[Openid-specs-ab] 2024-01-18 SIOP/DCP meeting notes
Joseph Heenan
joseph at authlete.com
Thu Jan 25 09:09:54 UTC 2024
(These were done using the Zoom AI companion and then manually fixed up a bit, so the format is quite different to the normal manually taken minutes)
Date: 18th January 2024
Attendees:
Torsten Lodderstedt
Sudesha Shetty
Mike Varley
Oliver Terbu
Paul Bastian
Judith Kahrer
Daniel Fett
Pedro Felix
David Chadwick
Fabian Hauck
Christian Bormann
Giuseppe De Marco
Kristina Yasuda
Bjorn Hjelm
Brian Campbell
Joseph Heenan
Torsten announced he would have less time to dedicate to the group due to his role leading the German wallet project. As a result, Joseph was invited to join and assist with chairing. There was a lot of support and no objection to this proposal, and Joseph was welcomed as a co-chair of the DCP Working Group.
Authorization Details Modifications Debate
The team discussed changes to the authorization details. Torsten expressed concerns about the removal of the option to specify the format and credential type explicitly, which he believed reduced the usefulness of the authorization details. He suggested reintroducing the functionality of having a credential format and type identifier. However, Joseph, Kristina, and others argued that mandating server metadata could complicate implementation and that the current structure of authorization details already allows for out-of-band agreement between the wallet and the issuer. The team did not reach a consensus on the matter.
The meeting primarily revolved around technical aspects, focusing on metadata implementation, challenges, and potential solutions. Kristina suggested adding back format into the authorization details. The conversation then shifted to the topic of credentials and configurations, with Paul and Torsten engaging in a discussion. The topics of credential offer and preconfiguring of credentials were discussed. Torsten also brought up the possibility of a wallet and the challenges posed by high traffic cases.
Kristina brought up Microsoft's implementation of scopes and issue metadata, comparing it to the current approach. She expressed concerns and suggested a potential replacement in the second implementer's draft, but also noted the lack of sufficient implementation experience for this decision. Giuseppe shared about aligning the Italian implementation profile with the draft and the reaction of developers to changes. The team agreed to keep the current format and type but not make it mandatory to avoid breaking changes. The meeting, however, was characterized by a disjointed discussion with unclear topics, mentioning several unrelated subjects including software, petitions, and records. No specific decisions, alignments, next steps, action items, or open questions were identified.
The team, including Kristina, Joseph, Pedro, and Torsten, discussed what would be mandatory for authorization servers. The main point of contention was whether the server needed to support both the credential configuration and format options if it supported metadata. Kristina clarified that if the server was exposing metadata, it needed to support both options. However, if the server wasn't exposing metadata, there was no need to support the credential configuration ID. Towards the end, Pedro suggested that if the server exposes metadata, then the only supported option would be the credential configuration ID, making the server easier to implement.
Kristina suggested that the change should not be implemented before ID. There were concerns raised about the attractiveness of metadata and the requirements for critical configurations. Kristina clarified that the issue was not about questioning the value of metadata, but acknowledging that there are some implementations that are not using metadata. David pointed out that fetching metadata is an extra exchange that needs to be done. The team agreed to revisit the issue within a week.
Kristina discussed the decision to provide two options for metadata configuration, which should satisfy developers. Later, Giuseppe brought up a concern raised by an expert group about the need for multiple wallet attestation for credential issuance. This led to a discussion about the potential problems and differing opinions on the matter.
Kristina announced the results of a poll for call times, with the Europe-friendly call to start an hour later each week, and the Asia-friendly call to be weekly for the first few months then reviewed depending on attendance. She also urged the team to continue reviewing the VCI draft until the foundation-wide review begins, after which the focus will shift to the VP.
Next steps
• Discuss and decide on the mandatory use of server metadata in the protocol.
• Consider adding the format back into the authorization details for now, as it is not mandatory.
• Kristina will send out an email with the poll results and adjusted meeting times.