[Openid-specs-ab] Meeting Notes (2025-03-27)

Nat Sakimura nat at nat.consulting
Fri Mar 28 03:39:24 UTC 2025


OpenID Connect Working Group Meeting Notes

Date: 2025-03-27
Location: Zoom
Attendees

   - Michael Jones
   - Nat Sakimura
   - Dick Hardt
   - Filip Skokan
   - Łukasz Jaromin (Raidiam)
   - George Fletcher

1. Security Vulnerability Discussion

Mike shared that the OAuth working group will be addressing security fixes
for the authorization server audience vulnerability (RFC 7523
<https://datatracker.ietf.org/doc/html/rfc7523>) based on discussions at
the just-completed IETF meeting. The document requires that the audience
be the issuer identifier.

Brian Campbell wanted to do as little as possible tactically, and got a
working group vote to update the places with active vulnerabilities
(private key JWT audience). Brian did not want to update the SAML
assertions document (preferring to mark it as obsolete) or update the
client authentication JWT to require a particular audience value.  See the IETF
122 OAuth materials <https://datatracker.ietf.org/meeting/122/proceedings>
for more details.

Link to vulnerability notice:
https://openid.net/notice-of-a-security-vulnerability/

2. Web Crypto API & JOSE/COSE Algorithms

Filip Skokan sent an email about Web Crypto API updates (
https://mailarchive.ietf.org/arch/msg/jose/DaWEIOC7j3rOkHxR07_Vh9kntVY/).
The update draft will be going into the Web Incubator Community Group
(WICG).

Key points:

   - The Web Crypto update draft will not register new JWK types (Kty values)
   - It depends on what is specified in COSE and JOSE for lattice-based
     algorithms
   - It can reuse whatever is in the respective COSE or JOSE draft
   - It builds on the Algorithm Key Pair (AKP) key type being introduced

Discussion on Dilithium
<https://datatracker.ietf.org/doc/draft-ietf-cose-dilithium/> private key
formats:

   - NIST's ML-DSA (Dilithium) submission has two possible formats for
     private keys
   - The "seed" format and the "expanded" private key form
   - Previously JOSE and COSE were using the seed because it was smaller
   - Some HSMs are already shipping using only the expanded form
   - The LAMPS working group
     <https://datatracker.ietf.org/wg/lamps/documents/> in IETF is making the
     private key format a union of both options

Link to relevant draft:
https://datatracker.ietf.org/doc/draft-ietf-cose-dilithium/

Link to relevant COSE PR:
https://github.com/cose-wg/draft-ietf-cose-dilithium/pull/16

Mike mentioned that coordination between Web Crypto API, JOSE, and LAMPS is
occurring through people in the intersection of these groups.

Filip raised concerns about the potential explosion of applicable JWS
algorithms for ID Token. He recommended that the Web Crypto API extension
author not make new algorithm registrations for JWS and JWE, but only make
registrations where necessary for JWK.

3. Fully-Specified Algorithms Draft

The fully specified algorithms draft is advancing and now in IESG Review.
It's scheduled for the IESG telechat on Tuesday, May 8th.

This draft matters for both Connect and FAPI. FAPI 2 references it for when
it's approved to use the Ed448 algorithm registration.

Link:
https://datatracker.ietf.org/doc/draft-ietf-jose-fully-specified-algorithms/

4. Extended Authorization Profile (EAP) Working Group

Mike provided an update on the EAP working group:

   - Previously dormant after token binding work became defunct
   - Had work on ACR values for phishing-resistant authentication
   - These values have been stable for years but not registered in the IANA
     Registry
   - Mike created XSD files for authorization contexts (required for
     registration)
   - The "phr" (phishing-resistant) and "phrh" (phishing-resistant
     hardware-backed) values are now registered in the IANA LoA Profiles
     registry
     <https://www.iana.org/assignments/loa-profiles/loa-profiles.xhtml>
   - The work is now in a 2-week working group last call

ACR values registered:

   - phr - phishing resistant
   - phrh - phishing resistant hardware backed

Link to working group announcement:
https://lists.openid.net/pipermail/openid-specs-eap/Week-of-Mon-20250324/000106.html

5. Native SSO Update

George Fletcher provided a brief update on Native SSO
<https://openid.net/specs/openid-connect-native-sso-1_0.html>:

   - Current mechanisms are covered in Draft 7
   - Plan is to rewrite/restructure the draft, but work hasn't started yet
   - Several people have expressed interest in contributing to this work

Link: https://openid.net/specs/openid-connect-native-sso-1_0.html

6. OpenID Provider Commands Draft

Dick Hardt reported that he managed to sort through the draft check for the
OpenID Provider Commands draft.

Mike explained that the OpenID Foundation has commissioned a tool to check
document formats before publishing to openid.net/specs. Mark Haine has led
the development of this tool. Dick used the tool before its formal release
and encountered some challenges.

Next steps:

   - Mike will investigate with Mark whether the draft is publishable through
     the tool or needs manual publication
   - Dick will send an email with issues for discussion to the mailing list
   - The process for PRs requires discussion in issues first, then creating
     PRs that need 3 approvals and a week of review time

Link to repo: https://github.com/openid/openid-provider-commands

7. OpenID Federation

Current activities:

   - Pull request #191 needs one more approval:
     https://github.com/openid/federation/pull/191
   - The Foundation is holding an in-person interop event hosted by SUNET in
     Stockholm at the end of April
   - About 25 people with approximately 12 implementations are expected to
     attend
   - Łukasz will work on test scenarios and use cases for the interop event

Link to Federation interop announcement:
https://openid.net/openid-federation-interop-apr-28-30-2025/

8. Coordination with DCP Working Group

There's a need for coordination between the Connect working group and the
DCP working group:

   - DCP is trying to finish OpenID4VP 1.0 spec soon for the European
     Commission reference
   - Brian Campbell has a PR <https://github.com/openid/OpenID4VP/pull/401>
     that would change client_id values used in OpenID4VP with OpenID Federation
   - Aaron Parecki has a PR <https://github.com/openid/OpenID4VP/pull/468> on
     this PR to make it better aligned with OpenID Federation
   - Discussion will continue in next week's calls
   - DCP plans to discuss this on their Tuesday call
   - Connect plans to discuss it on its Thursday call

Relevant links:

   - https://github.com/openid/OpenID4VP/pull/401
   - https://github.com/openid/OpenID4VP/pull/468

9. Action Items

   1. Mike will work with Mark Haine to publish the OpenID Provider Commands
      draft
   2. Dick will send an email with issues for discussion to the mailing list
   3. Łukasz will review PR #191
      <https://github.com/openid/federation/pull/191> for OpenID Federation
   4. Łukasz will work on test scenarios for the Federation interop event
   5. Aaron will be asked about setting up weekly repository activity summary
      e-mails for Connect WG repositories

10. Next Meetings

The next meeting will be the Monday (Pacific Time) Pacific-friendly call.

Next Thursday's (Pacific Time) Atlantic-friendly meeting will include
discussions on coordination with the DCP working group regarding client ID
values in OpenID4VP and OpenID Federation.
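Added example (not part of these meeting notes and not code from any of the groups mentioned): item 1 above records that RFC 7523 requires the audience of a JWT client assertion to be the authorization server's issuer identifier. The check below shows what a token endpoint would enforce on the decoded claims of a private_key_jwt assertion to meet that requirement strictly: the aud claim must be exactly the issuer identifier, a single value, with nothing else accepted. The issuer identifier, token endpoint URL, client_id, and sample claims are constructed for illustration, and the code assumes the caller has already verified the assertion signature against the client's registered key.

```python
"""Strict audience validation for JWT client assertions (constructed example).

Assumptions, not taken from the meeting notes: the authorization server's
issuer identifier is https://as.example.com, its token endpoint is
https://as.example.com/token, and the assertion's signature has already been
verified by the caller with the client's registered key.
"""
import time

ISSUER_IDENTIFIER = "https://as.example.com"       # constructed value
TOKEN_ENDPOINT = "https://as.example.com/token"     # constructed value
CLIENT_ID = "s6BhdRkqt3"                             # constructed value


def _normalize_aud(aud):
    """Return aud as a list of strings (JWT allows a string or an array),
    or None when the claim is malformed."""
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return aud
    return None


def validate_client_assertion_claims(claims, *, issuer_identifier, client_id,
                                     now=None, max_lifetime=300):
    """Validate the claims of a client authentication JWT.

    Returns (True, "ok") when the assertion is acceptable, otherwise
    (False, reason). max_lifetime is a local policy knob, not a spec value.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != client_id:
        return False, "iss must equal the client_id"
    if claims.get("sub") != client_id:
        return False, "sub must equal the client_id"

    aud = _normalize_aud(claims.get("aud"))
    if aud is None:
        return False, "aud missing or malformed"
    # Core check: the audience must be exactly the AS issuer identifier.
    # Comparing against the one-element list rejects endpoint URLs and any
    # assertion that carries additional audience values.
    if aud != [issuer_identifier]:
        return False, "aud must be exactly the authorization server issuer identifier"

    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return False, "exp missing or malformed"
    if exp <= now:
        return False, "assertion expired"
    if exp - now > max_lifetime:
        return False, "assertion lifetime exceeds local policy"

    # OpenID Connect Core requires jti for private_key_jwt; a replay cache
    # keyed on it would sit here (omitted in this example).
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        return False, "jti missing"
    return True, "ok"


def make_claims(aud, now, client_id=CLIENT_ID):
    """Build a constructed claim set with the given audience."""
    return {"iss": client_id, "sub": client_id, "aud": aud,
            "exp": now + 60, "iat": now, "jti": "constructed-jti-1"}


def demo(now=1_700_000_000):
    """Run three constructed assertions through the check."""
    cases = {
        "issuer": make_claims(ISSUER_IDENTIFIER, now),
        "token_endpoint": make_claims(TOKEN_ENDPOINT, now),
        "issuer_plus_extra": make_claims([ISSUER_IDENTIFIER, "https://other.example.net"], now),
    }
    return {name: validate_client_assertion_claims(
                c, issuer_identifier=ISSUER_IDENTIFIER, client_id=CLIENT_ID, now=now)
            for name, c in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'} ({reason})")
```

Only the assertion whose aud is exactly the issuer identifier is accepted; an aud of the token endpoint URL, or of the issuer identifier plus any extra value, is rejected. Signature verification, the jti replay cache, and the lifetime limit are deployment choices outside what the notes state.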