[Openid-specs-ab] SIOP Special Topic Call Notes 17-Aug-23

Joseph Heenan joseph at authlete.com
Thu Aug 17 15:05:19 UTC 2023


Attendees:

Joseph Heenan
Michael Jones
Kristina
David Luna
Felix Linker
Mark Dobrinic
Tom Jones
George Fletcher
Bjorn Hjelm
David Waite
Mark Haine
Niels Klomp
Oliver Terbu





OAuth Security Workshop is next week. Kristina will present on VC topics, Joseph will present on VCP conformance. Felix plans to have an unconference session on the VC BLE spec security.


New digital credentials protocol working group meeting will be on 31st August. Timeslot . Both the DCP WG and the SIOP special calls will continue to run for a bit - the SIOP calls can stop once VCI / VP / etc have got to the next implementers draft as they can then move across to the new working.

SIOP call next week will go ahead as usual. [despite OSW]


PR 608 - wallet notifying of acceptance

Kristina to make some updates, otherwise people were happy.



PR 590 - fix credential error response

Kristina to update based on Joseph’s comments.

Add an extra sentence to say not to use ‘invalid_request’ when we’ve defined a more specific error.



PR 487 add ldp_vp as proof of possession

Oliver hasn’t had time to review latest updates yet - we will wait.



PR 587 - simplify the federation and trust schemes sections

We need to make clear it’s not just for w3c vc data model.



PR 603 Use numeric iat value in encoded examples

George to review



Issues:

https://bitbucket.org/openid/connect/issues/2036/add-propose-presentation-offer

This allows server to server presentation.

Mark questioned if this is necessary as usually such identities are presented by a person acting on behalf of the entity. Needs to be further discussed when Paul Bastian is on the call.


https://bitbucket.org/openid/connect/issues/2020/openid4vci-userpin-description-and-length

Some people had concerns; Kristina asked they add comments to the issues.

Niels commented that the user_pin_length suggestion is good.


Issue 1965

No objections on call, Kristina will create PR


Issue 1777 - VC issuance is vulnerable to unknown key share attacks

Felix would prefer a more rigorous approach and asked if defining the security properties and doing a formal analysis would be better than.

It’s not clear if the attack suggested is a real attack or not.

Kristina suggested discussing next week at OAuth Sec Workshop.



