] Federation Entity Discovery in the defined terms
We updated the term to "Federation Entity Discovery"
Merged
PR #302 fix: [Federation] Trust Chain explanatory text made easier
Giuseppe said that this clarifies the composition of a trust chain
The trust chain MAY contain the entity configuration of the trust anchor
Waiting for additional approvals - particularly, hopefully Roland and Vladimir
PR #306: Updates to Native SSO spec
We requested a few changes; George will update
PR #304: Fix pre_authorized_code to be pre-authorized_code
Merged

Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1637: id_token validation?
Joseph talked about missing signature validation
We discussed that the ID Token is being unbound for multiple parties
Brian said that there is weirdness about audience and expiration that at least needs more explanation
George suggested that wording about multiple devices should go into the Security Considerations
and that the ID Token Validation description should go into the spec itself
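The validation steps raised under #1637 (signature check, audience check, expiration check) in one runnable routine. This is an added illustration written for these notes, not code from the Native SSO draft or any OpenID implementation. It assumes an HS256-signed ID Token so it runs on the Python standard library alone; the issuer URL, client secret and claim values are constructed for the example, and mint_id_token exists only to build test input.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example values; not taken from the meeting notes or any deployment.
ISSUER = "https://op.example"
CLIENT_SECRET = b"constructed-client-secret-for-example-only"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed ID Token; used here only to produce test input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class IdTokenError(Exception):
    pass


def validate_id_token(token: str, secret: bytes, expected_issuer: str,
                      client_id: str, now: Optional[int] = None,
                      leeway: int = 60) -> dict:
    """Verify signature, issuer, audience and time claims; return claims on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the expected algorithm before touching the signature (rejects "none" and alg swaps).
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise IdTokenError("signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise IdTokenError("issuer mismatch")
    # aud may be a string or a list; this client must be in it.
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud_list:
        raise IdTokenError("audience does not include this client")
    # With several audiences, azp must name this client (OIDC Core ID Token validation).
    azp = claims.get("azp")
    if (len(aud_list) > 1 and azp is None) or (azp is not None and azp != client_id):
        raise IdTokenError("azp does not name this client")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        raise IdTokenError("token expired or missing exp")
    iat = claims.get("iat")
    if isinstance(iat, int) and iat > now + leeway:
        raise IdTokenError("token issued in the future")
    return claims


def rejection_reason(token: str, secret: bytes, expected_issuer: str,
                     client_id: str, now: Optional[int] = None) -> Optional[str]:
    """None when the token validates, otherwise the reason it was rejected."""
    try:
        validate_id_token(token, secret, expected_issuer, client_id, now=now)
        return None
    except IdTokenError as e:
        return str(e)


if __name__ == "__main__":
    claims = {"iss": ISSUER, "sub": "user-1", "aud": "app-a",
              "iat": 1_700_000_000, "exp": 1_700_000_600}
    tok = mint_id_token(claims, CLIENT_SECRET)
    print(rejection_reason(tok, CLIENT_SECRET, ISSUER, "app-a", now=1_700_000_100))  # None
    print(rejection_reason(tok, CLIENT_SECRET, ISSUER, "app-b", now=1_700_000_100))  # audience ...
```

The audience check is the step the discussion flagged: a token minted for one app and handed to another app on the same device fails it as written, which is why the notes ask for the multi-device case to be covered in Security Considerations and for the validation rules to be spelled out in the spec rather than left implicit.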
#1641 feat: [Federation] endpoint for historical federation jwks
Giuseppe said that those doing SAML federations brought up repudiability of past signatures after keys have been changed
He said that this may result in legal problems
Giuseppe said they are only proposing to retain past keys for trust anchors
People are requested to discuss the issue

Next Call
The next call is the SIOP Special Topic call immediately following this call