[Openid-specs-ab] Call for Working Group Adoption of OpenID Federation Wallet Architectures 1.0
Kristina Yasuda
yasudakristina at gmail.com
Fri Aug 9 16:14:36 UTC 2024
Hi All,
Unfortunately, I do not support adoption of this draft in its current form.
I agree that "OpenID Federation entity types for digital wallet
architectures" has to be defined. However, this draft in its current form
seems to be doing much more than what is listed in the abstract.
*Please do not adopt this draft until all the changes that define OpenID4VP
or OpenID4VCI parameters that are not currently defined in those specs
right now are removed from this document.* Regarding which parts
specifically would cause confusion and will impact interoperability, my
observation matches those listed in Joseph's email below.
Also, some parts of the document resemble the profile of OpenID4VP/VCI,
where you do not define a new parameter, but repeat the parameters already
defined in OpenID4VC specs. I do not have a strong opinion which way to go,
but if you would like to keep those, please modify the abstract and clarify
that that's what is happening.
I also have concerns with the process, or to put it another way, I worry that
my feedback would not be addressed appropriately.
The call of adoption started without properly discussing Joseph's concerns
posted before call of adoption (
https://lists.openid.net/pipermail/openid-specs-ab/2024-July/010347.html),
and the minutes of a Connect WG call where the call for adoption started
do not even mention Joseph's feedback:
https://lists.openid.net/pipermail/openid-specs-ab/2024-August/010352.html.
Yes, Giuseppe responded to Joseph's email, but the nature of the feedback
required more discussion in my opinion.
Moreover, the minutes of a Connect WG call that happened after Joseph's
email not supporting adoption say "[Openid-specs-ab] Call for Working
Group Adoption of OpenID Federation Extended Subordinate Listing 1.0 All
respondents so far support adoption", which could have been an oversight,
but please be precise.
The nature of the comments not supporting adoption is not something that
should be addressed after adopting the document.
(The text above is with DCP WG chair hat 'off'. Now, below is with DCP WG
chair hat 'on'.) Next time, if a draft related to OpenID4VC or wallets comes
up in the Connect WG, please mention it in the DCP WG. I think this work
needs to be discussed in DCP WG, too. Please join DCP WG at your
convenience, and we will put it on the agenda.
Thank you,
Kristina
On Thu, Aug 8, 2024 at 2:01 PM Joseph Heenan via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:
> Hi all
>
> Unfortunately I am sad to say that I do not support the adoption of this
> document as it currently stands. I would have liked to have a discussion on
> a working group call about it, but due to travel I’m unable to join today’s
> working group call so I thought it best to express my sentiments in writing
> instead. It is unfortunate that the call for adoption was started without
> the promised discussion at a Thursday working group meeting
> <https://lists.openid.net/pipermail/openid-specs-ab/2024-August/010349.html> happening
> first.
>
> Firstly, it is important to say that I am very supportive of working on a
> profile of OpenID Federation for Wallets, and as a work like that would be
> at the intersection of the various specifications it could happen in the
> same place as the Federation specs or it could happen in the same place as
> the other digital credentials work is happening.
>
> This document however has not restricted itself to being a profile of
> OpenID Federation for Wallets, and hence it must not be adopted in the
> Connect WG in its current form. Adopting it would cause considerable
> confusion for implementors and specification authors, which would be
> harmful.
>
> The following parts of the document are not solving a problem specific to
> federation and hence I believe should not be included in an “OpenID
> Federation Wallet Architecture”:
>
> 4. Wallet Instance Types (this just seems out of place in general as the
> terms defined don’t seem to be used in the rest of the specification)
>
> 6.1. Metadata for OpenID Wallet Provider (in particular the new
> ‘aal_values_supported’)
>
> 6.2 Metadata for the OpenID Credential Issuer
>
> 6.3. Metadata for OpenID Wallet Relying Party (in particular the new
> ‘request_uris’, ‘response_uris_supported’,
> ‘presentation_definitions_supported’ items are generic mechanisms that, if
> they need to be defined and solve the stated problem, should be defined in
> the VCI specification, and ‘jwks’ is a little borderline and rather
> underdocumented as it’s not clear how it interworks with the existing
> non-federation mechanisms, e.g. the .well-known mechanism for credential
> keys defined in I think SD JWT VC)
>
> 6.3.1. Security Considerations About The Parameters request_uris And
> response_uris_supported (this section is also I believe technically
> incorrect, URL fragments don’t work like this and this is not the same way
> Connect uses URI fragments in request uris, and there are good reasons why
> the JAR RFC dropped the URI fragments)
>
> 6.3.2. Security Considerations About The End-User's Data Protection Using
> presentation_definitions_supported
>
> I would say in general that the text is not clear about what is new
> normative text and what is repeating what is already normative in other
> specifications. (I have not thoroughly reviewed the document so I may have
> more comments in the future.)
>
> I would agree that one or two of these issues could be fixed after
> adoption, but I believe there are substantive enough issues to not proceed with
> adoption until they are resolved and the overall form and intent of the
> document that is to be adopted is clearer (e.g. the document title is
> aligned with the content). I should be able to join the Thursday call in 2
> weeks time to further discuss anything.
>
> (For clarity, this email is sent with my Authlete ‘hat’ on.)
>
> Thanks
>
> Joseph
>
>
>
> On 6 Aug 2024, at 02:15, Michael Jones via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
> The OpenID Federation Wallet Architectures 1.0 specification was
> contributed to the working group last week at
> https://lists.openid.net/pipermail/openid-specs-ab/2024-July/010345.html.
> Per the decision on today’s working group call, this note starts a two-week
> call for working group adoption of the specification, running until Monday,
> August 19, 2024. Please reply to this e-mail indicating whether you
> support adoption and providing feedback on the specification.
>
> This specification is a starting point – not an endpoint. If adopted, it
> can and will be revised by the working group.
>
> This specification largely records what the Italian wallet deployment is
> actually doing.
>
> For your convenience, this specification is hosted at
> https://github.com/peppelinux/federation-wallet/ and rendered HTML can be
> viewed at https://peppelinux.github.io/federation-wallet/main.html.
>
> -- Mike (writing as working group co-chair)
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>