[Openid-specs-ab] AB/Connect WG (Pacific) Notes - 2025-06-23

Nat Sakimura nat at sakimura.org
Mon Jun 23 23:56:26 UTC 2025


OpenID Connect AB/Connect WG Meeting Notes

*Date:* 2025-06-23T23:00Z
*Meeting Type:* AB/Connect Working Group Call
*Meeting Co-Chairs:* Michael Jones, Nat Sakimura
*Note Taker:* Nat Sakimura

Attendees

   - *Michael Jones* (Co-Chair)
   - *Nat Sakimura* (Co-Chair, Note taker)
   - *Nick Watson* (Google) - New to standards world, attended IETF Bangkok
   (March 2025), planning to attend Madrid IETF 123
   - *Agus Lie* (PlayStation/Sony) - First time in working group call,
   works on identity and authentication operations
   - *Edmund Jay* (Author of ephemeral subject identifier spec)
   - *Tom Jones* (Joined later in meeting)
   - *Andrii Deinega*

Administrative Items

Code of Conduct & Policies

   - *Code of Conduct:* Reminder to treat each other with respect
   - *Antitrust Policy:* Standard reminder
   - *IPR Agreement:* All participants should have signed if sending to
   mailing list

Upcoming Events

   - *IETF 123 Madrid:* July 19-25, 2025
   - *Submission Deadline:* New specification drafts must be submitted in 2
   weeks (by July 7, 2025)

New Member Introductions

Nick Watson (Google)

   - Maintains server-side human user OAuth IDP for Google
   - New to standards world, attended first IETF in Bangkok (March 2025)
   - Will attend Madrid IETF 123
   - Working on upcoming OAuth working group drafts (to be shared within
   1-2 weeks)
   - Brought question about representing infinite duration in specifications

Agus Lie (PlayStation/Sony)

   - Works on identity and authentication operations for PlayStation and
   Sony services
   - Based in San Diego (part of server development team)
   - Attended IdentityFirst conference in Las Vegas (June 2025)
   - PlayStation has been using OpenID-based integrations since PS4 (early
   stage, some non-compliance)
   - PS5 implementation more standards compliant, though gaps remain due to
   backward compatibility needs

Technical Discussion

Infinite Duration Representation (Nick Watson)

*Issue:* How to represent infinite lifetime for tokens/sessions across
specifications

*Background:*

   - Applicable to refresh token expiration draft (OAuth working group)
   - Also relevant to IPSIE working group session lifetime specification
   - Question about distinguishing between "infinite expiration" vs "spec
   not supported"

*Michael Jones' Recommendation:*

   - *Primary approach:* Omit the expiration claim entirely if no expiration
   - Spec should explicitly state that omitted claim means no lifetime bound
   - For JWTs: Use explicit typing with typ value to declare intentional
   JWT production
   - For non-JWT cases: Use authorization server metadata to indicate spec
   support

*Resolution:* Nick will draft specification language following this approach

Active Specifications Status

1. OpenID Connect Relying Party Metadata Choices

   - *Status:* Currently in member vote for Implementer's Draft approval
   - *Action:* Members reminded to vote at
   https://openid.net/foundation/members/polls/367
   - *Note:* Minimum participation threshold required; abstention
   acceptable if not reviewing

2. OpenID Connect Claims Aggregation

   - *Status:* Published at
   https://openid.net/specs/openid-connect-claims-aggregation-1_0-03.html
   - *Authors:* Nat Sakimura and Edmund Jay present
   - *Next Steps:*
      - Requesting community reviews of current simplified draft
      - Planning for public review in near future
   - *Action:* Community review requested

3. OpenID Connect Ephemeral Subject Identifier

   - *Status:* Recently adopted
   - *Repository:* Created at
   https://github.com/openid/connect-ephemeral-sub/
   - *Progress:*
      - Edmund Jay has populated repository with initial version and tooling
      - Automatic builds configured
      - *Next Step:* Publish initial working group specification to
      openid.net/specs
   - *Plan:*
      - Publish adopted version first
      - Add rationale in subsequent version
   - *Action:* Edmund Jay creating publication draft, will request PR
   approval

*Use Cases Discussed (Nat Sakimura):*

   - Age verification scenarios (prove over 21 without being able to
   correlate the two visits)
   - Prevents merchant tracking across multiple visits
   - Supports *ISO/IEC 27551:2021:* "Information security, cybersecurity
   and privacy protection — Requirements for attribute-based unlinkable entity
   authentication"
   - *Link:* https://www.iso.org/standard/72018.html
   - Developed with Pascal Paillier (Paillier cryptosystem author)

*Additional Use Case (Tom Jones):*

   - Never use anything but ephemeral IDs
   - Attach appropriate credentials for the current connection duration
   - Functions as a session ID for transaction-specific interactions
   - Supports wallet scenarios where a temporary identity is needed without
   long-term tracking

4. OpenID Connect Enterprise Extensions

   - *Status:* Published at
   https://openid.net/specs/openid-connect-enterprise-extensions-1_0.html
   - *Next Steps (from Dick Hardt's email):*
      - Need PR to OpenID Provider Commands to reference tenant claim
      definition
      - Aaron is planning PR in IPSIE to reference enterprise extensions
   - *Integration:* Planning integration with OP Commands and IPSIE specs

5. OpenID Connect Native SSO for Mobile Apps

   - *Status:* George Fletcher sent update message to list
   - *Issue:* No responses received as of meeting time
   - *Action:* Michael Jones will reach out to implementers (e.g.,
   Vladimir) for feedback

6. OpenID Provider Commands

   - *Status:* Dick Hardt reported "PR available" in email update
   - *Next Steps:* Review and process pending PR

7. OpenID Federation

   - *Status:* No new issues since last meeting
   - *Progress:* Full issue review completed after interop event with
   proposed resolutions
   - *Pending:* Michael Jones and Roland to create PRs for issue resolutions

8. Additional Active Specifications

   - OpenID Federation Extended Subordinate Listing
   - OpenID Federation Wallet Architectures

Membership Information

   - *Individual Membership:* $50 fee
   - *Corporate Membership:* Available for companies
   - *Voting:* Members can vote on specification approvals

Key Action Items

   1. *Nick Watson:* Draft specification language for infinite duration
   representation
   2. *Edmund Jay:* Create publication draft for ephemeral subject
   identifier spec
   3. *Michael Jones:* Approve Edmund's PR when ready
   4. *Community:* Review OpenID Connect Claims Aggregation draft
   5. *Members:* Vote on Relying Party Metadata Choices if not already done
   6. *Michael Jones:* Contact implementers for Native SSO mobile apps
   feedback
   7. *Michael Jones & Roland:* Create PRs for OpenID Federation issue
   resolutions

Next Meeting

   - *Date:* Thursday (different time to accommodate different participant
   timezones)
   - *Homework:* Participants encouraged to spend 30 minutes reading active
   drafts
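
The decision rule from the Infinite Duration Representation discussion, sketched from the consumer's side as an added example (not part of the original notes or of any draft): a missing expiration means "no lifetime bound" only when the issuer has declared the spec, through `typ` for JWTs or through authorization server metadata otherwise. The `typ` value, the metadata key and the expiry field name are hypothetical placeholders, and the JWT signature is assumed to have been verified before this code runs.

```python
import base64
import json

# Hypothetical names: the notes give no typ value, metadata key or field name.
EXPLICIT_TYP = "example-lifetime+jwt"
METADATA_FLAG = "example_lifetime_spec_supported"
EXPIRY_FIELD = "example_expires_in"


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def jwt_lifetime(compact_jwt):
    """Classify a JWT whose signature has ALREADY been verified elsewhere."""
    header_b64, payload_b64, _sig = compact_jwt.split(".")
    header, payload = _b64url_json(header_b64), _b64url_json(payload_b64)
    if "exp" in payload:
        return ("bounded", payload["exp"])
    if header.get("typ") == EXPLICIT_TYP:
        return ("unbounded", None)  # omission is intentional under the spec
    return ("unknown", None)        # issuer never declared the spec


def opaque_lifetime(token_response, as_metadata):
    """Same decision for a non-JWT token, keyed on server metadata."""
    if EXPIRY_FIELD in token_response:
        return ("bounded", token_response[EXPIRY_FIELD])
    if as_metadata.get(METADATA_FLAG) is True:
        return ("unbounded", None)
    return ("unknown", None)        # cannot tell "infinite" from "unsupported"


def make_jwt(header, payload):
    """Build a constructed sample token (placeholder signature) for the demo."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.constructed-signature"


if __name__ == "__main__":
    typed = {"alg": "ES256", "typ": EXPLICIT_TYP}
    print(jwt_lifetime(make_jwt(typed, {"sub": "a"})))
    print(jwt_lifetime(make_jwt({"alg": "ES256"}, {"sub": "a"})))
    print(opaque_lifetime({"refresh_token": "constructed"}, {}))
```

Treating the "unknown" result as a short or default lifetime, rather than as unbounded, keeps a token from an issuer that does not implement the spec from being accepted indefinitely.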