[Openid-specs-ab] Spec Call Notes 12-Sep-19

Mike Jones Michael.Jones at microsoft.com
Thu Sep 12 15:54:06 UTC 2019

Spec Call Notes 12-Sep-19

Nat Sakimura
Bjorn Hjelm
Mike Jones
Brian Campbell
George Fletcher
Bart Geesink - SURFnet
Marcos Sanz - de.nic - Works with Torsten
Torsten Lodderstedt
Hans Zandbelt
Roland Hedberg

OpenID Connect for Identity Proofing
              Torsten asked if it was time for progression to Implementer's Draft status
              We reviewed the identity proofing issues at https://bitbucket.org/openid/connect/issues?status=new&status=open&component=Assurance
              #1107: List other laws or trust services in the introduction
                           Editorial - request from OIDF Japan
              #1106: Link between Evidence and Claims
                           An extension to the syntax
              #1105: Support multiple verified_claims elements
                           Could be done in a non-breaking fashion later (Torsten and Marcos)
              #1100: Analyse ISO 29003
                           Torsten had a look at the doc, which Tony provided
                           Torsten doesn't know what specific changes to make
                           Perhaps Tony and Torsten can go over this together at IIW
              #1098: Add verification_score
                           Suggestion by Adam Cooper - the conversation appears to have gone silent
                           Would not be a breaking change
              #1097: Include Legal Persons
                           We agreed to address this post Implementer's Draft
              #1094: How to treat unknown identifiers in claims parameter
                           Mike added a reference to the JWS "crit" header parameter
              #1093: Extensibility: how do we support extensibility for trust frameworks, evidence types, verification methods and id documents?
                           We can use Discovery metadata to query for supported features
              #1088: register new claims in OAuth Token Introspection Response Registry
                           This can happen when the document is approved
              #1078: Identity Assurance - Incorporate EU/EC KYC Token work
                           A placeholder to talk to the EC
                           Nat will make the connections
              #1077: Identity Assurance - Need Input from other Jurisdictions
                           Ongoing work
                           Hope for feedback from Australia and Africa
              #1069: Identity Assurance Section 5.1 on reason for request
                           There is now a purpose mechanism that satisfies this need
                           Torsten will propose to close this issue on this basis
              #1068: Follow ISO rules (ISO Directive Part 2 and global relevance documents) on the drafting
                           Nat will do a review on this basis
              We decided that it is time for an Implementer's Draft vote
                           If there are no objections within a week, we'll start the Implementer's Draft review process

SURFnet OpenID Connect Proxy Certification Issues
              Bart explained that the SURFnet proxy to SAML IdPs passes policy to the upstream IdPs
              They always return an error from prompt=none because they don't know if the user is logged in or not
              They always reauthenticate in the max_age=10000 test
              Both of these are causing certification failures because they are not behaving in the expected fashion
              Hans expressed the opinion that requiring establishing a session is a strong requirement
              George said that the tests for session state are useful
              Torsten said that financial institutions are reluctant to use single-sign-on
              Mike said that prompt=none and max_age were put in the spec to improve usability
                           The spec explicitly requires OPs to support prompt=none
                           All existing certified OPs support sessions for this reason
              At most, we should make failing these tests a warning - we shouldn't remove the tests
              Torsten, Hans, and George are in favor of being able to test implementations that don't establish sessions
              George talked about adding explicit support for session-less IdPs
                           This is a longer-term possible deliverable
                           A session-less IdP implies different user-visible behaviors
              We will discuss this more on the call in two weeks

Login with Apple
              Apple has fixed the spec violations that we pointed out
                           They have not created a Discovery endpoint
              Hans created a PR to update our Apple status page that needs to be merged
              Don Thibeau is working on public communication

Pre-IIW Workshop
                           George will be talking about proposed browser changes and their possible impacts on OpenID Connect
                           George is concerned about the "is-the-user-logged-in" proposal
FDX Developer Workshop
                           Don Thibeau gave a presentation on the Foundation and Certification
                           Bjorn gave a presentation about CIBA

              Nat is waiting for a pull request from Torsten

Open Issues
              We only covered the Identity Assurance issues

Next Call
              The next call is Monday, September 16 at 4pm Pacific Time
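An added illustration, not part of the call notes and not code from SURFnet or the certification suite: a minimal model of how an OP is expected to evaluate prompt=none and max_age against its own session state (per OpenID Connect Core 3.1.2.1), and why a proxy that keeps no session of its own, like the one Bart described, necessarily returns login_required for prompt=none and re-authenticates on every max_age request. The Session and Decision types, the evaluate_request function and the sample sessions are all constructed for this example.

```python
"""Model of OpenID Provider handling of prompt=none and max_age.

Added example: the types and sample data here are constructed for illustration
and are not the certification suite's code.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """What an OP must remember about a logged-in user to answer these requests."""
    subject: str
    auth_time: int  # seconds since epoch when the End-User last authenticated


@dataclass
class Decision:
    action: str                      # "issue_token", "reauthenticate" or "error"
    error: Optional[str] = None      # OAuth/OIDC error code when action == "error"
    auth_time: Optional[int] = None  # auth_time claim to place in the ID Token


def evaluate_request(session: Optional[Session], prompt: Optional[str],
                     max_age: Optional[int], now: int) -> Decision:
    """Decide how the OP answers an authentication request.

    Rules modelled from OpenID Connect Core 3.1.2.1:
    - prompt=none: no UI may be shown; if no authenticated session exists
      (or it is older than max_age) the OP returns the login_required error.
    - max_age: if the time since auth_time exceeds max_age, the OP MUST
      actively re-authenticate the End-User; the ID Token MUST carry auth_time.
    """
    too_old = (session is not None and max_age is not None
               and now - session.auth_time > max_age)

    if prompt == "none":
        if session is None or too_old:
            return Decision("error", error="login_required")
        return Decision("issue_token", auth_time=session.auth_time)

    if prompt == "login" or session is None or too_old:
        return Decision("reauthenticate")

    return Decision("issue_token", auth_time=session.auth_time)


def id_token_claims(decision: Decision, subject: str, max_age: Optional[int]) -> dict:
    """Build the subset of ID Token claims affected by max_age.

    auth_time is mandatory whenever the request carried max_age.
    """
    if decision.action != "issue_token":
        raise ValueError("no token is issued for action %r" % decision.action)
    claims = {"sub": subject}
    if max_age is not None or decision.auth_time is not None:
        claims["auth_time"] = decision.auth_time
    return claims


# Constructed sample session store for a conventional OP (cookie -> Session).
SESSIONS = {"cookie-alice": Session(subject="alice", auth_time=1_000)}


def conventional_op(cookie: Optional[str], prompt: Optional[str],
                    max_age: Optional[int], now: int) -> Decision:
    """OP that keeps its own sessions, as every certified OP does."""
    return evaluate_request(SESSIONS.get(cookie), prompt, max_age, now)


def sessionless_proxy(prompt: Optional[str], max_age: Optional[int], now: int) -> Decision:
    """Proxy that only forwards to an upstream IdP and never learns
    whether the user is logged in: it has no Session to consult."""
    return evaluate_request(None, prompt, max_age, now)


if __name__ == "__main__":
    print(conventional_op("cookie-alice", "none", None, now=1_500))   # issue_token
    print(conventional_op("cookie-alice", None, 10_000, now=5_000))   # issue_token
    print(conventional_op("cookie-alice", None, 10_000, now=20_000))  # reauthenticate
    print(sessionless_proxy("none", None, now=1_500))                 # error login_required
    print(sessionless_proxy(None, 10_000, now=1_500))                 # reauthenticate
```

The last two calls reproduce the two certification failures from the notes: with no session to consult, prompt=none can only be answered with login_required, and any max_age value forces re-authentication regardless of how recently the upstream IdP authenticated the user.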