[Openid-specs-ab] SIOP Special Topic Call Notes 29-Sep-22
Mike Jones
Michael.Jones at microsoft.com
Thu Sep 29 17:47:35 UTC 2022
SIOP Special Topic Call Notes 29-Sep-22
Mike Jones
Petteri Stenius
David Chadwick
Kristina Yasuda
Brian Campbell
Kenichi Nakamura
Gail Hodges
George Fletcher
David Waite (DW)
Joseph Heenan
Torsten Lodderstedt
Bjorn Hjelm
Planning for Implementer's Drafts
Kristina reviewed our plans to move to new Implementer's Drafts
For SIOPv2 and OpenID4VP there aren't big issues to be resolved before the next Implementer's Drafts
Editorial cleanups, etc. are planned
For OpenID4VCI, there's increasing interest in the work by others
For instance, by DIF
We want an Implementer's Draft to signify stability and convey IPR protection
Three big issues to resolve before going to Implementer's Draft:
Structure of issuer's metadata: PR #240
Separating the resource server metadata file (or not) - multiple issues
Multiple issuance endpoint
Also "cnonce", attestations, etc., which we may park until we get feedback from implementers
David said that there's still no way for a wallet to indicate exactly what it wants
For instance, only one of multiple degrees from a university
Kristina said that these are related to the multiple issuance endpoint and metadata
It's up to the issuer to decide what's mandatory and optional - not the wallet
Gail reported that the California DMV is planning to use all three specifications
They are moving very quickly
Kristina asked David Chadwick to circulate a demo to the working group that he's been showing
David C. reported that Joseph Heenan has done an initial test, achieving credential issuance
FIDO Authenticate Conference
Gail reported on sessions we'll be having at FIDO Authenticate in Seattle
We will have an overview of the OIDF strategy
We will have a deep dive on FAPI
There will be a 3.5 hour session on OpenID topics
Including OpenID4VP, GAIN, whitepapers, messages for government officials
Heather Flanagan will present on the privacy whitepaper
They will be open to OpenID Foundation members for free
There will be a November 14th OpenID Workshop the day before IIW starts
Mike asked if we've made plans for Kim Cameron award recipients at Authenticate
Don Thibeau has the action item for that
This will be the free Zoom link for the OIDF plenary sessions, 9-12:30pm Pacific Time on Wednesday Oct 19th
This will also be sent out via OIDF Twitter and a blog post. Here is the Zoom link for the OIDF sessions at the FIDO Plenary:
https://zoom.us/j/93339382688?pwd=bVQ5a1N0bjh6eU5XZ25TWjhkdXptZz09
For FIDO Authenticate there is a 20% discount for OIDF members
You can use this code to sign up on the FIDO Authenticate website: 20OIDF22
OIDF talk at Authenticate will be Tuesday afternoon
IIW and OpenID Workshop
Gail updated us about IIW and the OpenID Workshop prior
OIDF Members can also get a 20% Discount on attending IIW, and the places are selling out fast so don't delay.
In spring they did sell out.
Also, here's a 20% discount code you can share with your members if they'd like to attend:
www.eventbrite.com/e/368643531727/?discount=OIDF_XXXV_20
OIDF workshop is targeted to be the day before on 11/14 but we are still waiting to confirm the location, potentially at the Visa office
If that does not work, we may co-locate with IIW (at their invitation)
Jobs for the Future (JFF)
David Chadwick reports that JFF will be holding an OpenID4VC plugfest next week
https://idp.research.identiproof.io
Full descriptions of all resources are here https://ngiatlantic.info
JSON Web Proofs (JWP) Virtual Interim BoF
It will be Wednesday, 2022-10-12 from 13:00 to 15:00 America/New_York (17:00 to 19:00 UTC)
Join at https://meetings.conf.meetecho.com/interim/?short=cd2380f0-b32b-4c48-b6af-9c882205217d
Pull Requests
https://bitbucket.org/openid/connect/pull-requests/
PR #265: static configuration data in openid4vp and siopv2 (Issue #1539)
Kristina revised the PR in response to comments by David Chadwick
David Chadwick discussed the use of the profile as defaults
Mike Jones said that this is above the bar to merge
David Chadwick is happy with the wording now
He asked if we want to move the text out of the Implementation Considerations section
We decided to leave it where it is
Kristina will merge it after the call
PR #310: Clean up of SIOPv2
Kristina wrote a PR with editorial cleanups of the SIOPv2 specification
Reviews are requested
PR #240: Add "type" to OP Metadata (Issues #1566, #1592, #1628)
Kristina, Tobias, and a few others will have a call specific to this PR in the coming week and will report back
Kenichi plans to review the PR
Kenichi's concern about "doctype" is that the doctype element is used to ENCAPSULATE mdoc components,
say "issuer signed item" and "device signed item"
However, it does not seem to have such structure
David Chadwick remarked that the claims are in the local namespace of the credential type
PR #255: Determining if one party may be able to trust a second party.
Kristina asked if there's been progress on this PR
David said that we would only be including a URI for the trust method - not standardizing anything beyond that
He said that he's aware of four trust methods already in use
EduGain, TRAIN, OpenID Federation, yes.com
How they work is up to each scheme to define
PR #299:
George said that error codes can be meaningful to two parties: developers and the code itself
The error_code is intended for information actionable by the code
The error_description is intended for developers
He said that we need to be careful not to leak useful information to attackers
Mike said that George has it exactly right
David Chadwick has the information he needs to be able to update the PR
Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1632: Issuer metadata clarification needed
There's a question about whether resource server metadata should be separate from authorization server metadata
Mike said that there's not a standard for RS metadata
He wrote an individual draft that wasn't adopted by the working group
https://datatracker.ietf.org/doc/html/draft-jones-oauth-resource-metadata
Kristina said that some have asked to not use .well-known for site administration issues
George said that redirections for .well-known URLs are allowed, such as from aol.com/.well-known/openid-configuration to another URL
George advocated for using .well-known
Mike agreed
Mike said we can resurrect the OAuth resource server metadata work if we choose
Next Call
The next call will be Monday, October 3, 2022 at 4pm Pacific Time