[Openid-specs-ab] Minutes for April 17th
Joe DeCock
joe at duendesoftware.com
Thu Apr 17 15:27:16 UTC 2025
Below are my notes from today's meeting. Please feel free to respond with
corrections or additions if I have misunderstood or left out anything.
-Joe
# Connect/AB Minutes for April 17, 2025
## Attendees
Mike Jones, Chair
Nat Sakimura, Chair
Joe DeCock, Notetaker
Aaron Parecki
Andy Barlow
Dick Hardt
Filip Skokan
George Fletcher
Marcus Almgren
Samuel Rinnetmäki
## Upcoming Events
### OpenID Federation Interop, April 28-30, hosted by SUNET in Stockholm
- Sign up in the attendee spreadsheet
- Run the Federation Certification Tests
## OpenID Connect Claims Aggregation
### https://bitbucket.org/openid/connect/pull-requests/745 Simplified rewrite of Claims Aggregation
Nat: This pulls out the VP specific things, making the core simpler.
Mike: Will read and either provide feedback or merge quickly.
## OpenID Connect Relying Party Metadata Choices
### https://github.com/openid/rp-metadata-choices/issues/4 Missing choice parameters
Filip: Did an implementation, noticed that there are parameters that could
be added.
Mike: Working on a PR for this. Should be done today.
### https://github.com/openid/rp-metadata-choices/issues/2 Interoperability concerns with older deployments
Mike: The issue is that older deployments wouldn't understand the multiple
values, so suggestion is to add guidance (not a MUST) to include a single
value.
Filip: If this is done, guidance is then also needed to ignore the single
value for conforming deployments.
Mike: Intends to raise a PR for this soon.
## OpenID Provider Commands
https://github.com/openid/openid-provider-commands/issues
### Update from Dick
- Did a PR for roles, pushed this morning.
- Did another PR based on Aaron's feedback from old issues.
- Asked about the action item from the last call to email the security
team. Contact info for the University of Stuttgart researchers was shared
and Dick later sent the email during this call.
- Posted to list ideas around notifications: RP needs a way to notify
OP that long-running operations complete asynchronously, and that its
metadata has changed, synchronously. New idea is to split notifications:
sync vs async.
### Sync vs Async Notifications Discussion
George: Raised the concern that async looks similar to and perhaps overlaps
with SSF. He suggested that perhaps an SSF profile could describe commands,
or perhaps the OP Commands spec could add guidance to describe how to use
SSF as the transport. Raised the idea of trying to map commands onto an SSF
set.
Dick: Responds that the goal is to align commands with an ID Token rather
than an SSF set.
Aaron: Makes the point that the value of OP commands is that it is
lightweight and leverages the existing relationship between OP and RP. He
cautions against adding complexity, such as async notifications. Broadening
the scope could undermine the value of commands.
Dick: Responds that the feedback from implementers has been that they need
this. Agrees on the overall goal of simplicity.
Aaron: Returns to the larger point, that we need to avoid adding new trust
relationships or authentication mechanisms.
George and Aaron: Suggest the use of the existing client id and secret.
Dick: Notes that some clients aren't confidential. Not requiring a secret
can be valuable for ease of use/getting started.
George: Suggests that in the interest of simplicity of OP Commands,
requiring a confidential client might be the right tradeoff.
Mike: Asks that we continue the discussion on the list.
## OpenID Federation Wallet Architectures
### https://github.com/openid/federation-extended-listing/pull/10 Editorial pass
Mike: Reviews requested. (Mostly editorial, but much text changed.)
## OpenID Federation
### https://github.com/openid/federation/pull/197 All claims we list as possible in an Entity Statement should be listed in section 3
Mike: Reviews requested, appears to be editorial.
### https://github.com/openid/federation/pull/198 It is specifically the trust_mark_id claims that matters
Mike: Reviews requested.
### https://github.com/openid/federation/pull/200 Clarify requirement for exp time in Trust Anchor Entity Configuration
Mike: Reviews requested.
### https://github.com/openid/federation/issues/194 Suggest renaming trust_mark_id to better reflect its meaning
Mike: Discuss this in person at interop event.
### https://github.com/openid/federation/issues/196 [policy operators] subset_of and essential example table wrong
Mike: Asks for Vladimir's input on this issue.
### https://github.com/openid/federation/issues/192 Trust Chain for Trust Anchor?
Marcus: Will add clarifying remarks to the conformance test suite.
### https://github.com/openid/federation/issues/193 Concerns around the practicality of the requirement for an empty json object on present entity type identifiers
Mike: Discuss this in person at interop event.
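Added example, not part of the minutes above and not code from the OpenID working group or the RP Metadata Choices draft: a sketch of how an OP could act on the interoperability guidance discussed under issue 2, where a client publishes a multi-valued choice parameter alongside a single-valued legacy parameter, older deployments only read the single value, and conforming deployments ignore the single value when the choice parameter is present. The parameter names `token_endpoint_auth_methods_supported` (the assumed choice parameter) and `token_endpoint_auth_method` (from OpenID Connect Dynamic Client Registration) and the sample metadata are assumptions made for the illustration.

```python
"""Illustrative OP-side selection of a client's token endpoint auth method
when the client registration carries both a multi-valued choice parameter
and a single-valued legacy parameter. Example code only; parameter names
and sample data are assumptions, not taken from the draft specification."""

# Assumed parameter names (not confirmed by the minutes or the draft).
MULTI = "token_endpoint_auth_methods_supported"  # assumed choice parameter
SINGLE = "token_endpoint_auth_method"            # OIDC Dynamic Client Registration
OIDC_DEFAULT = "client_secret_basic"             # default when SINGLE is absent


def choose_auth_method(rp_metadata, op_supported, understands_choices=True):
    """Return the auth method the OP will require of this client, or None.

    op_supported: methods the OP accepts.
    understands_choices=False models an older deployment that does not know
    the multi-valued parameter and therefore only sees the single value.
    A conforming deployment honours the RP's preference order in MULTI and,
    per the guidance discussed, ignores SINGLE entirely when MULTI is present.
    """
    choices = rp_metadata.get(MULTI)
    if understands_choices and choices is not None:
        if not isinstance(choices, list) or not all(isinstance(c, str) for c in choices):
            raise ValueError(f"{MULTI} must be a JSON array of strings")
        for method in choices:          # RP preference order
            if method in op_supported:
                return method
        return None                      # no overlap: registration should fail
    single = rp_metadata.get(SINGLE, OIDC_DEFAULT)
    return single if single in op_supported else None


def single_value_consistent(rp_metadata):
    """Sanity check for RP authors (my own suggestion, not spec text): the
    single value offered to older deployments should be one of the listed
    choices, otherwise old and new OPs would bind the client to methods the
    RP never agreed to offer together."""
    choices = rp_metadata.get(MULTI)
    if not choices:
        return True                      # nothing to be inconsistent with
    return rp_metadata.get(SINGLE, OIDC_DEFAULT) in choices


# Constructed sample registration request and OP capabilities.
RP_METADATA = {
    "client_id": "example-rp",
    MULTI: ["private_key_jwt", "client_secret_jwt", "client_secret_basic"],
    SINGLE: "client_secret_basic",
}
OP_SUPPORTED = ["client_secret_basic", "client_secret_post", "client_secret_jwt"]

if __name__ == "__main__":
    print("conforming OP picks:", choose_auth_method(RP_METADATA, OP_SUPPORTED))
    print("older OP picks:     ", choose_auth_method(RP_METADATA, OP_SUPPORTED, understands_choices=False))
    print("single value consistent:", single_value_consistent(RP_METADATA))
```

The two code paths give different answers for the same registration (the conforming OP takes the client's highest-ranked method it supports, the older OP takes the single value), which is exactly the behaviour the guidance has to make explicit so that both kinds of deployment end up with a method the client actually implements.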