[Openid-specs-ab] Spec Call Notes 27-Aug-20

Mike Jones Michael.Jones at microsoft.com
Thu Aug 27 18:14:03 UTC 2020


Spec Call Notes 27-Aug-20

Brian Campbell
Tim Cappalli
Mike Jones
Oliver Terbu
Tom Jones
Kristina Yasuda
George Fletcher
Markus Sabadello
Bjorn Hjelm
Joseph Heenan
John Bradley

logout_hint Proposal
              Issue #1182 - Add logout_hint parameter to RP-Initiated Logout request
              https://bitbucket.org/openid/connect/issues/1182/add-logout_hint-parameter-to-rp-initiated
              Mike gave background in the issue
              George observed that the login_hint is truly a hint, whereas logout_hint might not be
              Mike reminded people that OPs are expected to ask the user if they really want to log out
              Mike reminded people that it's legal to request a logout without any user selection parameters
              George doesn't see much danger in adding additional user selection parameters if there's user interaction involved
              Mike thinks that adding logout_hint and sid parameters would be fine session selection inputs
              Post-logout redirection should only happen to RPs that have recently been logged in
                           and to registered post_logout_redirect_uri values
              Mike said that client_id doesn't help for user selection, whereas sid does
              John said that we haven't said that sids can't be specific to particular client_ids
                           Mike said we're already requiring them to be unique within the OP in Backchannel Logout
                           John said we should say that elsewhere where relevant
              Mike will add the sense of the discussion on this call to the issue
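The OP-side rules discussed above (sid as an exact selector, logout_hint as a hint only, the user still being asked to confirm, and post-logout redirection limited to registered post_logout_redirect_uri values of RPs that actually logged in through the selected session) as an added example, not code from the notes or any OpenID implementation. The session and client records are constructed sample data; id_token_hint handling is assumed out of scope.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

@dataclass
class Session:
    sid: str              # assumed unique within the OP, as Back-Channel Logout requires
    sub: str
    client_ids: Set[str]  # RPs that logged in through this session

@dataclass
class Client:
    client_id: str
    post_logout_redirect_uris: FrozenSet[str]  # registered values only

# Constructed sample data for the example
SAMPLE_SESSIONS: Dict[str, Session] = {"s1": Session("s1", "alice", {"rp1"})}
SAMPLE_CLIENTS: Dict[str, Client] = {
    "rp1": Client("rp1", frozenset({"https://rp1.example/bye"})),
    "rp2": Client("rp2", frozenset({"https://rp2.example/bye"})),
}

def evaluate_logout_request(params: dict, sessions: Dict[str, Session],
                            clients: Dict[str, Client]) -> dict:
    """Decide which session a logout request selects and whether the requested
    post-logout redirect may be honored. The OP still asks the user to confirm."""
    selected: Optional[Session] = None
    if "sid" in params:
        # sid is a precise selector: an unknown sid is an error, not a hint
        selected = sessions.get(params["sid"])
        if selected is None:
            raise ValueError("unknown sid")
    elif "logout_hint" in params:
        # logout_hint is only a hint: use it when it identifies exactly one session
        matches = [s for s in sessions.values() if s.sub == params["logout_hint"]]
        selected = matches[0] if len(matches) == 1 else None
    # A request with no selection parameters at all is legal; the user picks.

    redirect_uri = None
    client = clients.get(params.get("client_id", ""))
    requested = params.get("post_logout_redirect_uri")
    if client and requested and selected:
        # exact match against registered values (no prefix matching, no open redirect)
        registered = requested in client.post_logout_redirect_uris
        # only redirect to RPs that were actually logged in through this session
        logged_in = client.client_id in selected.client_ids
        if registered and logged_in:
            redirect_uri = requested
    return {
        "session": selected.sid if selected else None,
        "needs_user_confirmation": True,
        "post_logout_redirect_uri": redirect_uri,
    }
```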

Aggregated Claims Draft
              The adopted draft hasn't been posted yet

OpenID Virtual Workshop, Monday, October 19th
              It will be prior to the virtual IIW
              Topics scheduled include working group, federation, and certification updates
              The group thought that we should add a SIOP update to the agenda

Certification
              We are on track to decommission the Python-based testing suite at end of the month
              We've sent notices about this to mailing lists and those who have certified in the past
              We notified them that they need to wrap up their testing with it and move to the Java-based suite
              We will take the new suite out of pilot mode in September, after the old one is decommissioned
                           At that point, we will resume charging for Connect certifications
              Joseph said that we've gotten a bunch of certification requests using the new suite in the past two weeks
              We have certifications for all the certification profiles except for RP Config, RP Dynamic, RP Form Post, and RP Back-Channel Logout
                           Mike will ping Roland about trying those

Introductions
              Markus Sabadello
                           Danube Tech in Vienna, Austria
                           Worked on OpenID for a long time, including early OpenID 2.0 implementations
                           Active in self-sovereign identity
                                         An editor of the DID core spec in W3C
                           A fan of Oliver's SIOP work
              Oliver Terbu
                           At Consensys in Germany
                           Active in self-sovereign identity
                           Active in Decentralized Identity Foundation (DIF)
                                         A chair of DID Auth WG in DIF
                           Here because this group is working on SIOP again
                           Has proposed modifications to help use SIOP in a more efficient way

SIOP
              Mike summarized some of the discussions from the previous call for the new participants
                           We could introduce a level of indirection, like we used to have with XRDS
                           The indirection value could be a stable "sub" identifier for the RP to use
                           Indirection would enable key rollover
                           Tobias Looker had proposed using a URI as the "sub" value
                                         This URI could be a DID
                                         It could be a URL for an OpenID Federation Entity Statement
                           We can differentiate between existing sub values and new ones because URIs have a colon in them
              Tom and Tobias are working on a proposal
              https://github.com/KantaraInitiative/DistributedAssurance/blob/master/OpenID%20Self%20Issued%20Identifier.md
                           Section 5.2 talks about Subject Identifiers
              Oliver: DIF proposal currently uses a different claim than "sub" for the DID
              Oliver: Thinks that Tobias' motivation was primarily token issuance, rather than the ID Token
              Oliver plans to write a document and share it with the working group to discuss on a future call
              George observed that Tom has a use case that requires a persistent identifier for the user
                           George thinks that that would be better as a unique claim
              Tom said that in healthcare, there won't be a single identifier ever
                           You have to go through a medical record locator process
                           Each health identifier exchange uses a different identifier for the person
                           In healthcare, we have to assume that we'll never have a single identifier for the person
              George said that it's up to the deployment what kinds of subject identifiers to use
              Tom discussed redirection methods
                           If we have the level of indirection, we could specify redirection methods other than openid:// in the discovery document
              George asked if we want to just break the "sub" value and require it to be a URI
                           John suggested that we could define a URI value to encode the JWK Thumbprint
                           Tobias had suggested the same thing in a different call
              We should determine how much deployment there is of the existing SIOP specification
                           Mike believes that there may be deployments in Japan
                           John believes that Nat knows about this
                           George pointed out that having prototypes is quite different from having production deployments at scale
              Tobias has the OpenID Connect Credential Provider document
              Tom asked others in the DID community to look at his document
              Tom asked if a next step was for the working group to adopt his document
                           (We ran out of time and didn't discuss that question)
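The "sub" discussion above turns on two checks an RP can actually perform: today's Self-Issued OP sub value is the RFC 7638 JWK Thumbprint of the key in sub_jwk (a base64url string, so it never contains a colon), while a DID or URL sub would contain one. This added example, not from the notes or any listed project, computes the thumbprint, classifies a sub value by that colon rule, and verifies the thumbprint binding; the EC key is a constructed sample and resolving a URI-form sub to keys is assumed out of scope.

```python
import base64
import hashlib
import json

# Required members per key type, hashed in lexicographic order (RFC 7638 section 3)
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),  # RFC 8037
}

def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JSON of the required members)), per RFC 7638."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def classify_sub(sub: str) -> str:
    """Distinguish a legacy thumbprint sub from a URI-form sub by the colon."""
    if ":" not in sub:
        return "thumbprint"
    scheme = sub.split(":", 1)[0].lower()
    if scheme == "did":
        return "did"
    if scheme in ("https", "http"):
        return "url"
    return "uri"

def verify_thumbprint_sub(id_token_claims: dict) -> bool:
    """True only if sub is a thumbprint that matches the sub_jwk in the ID Token."""
    sub = id_token_claims.get("sub", "")
    sub_jwk = id_token_claims.get("sub_jwk")
    if classify_sub(sub) != "thumbprint" or not isinstance(sub_jwk, dict):
        return False
    return sub == jwk_thumbprint(sub_jwk)

# Constructed sample key and ID Token claims for the example
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
              "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}
SAMPLE_CLAIMS = {"iss": "https://self-issued.me", "sub": jwk_thumbprint(SAMPLE_JWK),
                 "sub_jwk": SAMPLE_JWK}
```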

Open Issues
              https://bitbucket.org/openid/connect/issues?status=new&status=open
              (We ran out of time so no additional open issues were discussed)

Next Call
              The next working group call is Monday, August 31 at 4pm Pacific Time
                           This is the call primarily devoted to SIOP issues