[Openid-specs-ab] Draft Connect WG Meeting Notes for 2025-09-15

Nat Sakimura nat at sakimura.org
Tue Sep 16 19:41:53 UTC 2025


Dear AB/Connect WG:
Below are the meeting notes from the 2025-09-15 Pacific meeting. The wiki version
can be found at
https://bitbucket.org/openid/connect/wiki/Connect_Meeting_Notes_2025-09-15_Pacific

Please let me know if something needs to be fixed.

Connect WG Meeting Notes

   - *Date:* 2025-09-15
   - *Time:* 22:58-23:28 UTC
   - *Chair:* Nat Sakimura

Attendees

   - Nat Sakimura (Chair)
   - Andrii Deinega
   - Naveen CM
   - Bjorn Hjelm
   - Michael Fraser
   - Aaron Parecki

Meeting Opening

   - Standard OpenID Foundation antitrust and IPR policy acknowledgements
   were reviewed
   - Nat noted that this is SC27 week and that there was a memorial service
   for Andrew Nash; Mike Jones is traveling home from it and has been contacted
   regarding his absence

Ongoing and Upcoming Events

   - *ISO/IEC JTC 1/SC 27:* On Information security, cybersecurity and
   privacy protection
   - *ISO/IEC JTC 1/SC 44:* On Consumer protection in the field of privacy
   by design
   - *IIW (Internet Identity Workshop):* OpenID Foundation workshop on
   Monday before the main event
   - *OpenID Foundation Board Meeting:* Thursday/Friday during IIW (offsite)
   - *Authenticate Conference:* Week prior to IIW
   - *IETF Meeting:* Two weeks after IIW
   - *Web Conference Lisbon:* One week after IETF

Key Discussion Items

1. OpenID Connect Key Binding Specification

   - *Status Update:* Mike Jones sent out call for adoption for new draft
   specification just before the meeting
   - *Next Steps:* Discussion to continue on mailing list
   - *Current State:* Mixed arguments but no substantial opposition observed

2. Pull Request - CryptoJS Removal (Andrii Deinega)

   - *PR Link:*
   https://bitbucket.org/openid/connect/pull-requests/753?link_source=email
   - *Description:* Minor PR to remove dependency on CryptoJS library
   - *Rationale:* CryptoJS is discontinued; modern JavaScript provides
   native cryptographic capabilities
   - *Status:* Mike Jones approved weeks ago; seeking additional approvals
   for Thursday call merge
   - *Impact:* Very minor change, can wait if needed

3. Session Quota Management Proposal (Andrii Deinega)

   - *Issue Link:*
   https://bitbucket.org/openid/connect/issues/2184/openid-connect-and-user-session-quotas-at
   - *Background:* Previously discussed but deprioritized due to other
   urgent topics
   - *Core Concept:*
      - Allow RPs to specify session quota requirements in authorization
      requests
      - Enable OPs to manage and enforce session limits (e.g., max 1-2
      sessions per user)
      - Provide flexibility for OPs to implement policies and user choices
      when quotas are reached
   - *Benefits:*
      - Simplifies RP implementation by moving session management logic to
      OP
      - Eliminates need for RPs to store user session information
      - Provides more flexibility in quota enforcement policies
   - *Use Case:* Financial institutions requiring single-device sessions
   for security
   - *Feedback Requested:* Working group input on proposal viability
   - *Action:* Continue discussion in the GitHub issue

4. OpenID Federation Issues (Michael Fraser)

Three issues raised for working group attention:
Issue #246

   - *Link:* https://github.com/openid/federation/issues/246
   - *Topic:* Entity statement claim restrictions
   - *Concern:* Current specification is overly permissive, allowing claims
   that should never have policies (e.g., client_secret)
   - *Request:* Discussion on whether certain claims should be explicitly
   banned

Issue #247

   - *Link:* https://github.com/openid/federation/issues/247
   - *Topic:* Trust marks text clarification
   - *Status:* Pull request in progress for text improvements

Issue #249

   - *Link:* https://github.com/openid/federation/issues/249
   - *Topic:* Trust mark status endpoint error handling
   - *Problem:* No guidance for handling trust marks sent to non-issuing
   parties
   - *Discussion:* Two approaches proposed:
      - Follow introspection pattern (return active: false for unknown
      tokens)
      - Define specific error codes for unknown trust marks
   - *Participants:* Discussion ongoing with Gabrielle Zachman
   - *Request:* Working group input on preferred approach

Administrative Notes

   - *Certification Team Update:* Gail requested an update on the
   Federation spec finalisation timeline, but no certification team members
   were present

Action Items

   1. *All:* Continue OpenID Connect key binding specification discussion
   on mailing list
   2. *Working Group:* Review and provide feedback on Andrii's session
   quota management proposal (Issue #2184
   <https://bitbucket.org/openid/connect/issues/2184/openid-connect-and-user-session-quotas-at>
   )
   3. *Working Group:* Review Michael's three OpenID Federation issues (#246,
   #247, #249) and provide input
   4. *Nat:* Schedule follow-up discussion with Bjorn regarding SC27 topics
   5. *Working Group:* Continue discussions in respective GitHub issues
   rather than requiring meeting time

Next Meeting

   - Standard weekly schedule continues