[Openid-specs-ab] OpenID Connect WG meeting notes - 12/19/24
George Fletcher
george.fletcher at capitalone.com
Thu Dec 19 16:58:58 UTC 2024
For those in attendance, please review and provide any updates,
corrections, or additions!
Attendance:
Mike Jones
Vladimir Dzhuvinov
Joe DeCock
Samuel Rinnetmaki
Roland Hedberg
Lukasz Jaromin
Marcus Almgren
Brock Allen
Oliver Terbu
Michael Fraser
Joseph Heenan
Steffen Allner
George Fletcher
1. Welcoming new attendees and introductions
   1. Attendees each introduced themselves and what they are working on
2. Antitrust Policy <https://www.openid.net/antitrust> and IPR Agreement <https://openid.net/wg/connect/> reminders
3. Upcoming Events
   1. FIDO Plenary, Feb 4-6, Melbourne, Australia
   2. OAuth Security Workshop <https://oauth.secworkshop.events/osw2025>, Feb 26-28, Reykjavik, Iceland
   3. IETF 122 <https://www.ietf.org/meeting/122/>, Mar 15-21, Bangkok, Thailand
   4. OpenID Workshop and IIW <https://internetidentityworkshop.com/>, Apr 7-10, Mountain View, California
4. Vote to Approve Proposed Third Implementer’s Draft of OpenID4VP <https://openid.net/foundation/members/polls/346>
   1. Encourage all members to visit the URL and vote
5. Call Schedule
   1. Next call Thursday, Jan 2, 2025 (Atlantic)
   2. Then Monday, Jan 6, 2025 (Pacific)
6. Overview of Active Specifications <https://openid.net/wg/connect/specifications/>
   1. OpenID Connect Native SSO for Mobile Apps <https://openid.net/specs/openid-connect-native-sso-1_0.html> (repository <https://bitbucket.org/openid/connect>)
   2. OpenID Federation <https://openid.net/specs/openid-federation-1_0.html> (repository <https://github.com/openid/federation>)
   3. OpenID Federation Extended Subordinate Listing <https://openid.net/specs/openid-federation-extended-listing-1_0.html> (repository <https://github.com/openid/federation-extended-listing>)
   4. OpenID Federation Wallet Architectures <https://openid.net/specs/openid-federation-wallet-1_0.html> (repository <https://github.com/openid/federation-wallet>)
   5. OpenID Connect Relying Party Metadata Choices <https://openid.net/specs/openid-connect-rp-metadata-choices-1_0.html> (repository <https://github.com/openid/rp-metadata-choices>)
7. Federation Certification
   1. Report by Mike on status and plans for certification for OpenID Federation
      1. Marcus and the certification team wrote an initial set of certification tests: data structure validation for entity statements
      2. For those who have working deployments, URL of test nodes and trust anchor information. Useful for testing the tests as well as ensuring the code is working as the tests expect
      3. [Marcus] the tests are started but not complete. Focusing on metadata validation.
         1. for certification purposes ... not certifying a complete federation. certifying a single entity in a federation
         2. need to address superiors and subordinates
         3. in testing the Italian production endpoints... returns a list of over 2000 entities... walks the list and validates subordinates and entities
            1. test suite is not designed to handle a list of this size
      4. [Lukasz] should the test suite be tested with different size federations
      5. [Marcus] the issue is how to test very large result sets
      6. [George] the problem is more about the scale of the federation and the amount of work that is required to do all the validations
      7. [Marcus] the test suite doesn't have control over the size of the federation that is requesting certification
      8. [Joseph] want to test the production federations and not QA or test versions
      9. [Samuel] are we talking of certification of software or the deployed federation (data content)
      10. [Mike] agrees with Samuel's question(s) - it's impossible to test software without it being deployed -- always testing a deployment.
          1. regarding the question of size: the list endpoint is returning a list of the URLs of the subordinates
          2. Is a list of 2000 an issue for testing a single node?
      11. [Marcus] testing a single node is not an issue
          1. however with the Italian federation hundreds of the URLs cannot be fetched
      12. [Mike] recommends sending the entities that failed to the Italian federations
      13. [Roland] there has been a request to get paginated results from the list endpoint. Walk the list in buckets of 20 or 30 URLs
      14. [Mike] the federated extended listing endpoint allows for pagination
      15. [Mike] agreement in principle between federation editors and Marcus is to write tests for automated registration
   2. Any deployments you’d like to have tested?
8. Federation Policy Operators
   1. Report from Vladimir about formal analysis of policy operators
      1. [Vladimir] The sec researchers from Uni Stuttgart who were contracted by the OIDF to analyse the Federation spec did an excellent job and discovered important spec issues which were addressed or are going to be addressed soon. I understood their model has a limitation that prevents it from analysing a part of the Federation spec -- the metadata policy language. Because of that, thanks to Jonas Primbs, who's a regular presenter at the OSW, we received a contact at Uni Tuebingen and the researchers Etienne Zink, Prof. Klaus Ostermann and Prof. Michael Menth who agreed to investigate and report to us how the correctness of the policy language can be formally analysed and proven. The objective is to come up with a framework (expressed as a Prolog tool) to enable us to check the correctness of the policy language as well as enable the evaluation of future custom operators.
         Once we have this framework / tool or at least a preliminary indication that the policy language is correct, we'll be able to fully respond to PRs 129, 111, 112 and 11.
   2. Issues and PRs
      1. https://github.com/openid/federation/issues/129 Clarify where combination rules apply
      2. https://github.com/openid/federation/pull/111 Combining “add” and “superset”
      3. https://github.com/openid/federation/pull/112 Combining non-conflicting values
      4. https://github.com/openid/federation/issues/11 Notes on metadata policy operators
      5. https://github.com/openid/federation/issues/35 Metadata policy on JSON object values
9. Newer Federation Issues
   1. https://github.com/openid/federation/issues/167 Privacy Considerations
   2. https://github.com/openid/federation/issues/166 Trust Mark Validation
   3. https://github.com/openid/federation/issues/165 Use of Duplicate Trust Mark IDs
   4. https://github.com/openid/federation/issues/147 Client Authentication and Automatic Registration
   5. https://github.com/openid/federation/issues/100 Federation Integrity issue
      1. For context, see Vladimir’s post https://connect2id.com/blog/how-to-link-an-app-protocol-to-an-openid-federation-trust-layer
10. Publishing next version of OpenID Federation Extended Subordinate Listing <https://openid.net/specs/openid-federation-extended-listing-1_0.html>
    1. https://github.com/openid/federation-extended-listing/pull/7 Editorial updates
11. Next steps for OpenID Federation Wallet Architectures <https://openid.net/specs/openid-federation-wallet-1_0.html>
    1. What issues at https://github.com/openid/federation-wallet/issues to tackle next?
12. Assuming we still have time, anything else!
    1. Issue #100 ?? - See item 9.e
       1. Federation integrity: <Vladimir insert link please:)>
          1. [Marcus] security researchers validating 4 security properties. 3 ok, the 4th "Federation Integrity" didn't
             1. trust anchor mixup -
             2. Do we need to prove this security property in a federation? Researchers feel this is blocking them.
          2. [Vladimir] desire to provide OpenID Federations to prove the "federation integrity" if the federation desires it
             1. provide two trust chains <I missed the rest of this>
             2. What changes are required to support this will require more work
    2. Conformance tests for federations
    3. Performance of very large result sets
    4. Native SSO for Mobile Apps
       1. Publish a draft that works the way it does now. George to clean up the current draft.
       2. Wait for the new year to look at removing dependence on the id_token in the spec