[Openid-specs-ab] Meeting notes from 19-Jun-25 Connect WG call

Frederik Krogsdal Jacobsen frederik.krogsdal at criipto.com
Thu Jun 19 14:44:07 UTC 2025


Attendees:
Mike Jones, Avalur Venkata Monika, Frederik Krogsdal Jacobsen, Chris
Phillips, Brian Campbell, Joseph Heenan

External events:

   - IETF 123 in Madrid, July 19-25, 2025
      - Submission deadline is July 7th


New working group specification:

   - OpenID Connect Enterprise Extensions


RP Metadata Choices:

   - Review to become an implementer's draft ends in 8 days
   - Voting will start soon


EAP ACR values:

   - Passed the vote and is now a final specification
   - It defines two new acr_values for phishing-resistant authentication
   - It also defines a new authentication method value indicating that
   proof-of-possession was used


Connect Claims Aggregation:

   - Was republished, but it is unclear what the next steps are (the
   authors were not present)


Enterprise Extensions:

   - Published
   - Defines a "tenant" claim, which is relevant for IPSIE and OP commands
   - Next steps might involve integration into OP commands


Ephemeral Subject Identifier:

   - Call for adoption ended today
   - Nat added some information about motivation and the relation to SAML
   on the mailing list
   - There is a proof in an ISO specification that ephemeral subject
   identifiers guarantee certain properties
   - Nat will add motivation to the spec after adoption
   - There was only positive feedback, so it will be adopted


Deferred Token Response:

   - Can be taken off as an active discussion point until further
   motivation appears on the list
   - There is ongoing discussion about use cases - let Frederik know if you
   are interested in participating
   - DCP group has stabilized the Deferred Credential Response flow, so it
   can be used as inspiration


OpenID Federation:

   - Open issues and proposed resolutions were discussed after interop event


Other business:

   - Congrats to Aaron for getting some OAuth/OIDC into the new MCP
   specification.
      - Link:
      https://www.linkedin.com/posts/aaronparecki_modelcontextprotocol-mcp-oauth-activity-7341285511312887808-mRYo
   - Question on OpenID Federation: what is issue #100 about?
      - Researchers at University of Stuttgart have identified that if you
      do a federation flow where the RP and OP choose different trust anchors,
      you don't get federation integrity, i.e. you don't share a common trust
      infrastructure.
      - This is only possible because inter-federation and membership in
      multiple federations is allowed.
      - There is a proposal to add a trust path, i.e. a sequence of entity
      IDs, in a call such that you can verify that you use a common trust
      anchor.
      - There is a discussion with the researchers about redoing the
      security analysis. The editors of the spec intend to address all
      security-relevant PRs and new features before redoing the analysis.
      Gail is managing the scope of this.
      - Chris: It is similar to proxying: how do I know which rule set to
      follow? The "standard" solution is to use the union of both rule sets.
      But how do you know that the policy of the two trust anchors is
      compatible?
      - Where should the issue be discussed? It can happen in the WG call,
      in the GitHub issues, etc.
   - Another interoperability event is planned - either in person or online


Best regards,
*Frederik Krogsdal Jacobsen*
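The issue #100 discussion above concerns two trust paths (the RP's and the OP's) that resolve to different trust anchors. The following is an added illustration of that check, written for these notes; it is not code from the OpenID Federation specification, the working group, or any implementation. It models a trust path as a plain list of entity IDs ending at the trust anchor it was resolved against and asks whether the RP and the OP share an anchor that the verifier also accepts. All entity IDs, the function names, and the "accepted anchors" configuration are constructed assumptions for the example.

```python
"""Added example: does an RP's trust path and an OP's trust path end at a
common, accepted trust anchor?  Not code from the OpenID Federation spec.
All entity IDs below are constructed for illustration."""
from typing import Iterable, Optional, Sequence
from urllib.parse import urlparse

# A trust path is modelled (assumption) as a sequence of entity IDs,
# leaf entity first and the trust anchor it resolves to last.
TrustPath = Sequence[str]


def check_path_shape(path: TrustPath) -> None:
    """Reject paths that cannot be a valid chain: too short, entity IDs
    that are not https URLs, or a repeated entity (a loop)."""
    if len(path) < 2:
        raise ValueError("a trust path needs at least a leaf and a trust anchor")
    for entity_id in path:
        parsed = urlparse(entity_id)
        if parsed.scheme != "https" or not parsed.netloc:
            raise ValueError(f"entity ID is not an https URL: {entity_id!r}")
    if len(set(path)) != len(path):
        raise ValueError("trust path contains a loop")


def trust_anchor(path: TrustPath) -> str:
    """The trust anchor a path was resolved against is its last element."""
    check_path_shape(path)
    return path[-1]


def common_trust_anchor(
    rp_paths: Iterable[TrustPath],
    op_paths: Iterable[TrustPath],
    accepted_anchors: Iterable[str],
) -> Optional[str]:
    """Return a trust anchor that both the RP and the OP can reach and that
    the verifier is configured to accept, or None if there is none.

    Each side may present several paths, because an entity can be a member
    of several federations (the situation that makes mismatched anchors
    possible in the first place).
    """
    accepted = set(accepted_anchors)
    rp_anchors = {trust_anchor(p) for p in rp_paths}
    op_anchors = {trust_anchor(p) for p in op_paths}
    shared = rp_anchors & op_anchors & accepted
    if not shared:
        return None
    # Deterministic pick when more than one anchor is shared; a real
    # deployment would apply its own preference order here.
    return sorted(shared)[0]


# Constructed entity IDs (not real federations).
RP = "https://rp.example.com"
OP = "https://op.example.org"
ANCHOR_A = "https://ta-a.example"
ANCHOR_B = "https://ta-b.example"
INTERMEDIATE_A = "https://intermediate-a.example"
INTERMEDIATE_B = "https://intermediate-b.example"


def mismatched_anchor_scenario() -> Optional[str]:
    """RP resolved via anchor A, OP via anchor B: no common trust
    infrastructure, so the check must fail (returns None)."""
    return common_trust_anchor(
        rp_paths=[[RP, ANCHOR_A]],
        op_paths=[[OP, INTERMEDIATE_B, ANCHOR_B]],
        accepted_anchors=[ANCHOR_A, ANCHOR_B],
    )


def multi_membership_scenario() -> Optional[str]:
    """The OP is also a member of federation A, so a path to anchor A
    exists on both sides and the check succeeds."""
    return common_trust_anchor(
        rp_paths=[[RP, ANCHOR_A]],
        op_paths=[[OP, ANCHOR_B], [OP, INTERMEDIATE_A, ANCHOR_A]],
        accepted_anchors=[ANCHOR_A, ANCHOR_B],
    )


if __name__ == "__main__":
    print("mismatched anchors:", mismatched_anchor_scenario())
    print("shared anchor:", multi_membership_scenario())
```

The point of the two scenarios is the one raised in the meeting: a shared anchor exists only because multi-federation membership supplies a second path, and the verifier still has to be configured to accept that anchor. Whether the metadata policies of two anchors are compatible (Chris's question) is a separate check that this example does not attempt.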