[Openid-specs-ab] Minutes from 2025-11-20 Connect WG Call
Frederik Krogsdal Jacobsen
frederik.krogsdal at idura.eu
Thu Nov 20 16:20:17 UTC 2025
- Meeting attendees: Mike Jones, Frederik Krogsdal Jacobsen, Chris Phillips, Joe DeCock, Roland Hedberg, John O’Leary, Filip Skokan, Pam Dingle, Łukasz Jaromin, Aaron Parecki, George Fletcher, Samuel Rinnetmäki, Stefan Santesson, Rachel O’Connell
  - John O’Leary is new to the group. He is interested in AuthZEN and is sitting in to get acquainted with OpenID specs and work in general.
- Date and time of meeting: November 20th, 2025
- Agenda: The agenda sent by Mike before the meeting was accepted with no changes.
- Events:
  - W3C TPAC was last week. WebAuthn level 3 will probably be published soon. FedCM developed a bit. There is an idea there about putting unmodified Connect flows into FedCM.
  - OSW: Are there any updates about it? No.
  - TIIME will have an OpenID Federation workshop (https://tiime-unconference.eu/). They will host an interop event on their testbed during this. Time and location: February 9-13 2026, Amsterdam. Niels van Dijk reports that he is co-chairing the Federation Interop at TIIME with Davide Vaghetti from GARR.
- OpenID Federation
  - Almost ready for 1.0.
  - Almost all issues and PRs are now done.
  - Choice of trust anchors:
    - Stefan: Is there normative language that requires anyone to take action?
    - Mike: There is normative language defining the mechanism. The RP MAY choose at registration time to pass along the trust chains. It is optional for the RP to do so. The OP MAY ignore the trust chains.
    - Stefan: The main thing is that we don’t impose any requirements that someone trust someone else. Everyone should be able to make their own trust decisions.
    - Mike: That is still the case. See https://openid.github.io/federation/main.html#section-4.4
    - Roland: The mechanism here is that the RP says: “I would like to use this trust anchor”. The OP is free to not do so if it does not trust that anchor for some reason.
  - Mike: The editors now believe that it is time to start the 2 week working group last call to move Federation 1.0 to Final. Nobody was opposed to this at the meeting.
    - Mike will try to fix any spelling and grammar errors etc. then start the working group last call on the new draft.
  - Issue 290:
    - https://github.com/openid/federation/issues/290
    - Mike: I am in favor of defining a small number of reasons for trust mark revocation in the spec, to mirror the historical keys revocation reasons.
    - Stefan: In X509, this was over-engineered. I’m not aware of any good reasons to be too granular about this. It is unlikely to be used a lot, so don’t put too much effort into defining too many reasons.
  - PR 289:
    - https://github.com/openid/federation/pull/289
    - Mike: This is a mix of good editorial changes and model changes. I have asked the author to remove the model changes.
  - Issue 288:
    - https://github.com/openid/federation/issues/288
    - There are multiple very long comments on the issue.
    - This was a very long discussion with many technical opinions. The notes below are a brief summary.
    - Mike: Can we have a unified client ID syntax model across OAuth and OpenID? No, because other specs have defined things in a way that makes client ID prefixes not necessarily compatible. But Federation and VP actually happen to be compatible.
    - Łukasz: I don’t think it’s the right time to make this change now.
    - Pam: If we need two levels of discovery, we have a problem. How is an AS supposed to know what they’re using? We need to fix the problem now if there is one. The issue is that the client ID needs to be resolvable.
    - Mike: There is not a problem necessarily.
    - Stefan: Since the entity can also be resolved in other ways, I am not too scared. I am writing a draft with the missing piece, which is a way to discover subordinate entity statements using a top-down approach.
    - Łukasz: The tendency is that ecosystems decide in a non-machine-readable way. In the future, this will create interoperability problems.
- Native SSO for Mobile Apps
  - Mike: Vladimir requested a particular set of changes in an email titled “Re: [Openid-specs-ab] Next steps for the Native SSO for Mobile Apps specification” on November 11.
  - George: I did not see it yet, but I will respond to his email.