[Openid-specs-ab] SIOP Special Topic Call Notes 2023-07-06
Pedro Felix
pedro.felix at curity.io
Thu Jul 6 15:42:02 UTC 2023
# Attendees:
Brian Campbell
David Luna
Giuseppe De Marco
Joseph Heenan
Juan Caballero
Judith Kahrer
Kristina Yasuda
Martin Riedel
Michael Jones
Oliver Terbu
Pedro Felix
Sudesh Shetty
Torsten Lodderstedt
# External Events
- OSW coming up in London in August - https://oauth.secworkshop.events/osw2023
- IETF 117 in a few weeks. Deadline for new draft versions next Monday (?).
# Pull Requests
- https://bitbucket.org/openid/connect/pull-requests/535 (adding security considerations on the proof replay)
  - Kristina asked for approvals or requests for changes on the PR.
- https://bitbucket.org/openid/connect/pull-requests/524 (add verifier attestation JWT definition and client id scheme)
  - Observation: the verifier attestation JWT is a long-lived JWT, not a short-lived JWT such as a Key Proof JWT.
  - Observation: the verifier attestation JWT does not contain a nonce.
  - Discussion around the use of 'iat' vs. 'nbf', without a final conclusion:
    - 'iat' is typically used in other JWT types.
    - However, a verifier attestation JWT is similar in intent to an X.509 certificate, which uses 'not before' and 'not after'.
    - If using 'iat', then the wallet should reject the verifier attestation JWT if the 'iat' is in the future.
  - Discussion around the need to have a 'jti' and the scalability limitation it introduces when used for replay detection.
  - No final conclusion reached. Kristina asked for more feedback in the PR's comments.
- https://bitbucket.org/openid/connect/pull-requests/524 (add an option to pass scope per credential in issuer metadata)
  - PR is approved and will be merged after the meeting.
  - An issue was created to continue the discussion around scopes: https://bitbucket.org/openid/connect/issues/1981 (OID4VCI: Use of scopes and authorization details); please comment there.
- https://bitbucket.org/openid/connect/pull-requests/551 (feat: [OpenID4VCI] added trust_chain in proof types)
  - Giuseppe commented that both 'x5c' and 'trust_chain' should be allowed to exist in the same JWT. Also, when using 'trust_chain', the 'kid' may still be useful to identify the key used.
- https://bitbucket.org/openid/connect/pull-requests/360 (Add an access token hash to the proof of possession)
  - Protection is provided by the nonce, as recommended in https://bitbucket.org/openid/connect/pull-requests/535
- https://bitbucket.org/openid/connect/pull-requests/487 (add ldp_vp as proof of possession)
  - No comments.
- https://bitbucket.org/openid/connect/pull-requests/542 (adding key proof verification steps)
  - Kristina asked for re-reviews.
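As an added illustration of the 'iat'/'nbf' and 'jti' points debated above for PR 524 (example code, not from the PR or the meeting): a wallet-side check of the time claims of a verifier attestation JWT whose signature has already been verified, plus a 'jti' store for replay detection that is pruned on expiry to keep the scalability concern bounded. The claim names are standard JWT claims; the skew value, function names and sample claims are assumptions.

```python
import time

# Assumption: tolerated clock skew in seconds between verifier and wallet.
ALLOWED_SKEW = 60


class ReplayStore:
    """Minimal in-memory 'jti' store for replay detection.

    This is the scalability issue raised on the call: the wallet must remember
    every 'jti' it has accepted until that attestation's 'exp' has passed.
    Expired entries are pruned so the store does not grow without bound.
    """

    def __init__(self):
        self._seen = {}  # jti -> exp

    def check_and_record(self, jti, exp, now):
        # Drop entries whose attestation has expired; they can no longer be replayed.
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        if jti in self._seen:
            return False  # already accepted once -> replay
        self._seen[jti] = exp
        return True


def validate_attestation_times(claims, now=None, skew=ALLOWED_SKEW):
    """Check 'iat'/'nbf'/'exp' of a long-lived attestation JWT (signature already verified).

    Returns (ok, reason). Either 'iat' or 'nbf' may mark the start of validity,
    mirroring the X.509 'not before' comparison made on the call.
    """
    now = time.time() if now is None else now
    iat, nbf, exp = claims.get("iat"), claims.get("nbf"), claims.get("exp")
    if exp is None:
        return (False, "missing exp")
    if iat is None and nbf is None:
        return (False, "missing iat and nbf")
    # Point from the discussion: if 'iat' is used, a token issued in the future is rejected.
    if iat is not None and iat > now + skew:
        return (False, "iat in the future")
    if nbf is not None and nbf > now + skew:
        return (False, "not yet valid (nbf)")
    if exp <= now - skew:
        return (False, "expired")
    return (True, "ok")
```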
# Issues
- https://bitbucket.org/openid/connect/issues/1814 (what metadata goes into client_metadata parameter)
  - Giuseppe presented some motivation for the existence of signed metadata, namely as a way to express the presentation_definition a verifier is allowed to use/request.
  - Discussion around the use of verifier_attestation as a way to convey these signed metadata items, namely presentation_definition.
  - Discussion around the use of presentation_definition by value or by reference (URI).
Regards,
Pedro Felix