[Openid-specs-ab] Spec Call Notes 27-Nov-23
Michael Jones
michael_b_jones at hotmail.com
Tue Nov 28 00:06:02 UTC 2023
Spec Call Notes 27-Nov-23
Mike Jones
Victor Lu
Dima Postnikov
Tom Jones
DCP Pacific-friendly call time
There have been requests to institute a Pacific-friendly DCP call
As data points
This call is at 4pm Pacific Time
For Dima in Eastern Australia, this call is 10am. He could make 8am or 9am his time as well.
For New Zealand, this call is at noon
For Japan, this call is at 8am
Look for a Doodle poll
Dima led a discussion on allowed claims and Client Registration
He'd spoken with Nat and Mark Haine about it
ConnectID runs an ecosystem where a central authority accredits RPs
Including what claims they're eligible to receive
They're using a software_statement at client registration time
What to do if an RP requests a claim that it's not eligible for?
It's not an error to not receive a requested claim
Not having consent to release a claim is another reason to not return a claim
There's also unmet_authentication_requirements
https://openid.net/specs/openid-connect-unmet-authentication-requirements-1_0.html
RFC 6749 talks about being able to ignore scopes
https://www.rfc-editor.org/rfc/rfc6749.html#section-3.3
And it defines invalid_scope
The requested scope is invalid, unknown, or malformed.
Pull Requests
https://bitbucket.org/openid/connect/pull-requests/
PR #667: fix: [Federation] Subordinate Entity definition
Merged
PR #672: [Federation] Tighten Client Registration section
Merged
PR #673: [Federation] Tightened appendix examples
To be merged after resolving merge conflicts
PR #674: [Federation] security consideration - rewording and static trust chain
How can we prevent resource consumption attacks?
More reviews requested
Tom said that these are a form of denial of service attacks
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open&status=submitted&is_spam=!spam
#2088: [Federation] tls_client_auth as a request authentication method
Discussions on use of the Subject Alternative Name
Tom said that some of this information isn't even surfaced to the application
Mike wondered how these decisions relate to those made in https://www.rfc-editor.org/rfc/rfc8705.html
OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
It would be good to have John Bradley look at this
Next Call
The next call is scheduled for Thursday, November 30, 2024 at 7am Pacific Time
However, this conflicts with the IESG telechat, so Mike will likely not be able to attend
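As an added illustration (not part of the call notes and not ConnectID or OpenID Foundation code), a small Python model of the decision discussed above: claims the RP is not eligible for (per its accreditation, which ConnectID conveys in the software_statement) or for which the user gave no consent are omitted without an error, as OpenID Connect Core 5.5.1 requires, while an unrecognised scope value is either ignored or rejected with invalid_scope as RFC 6749 section 3.3 permits. The SCOPE_CLAIMS table follows OpenID Connect Core 5.4; the eligible and consented claim sets are assumed inputs already extracted from the software_statement and the consent record.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# OpenID Connect Core 1.0 section 5.4: standard scope values and the claims they request
SCOPE_CLAIMS: Dict[str, Set[str]] = {
    "openid": set(),
    "profile": {"name", "family_name", "given_name", "birthdate", "picture"},
    "email": {"email", "email_verified"},
    "phone": {"phone_number", "phone_number_verified"},
    "address": {"address"},
}

@dataclass
class Decision:
    error: Optional[str]        # "invalid_scope" or None
    granted_scope: List[str]    # scope values actually honoured (RFC 6749 section 3.3)
    released_claims: Set[str]   # claims that may go into the ID Token / UserInfo response
    omitted_claims: Set[str]    # requested but withheld; this is not an error

def claims_from_claims_param(claims_param: Optional[dict]) -> Set[str]:
    """Flatten the OIDC Core 5.5 `claims` request parameter to a set of claim names.
    Whether a claim is marked essential is ignored on purpose: Core 5.5.1 says the
    OP MUST NOT error when a claim is not returned, essential or not."""
    names: Set[str] = set()
    for target in ("userinfo", "id_token"):
        names |= set((claims_param or {}).get(target) or {})
    return names

def decide(requested_scope: str, claims_param: Optional[dict],
           eligible_claims: Set[str], consented_claims: Set[str],
           reject_unknown_scope: bool = False) -> Decision:
    """Decide what an OP releases for one authorization request.
    eligible_claims: what the RP is accredited to receive (assumed to come from
    its software_statement). consented_claims: what the End-User agreed to release."""
    scopes = requested_scope.split()
    unknown = [s for s in scopes if s not in SCOPE_CLAIMS]
    # RFC 6749 section 3.3: the AS MAY ignore scope it does not recognise, or fail
    # the request with invalid_scope ("invalid, unknown, or malformed"). Ecosystem policy chooses.
    if unknown and reject_unknown_scope:
        return Decision("invalid_scope", [], set(), set())
    granted = [s for s in scopes if s in SCOPE_CLAIMS]
    requested = set().union(*(SCOPE_CLAIMS[s] for s in granted)) | claims_from_claims_param(claims_param)
    # Ineligibility and missing consent are both reasons to withhold a claim; neither is an error.
    released = requested & eligible_claims & consented_claims
    # If granted differs from what was asked, RFC 6749 3.3 requires echoing the actual
    # scope in the token response; the caller does that from granted_scope.
    return Decision(None, granted, released, requested - released)
```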