[Openid-specs-ab] FW: Meeting notes AB/Connect WG Atlantic call, 2024-05-02
Michael Jones
michael_b_jones at hotmail.com
Thu May 2 15:00:00 UTC 2024
From: Marcus Almgren <marcus.almgren at oidf.org>
Sent: Thursday, May 2, 2024 7:56 AM
To: michael_b_jones at hotmail.com; Joseph Heenan <joseph.heenan at oidf.org>; Filip Skokan <filip.skokan at oidf.org>; Bjorn Hjelm <bjorn.hjelm at oidf.org>; tim.cappalli at okta.com
Cc: openid-specs-ab at lists.openid.net
Subject: Meeting notes AB/Connect WG Atlantic call, 2024-05-02
(I put openid-specs-ab at lists.openid.net on cc here but might not be allowed to post to it, so please re-share it there if needed.)
Meeting notes AB/Connect WG Atlantic call, 2024-05-02
Participants:
Mike Jones
Filip Skokan
Joseph Heenan
Tim Cappalli
Bjorn Hjelm
Marcus Almgren
Ongoing stuff in related WGs:
Mike J mentions the following topics for this WG to be aware of:
* A bunch of stuff has been added to [OAUTH-WG] WGLC for Browser-Based Apps
* There will be a second call, 2nd OAuth last call for Resource Metadata
* JOSE Fully-Specified Algorithms upcoming. Filip will reach out to the WG regarding pre-registration.
* The DCP WG is actively working on an appropriate query language for OpenID for VP. It's on the agenda for the DCP WG call following this one.
Certification tests for Federation:
* We met with several stakeholders regarding certification tests for Federation, Dima representing ConnectID, Giuseppe from Italy etc.
* Mike has a spreadsheet with 35 tests that can be executed against a deployed federation, verifying trust chains etc.
* It was discussed to also look at incorporating the tests from the Italian federation.
* There are items in both of the sources mentioned above that are not in the intersection between them. Some with backing in the spec, some not.
* The goal is to have a "bite-sized set of tests" that we could have available sooner rather than later.
* Joseph: We're waiting to get the federation spec and reference implementation from Dima.
* Mike: The goal is to have a set of tests that will be common for any and all implementers of the Federation spec.
Formal verification ("security analysis") of Federation:
* Mike Jones volunteers to be the contact person for the researchers during the formal verification work on Federation that is set to start on June 15th.
* For a lengthier explanation on what this is about, please refer to the section at the end of these meeting notes.
Open PRs:
* 731, 732 by Giuseppe about pagination in subordinates. In a discussion between Dima and Michael Frasier, it was mentioned that ecosystems have features/processes to verify the "legality" of a federation participant. Currently, that is a flat data structure that perhaps doesn't capture everything needed. None of these are currently ready.
* Remaining open PRs are about spec refinements.
Issue tracker:
* 2115: POST to authorization endpoint. This is currently being worked on in https://gitlab.com/openid/conformance-suite/-/issues/1293.
* 2074: Mike speculates if this should be covered in OAuth BCP and will check with Daniel F on that topic.
***
About the formal verification of Federation:
The Foundation has engaged University of Stuttgart and their researchers to do formal verifications, or "security analysis" of a set of specifications. There have been several rounds, for example last year it was FAPI2 message signing, DCR, DCM and FAPI-CIBA, then OpenID for VC and, most recently, the Transmitter Configuration Discovery of the Shared Signals Framework.
Each round of formal verification is split into two parts: First there is a modeling phase which consists of creating a formal model of the specification and to "identify and formalize relevant security properties and necessary assumptions in alignment with the requirements."
This phase is then followed by a phase of proving the formalized security properties within the formal model. This might lead to the identification of vulnerabilities and attacks, and in those cases, potential fixes are identified and/or underlying assumptions modified until completion of the proof.
The reason for doing these formal verifications is to promote the use and adoption of the specifications, in order to facilitate for decision-makers and various ecosystems to adopt them.
Anyway, on June 15th, this exercise will begin for the OpenID Federation 1.0 specification. The modeling phase is estimated to end on September 15th, immediately followed by the actual verification phase, and then early 2025 the proof is expected to be completed and the final report delivered.
The researchers, Tim Würtele and Pedram Hosseyni and their supervisor Ralf Küsters, are - perhaps needless to say - experienced and highly competent. But what we've seen in previous rounds is that there is a need for them to have a liaison or contact person in the working group. There might be questions, assumptions that need to be clarified, feedback from the researchers that needs to be fed back to the working group for analysis and so on. It should be that this is usually not a heavy burden. In the FAPI2 round, it was handled by Dave Tonge and in Shared Signals, Shayne Miel did it - and it's now a polite request that we find the equivalent person for this for Federation.