[Openid-specs-ab] SIOP Special Topic Call Notes 20-Jul-23

Michael Jones michael_b_jones at hotmail.com
Thu Jul 20 15:24:43 UTC 2023


SIOP Special Topic Call Notes 20-Jul-23

Mike Jones
Kristina Yasuda
Mike Leszcz
Felix Linkler
Brian Campbell
Bjorn Hjelm
David Waite
Dmitri Zagidulin
Joseph Heenan
Mark Dobrinic
Nander Stabel
Pedro Felix
Oliver Terbu

IETF
              The deadline to upload OAuth slides is Friday
https://datatracker.ietf.org/meeting/117/session/oauth

OSW
              https://oauth.secworkshop.events/osw2023
              Registrations are open

Digital Credentials Protocols Working Group
              The new Digital Credentials Protocols working group was approved
              There isn't a deadline to sign a new Contribution Agreement
                           One is needed if your existing agreement doesn't specify the "all working groups" option
              We likely need to continue work on some specs in the Connect working group for a bit longer
              Kristina observed that we may need to create Implementer's Drafts to transition some of the specs to the new WG

Merging Policy
              Kristina said that PRs will be merged once there are approvals from two editors and sufficient time to review
              Taka had requested that we not spend time on the calls discussing editorial PRs

Pull Requests
              https://bitbucket.org/openid/connect/pull-requests/
              PR #542: adding key proof verification steps
                           Needs additional reviews
              PR #551: feat: [OpenID4VCI] added trust_chain in proof types
                           There are enough approvals to merge
              PR #557: Adds encrypted credential response
                           Oliver believes changes need to be made based on Kristina's comment
                           Change to have the issuer request encrypted responses
                           Requested encryption "alg" and "enc" have been added to the issuer metadata
                           Brian thought it would be weird to also have a require_encryption metadata parameter
                           Brian thought that using jwks is overkill - only one key is needed
                                         Mike observed that you can tell what algorithms the recipient supports through metadata
              PR #577: add security considerations on TLS (Issue #1621)
                           We will reference the TLS BCP
              PR #455: OID4VP add train client id scheme
                           Needs additional reviews
              PR #570: clarify requirements when credential offer is not signed (issue #1687)
                           Clarifications about whether to use alg:none are needed
              PR #360: Add an access token hash to the proof of possession
                           We plan to close this unless Richard says why not to
              PR #559: Change last_name to family_name
                           Ready for merging
              PR #560: Change driver's license to driving license
                           Ready for merging
              PR #561: Tighten Introduction
                           Needs another editor approval to merge

Findings on BLE
              Felix Linkler told us about his OpenID4VP over BLE findings
              Used the Tamarin prover to analyze the protocol
              Abstracted protocol to enable modelling using a formal model
              One property is Secrecy
              Another property is Injective Agreement
              The design should meet certain security requirements against a certain adversary
                           Specify both!
              Felix will file issues requesting additions/changes
              Kristina observed that we will want to work on this spec in the new working group
                           But it's fine to file issues in the Connect working group in the meantime

Issues
              https://bitbucket.org/openid/connect/issues?status=new&status=open&component=SIOP&component=Verifiable%20Presentation&component=Credential%20Issuance
              #1923: OID4VCI: Enable issuance of the same credential type
                           Kristina asked if it would be useful to add identifiers
                           If so, also add to Credential Offer
                           The identifiers would be managed by the issuer
                                         Pedro Felix said that their meaning would be opaque to the Wallet
                           Kristina said that when the Wallet receives two identifiers, it should know to send two credential requests
                                         Kristina talked about ways that the identifiers might not be opaque
                           More reviews are requested
                           An example about multiple birth certificates for multiple children was discussed

Next Call
              The next call would be Monday, July 24th at 4pm Pacific Time but this conflicts with IETF
                           The call may be cancelled
