[Openid-specs-ab] SIOP Special Topic Call Notes 9-Mar-23

Kristina Yasuda Kristina.Yasuda at microsoft.com
Mon Mar 13 23:08:06 UTC 2023


Thanks a lot Brian for reviewing the PR and the feedback! To add a little color to what is in the minutes… The WG had to start ID2 review for OID4VP last week because an ISO document that references the OID4VP specification is going to publication and needs a stable version to refer to. Having OID4VP referenced by an ISO document opens up a door for it being included in the government procurement process. The ISO use case needed the extended direct_post mechanism, so we incorporated the normative changes that introduced it. I agree with you that the text needs improvement and the editors plan to make an improvement PR early this week. Would really appreciate it if you and the WG could review and help brush up the text for the ID2 vote.

Best,
Kristina


________________________________
From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> on behalf of Brian Campbell via Openid-specs-ab <openid-specs-ab at lists.openid.net>
Sent: Monday, March 13, 2023 3:25:04 PM
To: Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
Cc: Brian Campbell <bcampbell at pingidentity.com>
Subject: Re: [Openid-specs-ab] SIOP Special Topic Call Notes 9-Mar-23

I wasn't able to join this call or the one right before it. But I was asked via a different channel to take a look at the then very recently submitted PR #474 <https://bitbucket.org/openid/connect/pull-requests/474> extending direct_post to support redirect back to the verifier. It had already been merged and published in draft -16 for the Public Review Period for Proposed Second Implementer's Draft <https://openid.net/2023/03/09/public-review-period-for-proposed-second-implementers-draft-of-openid-for-verifiable-presentations-specification/> by the time I was able to look at it (which really wasn't a long time after). I get the intent of the PR but believe there's a lot of opportunity for improvement of the spec text, which I'd argue makes its incorporation into the public review draft premature. I added some commentary to the PR and its author has engaged (thanks Torsten!) but it has already been merged/published and I believe more than little editorial fixes are needed. So, for lack of knowing how best to engage, I'm sending this email. Just as a disclaimer of sorts - because I was asked to review it, the scope/intent of my comment here is only about that particular PR.



On Thu, Mar 9, 2023 at 3:27 PM Mike Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:

SIOP Special Topic Call Notes 9-Mar-23

Mike Jones
David Chadwick
Takahiko Kawasaki
Joseph Heenan
Bjorn Hjelm
Giuseppe De Marco
Judith Kahrer
Kristina Yasuda
Torsten Lodderstedt
Elizabeth Garber
David Waite
Oliver Terbu
Christian Frees
Sebastian Schmittner

Introductions
    Christian Frees and Sebastian Schmittner from the European EPC Competence Center GmbH (EECC) introduced themselves

Hackathon
    Torsten reported that ~20 developers participated in a hackathon last week implementing OpenID4VC

OpenID4VP
    Kristina recapped ISO's desire to ballot their Mobile Driver's License spec
        It must point to a stable spec
        Therefore, we need a second Implementer's Draft
    During the Connect call prior, we merged PR #427 OID4VP: client id format

Pull Requests
    https://bitbucket.org/openid/connect/pull-requests/478 Fixed JARM JWE only encryption language
        Oliver updated a syntax error in the PR
        Merged
    https://bitbucket.org/openid/connect/pull-requests/474 Extended direct_post to support redirect back to the verifier
        Torsten talked about the possibility of overflowing URL size restrictions
        Joseph was concerned about whether this would work on iOS
        Torsten showed us a flow diagram that the PR adds
        David Chadwick and Torsten discussed a possible security consideration that could be described
        Merged
        Some editorial improvements may still be needed

Issues
    https://bitbucket.org/openid/connect/issues?status=new&status=open&component=SIOP&component=Verifiable%20Presentation&component=Credential%20Issuance
    https://bitbucket.org/openid/connect/issues/1551 Administrative Trust in the RP
        David Chadwick requested to keep this open
    https://bitbucket.org/openid/connect/issues/1768 simplify VP Token encoding when only one VP is returned?
        Torsten noted that we want more feedback from implementers before doing this
        Joseph dislikes polymorphic parameters because they can cause testing issues
        Kristina suggested adding text saying that single values must not be returned as an array
        Torsten thinks returning multiple VPs may be an infrequent corner case
        We agreed for Kristina to create a PR to add this clarification and then merge it after editors' review
    https://bitbucket.org/openid/connect/issues/1537 Presenting VC without a VP using OpenID4VP
        Torsten will add a comment about security considerations
    https://bitbucket.org/openid/connect/issues/1863 JARM JWE-only language is not consistent with JARM
        This is addressed by PR #478
        Oliver is closing

New Implementer's Drafts for OpenID4VCI and SIOPv2
    Mike asked when we want to create Implementer's Drafts for the other OpenID4VC specs
    Kristina said as soon as we merge the major PRs
    We discussed adding client_id_scheme to the other specs
        We agreed to do so by reference to OpenID4VP for now
        We might eventually break this out into its own spec

    https://bitbucket.org/openid/connect/pull-requests/384 Add a cwt proof type
        Oliver asked for clarifications on how to represent COSE_Key values
        We discussed changing "Claim Key" to "Label"

Next Call
    The next call will be Monday, March 13th at 3pm Pacific Time
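To make the vp_token clarification agreed under issue 1768 above concrete, here is an added example that is not part of the minutes, of the thread, or of any WG implementation. It is a verifier-side parser for the vp_token response parameter that accepts either a single VP (a compact-serialized string or a JSON object) or a JSON array carrying two or more VPs, and rejects a single-element array, which is the strict reading of the rule Kristina proposed. It also shows the branching Joseph's concern about polymorphic parameters refers to: every accepted shape is a separate path a conformance test has to exercise. The function names, the VPTokenError class and the sample inputs are constructed for this example and are not taken from the specification.

```python
import json
from typing import Any, List, Union

VP = Union[str, dict]


class VPTokenError(ValueError):
    """Raised when the vp_token parameter has a shape the verifier rejects."""


def _is_single_vp(value: Any) -> bool:
    # A single VP is either a non-empty string (compact serialization, e.g. a JWT)
    # or a JSON object (e.g. a JSON-LD presentation). Nothing else qualifies.
    return (isinstance(value, str) and value != "") or isinstance(value, dict)


def parse_vp_token(raw: str) -> List[VP]:
    """Normalise the raw vp_token form parameter to a list of VPs.

    Accepted shapes (constructed reading of the clarification discussed on the call):
      * a bare, non-JSON string such as a compact JWT         -> [that string]
      * a JSON string or a JSON object                        -> [that value]
      * a JSON array of two or more VPs                       -> the array entries
    Rejected shapes:
      * an empty parameter
      * a JSON array with zero or one entries (a single VP MUST be sent bare)
      * arrays containing anything that is not itself a single VP
      * numbers, booleans, null
    """
    if raw.strip() == "":
        raise VPTokenError("empty vp_token")
    try:
        value = json.loads(raw)
    except json.JSONDecodeError:
        # Not JSON at all: a compact serialization (e.g. JWT) is passed through as-is.
        return [raw]
    if _is_single_vp(value):
        return [value]
    if isinstance(value, list):
        if len(value) < 2:
            raise VPTokenError(
                "vp_token array must carry more than one VP; a single VP is sent bare"
            )
        bad = [i for i, v in enumerate(value) if not _is_single_vp(v)]
        if bad:
            raise VPTokenError(f"vp_token array entries at positions {bad} are not VPs")
        return value
    raise VPTokenError(f"unsupported vp_token type {type(value).__name__}")


def rejects(raw: str) -> bool:
    """True if parse_vp_token refuses the input; used to check the negative cases."""
    try:
        parse_vp_token(raw)
    except VPTokenError:
        return True
    return False


# Constructed sample inputs covering each branch; the JWT-like strings are placeholders.
SAMPLES = {
    "bare_jwt": "eyJhbGciOiJFUzI1NiJ9.e30.placeholder-signature",
    "json_object": '{"type": ["VerifiablePresentation"], "verifiableCredential": []}',
    "two_vps": '["eyJhbGciOiJFUzI1NiJ9.e30.sig1", {"type": ["VerifiablePresentation"]}]',
    "single_in_array": '["eyJhbGciOiJFUzI1NiJ9.e30.sig1"]',
    "empty_array": "[]",
    "nested_array": '[["a.b.c"], "d.e.f"]',
    "number": "42",
}


def summarise() -> dict:
    """Map each sample name to the number of VPs parsed, or -1 if rejected."""
    out = {}
    for name, raw in SAMPLES.items():
        out[name] = -1 if rejects(raw) else len(parse_vp_token(raw))
    return out


if __name__ == "__main__":
    for name, count in summarise().items():
        print(f"{name:16s} -> {'rejected' if count < 0 else f'{count} VP(s)'}")
```

The rejection of single-element arrays is the point of the clarification: once the rule is "one VP is sent bare, several are sent as an array", a verifier has two shapes to validate instead of three, and a test suite can check that the wallet never emits the ambiguous third form.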

_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
https://lists.openid.net/mailman/listinfo/openid-specs-ab
