[Openid-specs-ab] Spec Call Notes 23-Feb-23
Mike Jones
Michael.Jones at microsoft.com
Thu Feb 23 23:57:50 UTC 2023
Spec Call Notes 23-Feb-23
Mike Jones
Filip Skokan
Brian Campbell
Nat Sakimura
John Bradley
Joseph Heenan
Bjorn Hjelm
Pieter Kasselman
Kristina Yasuda
IETF Meeting in Yokohama
The draft submission cutoff is Monday, March 13th
EIC
The deadline for EIC submissions is Tuesday, February 28th
OpenID Workshop
It will be the day before IIW - Monday, April 17th
Joint meeting with ISO/IEC JTC1/SC27
Nat said that there is interest in a joint meeting with ISO/IEC JTC1/SC27
He will raise the possibility at the next meeting
It is responsible for cryptography, identity, and privacy work
Pull Requests
https://bitbucket.org/openid/connect/pull-requests/
PR 448: [Federation] Added appendix on using Web PKI cryptographic trust
Mike needs to update this to address comments by Torsten and Kristina
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
There were no untriaged open issues
Joseph asked how scope values should be encoded in authorization requests
In particular, whether to encode the space separators as %20 or +
John said that browsers will change things, so servers need to be prepared to accept either
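To illustrate the point above about accepting either encoding of the space separator: the example below is added here and is not code from the call or from any OpenID implementation. It contrasts a server that only percent-decodes the query (and therefore mis-reads "openid+profile" as a single scope value) with one that applies application/x-www-form-urlencoded decoding, which maps both %20 and + to a space, and also rejects a duplicated scope parameter as RFC 6749 requires.

```python
from urllib.parse import parse_qs, unquote


def parse_scope_naive(query_string):
    """Server that only percent-decodes the query.

    Handles 'scope=openid%20profile' correctly but leaves a '+' sent by a
    browser as a literal plus sign, yielding the bogus scope 'openid+profile'.
    """
    values = []
    for pair in query_string.split("&"):
        name, _, value = pair.partition("=")
        if name == "scope":
            values.append(unquote(value))
    if len(values) != 1:
        return None
    return values[0].split()


def parse_scope(query_string):
    """Server that applies form-urlencoded decoding, so both %20 and '+'
    become a space, then splits the value on whitespace.

    Returns None when the scope parameter is missing or appears more than
    once: RFC 6749 forbids repeating a parameter, and silently taking the
    first or last copy would let two layers disagree on the granted scope.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("scope", [])
    if len(values) != 1:
        return None
    return values[0].split()


if __name__ == "__main__":
    # Constructed sample requests showing both encodings a client might send.
    for qs in ("response_type=code&scope=openid%20profile",
               "response_type=code&scope=openid+profile"):
        print(qs, "->", parse_scope_naive(qs), "vs", parse_scope(qs))
```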
Certification Update
Joseph updated us on work that the certification team is doing
The main current focus is the FAPI 2 tests
Saudi Arabia is using FAPI 1 Advanced
There are multiple certifications for Saudi institutions, with more to come
They are also testing RPs
Brazil is mandating RP certification for open insurance
Filip asked about OpenID Connect certifications
Joseph said that new Connect certifications have been slow
Joseph said that the majority of their time is going to ecosystem-specific certifications
Mike asked about testing for OpenID4VC and Federation
There is funding in the OpenID budget for these, plus some directed funding for OpenID4VC
Joseph said there's not yet clarity on what tests should be created
Mike reminded us that it's the job of the working group to define certification test criteria
https://bitbucket.org/openid/connect/issues/1464/conformance-testing-for-siop-vp links to a doc on eKYC Conformance Testing and Certification
There's a new certification team member coming on next month
Implementation bug for encrypted refresh tokens
John asked about a bug in validating encrypted refresh tokens in a Microsoft system
https://securityboulevard.com/2023/02/technical-advisory-azure-b2c-crypto-misuse-and-account-compromise/
https://www.praetorian.com/blog/azure-b2c-crypto-misuse-and-account-compromise/
Microsoft fixed their implementation
We believe this was an implementation bug - not a protocol bug
John reiterated that encryption without signing is not sufficient
Kristina said that ISO wants encryption using ephemeral keys (which isn't related to the bug)
Kristina and John have performance concerns with that
OpenID4VCI Implementer's Draft Plans
On a recent SIOP call, there was agreement to take OpenID4VCI to Implementer's Draft
Kristina said that Taka has been filing good issues
We may address some of them before going to Implementer's Draft
Mike said that we typically do a 1-2 week working group last call on proposed Implementer's Drafts
OpenID draft template
Bjorn asked if there is a template for creating new OpenID specifications
Mike said that there isn't - people typically just take an existing spec and change it
Bjorn said that the MODRNA working group is planning on an extension to CIBA
Next Call
The next call will be Monday, February 27th at 3pm Pacific Time