[Openid-specs-ab] OpenID AB/Connect WG Meeting Notes (2020-09-10)

Nat Sakimura nat at nat.consulting
Fri Sep 11 00:36:19 UTC 2020

OpenID AB/Connect WG Meeting Notes (2020-09-10)

Date & Time: 2020-09-10 14:00 UTC Location:


   - 1.   Roll Call
   - 2.   Adoption of Agenda (Nat)
   - 3.   External organizations
      - 3.1.   W3C Incubator community group and privacy community group
      - 3.2.   DIF (Kristina/Markus)
   - 4.   Events
      - 4.1.   SC27 (Nat)
      - 4.2.   FDX Dev Con (Nat)
   - 5.   Drafts
      - 5.1.   OpenID Self Issued Identifiers (Tom)
   - 6.   Issues
      - 6.1.   1182 Add logout_hint parameter to RP-Initiated Logout
      request (Mike)
   - 7.   AOB

The meeting was called to order at 14:00 UTC.

1.   Roll Call

   - Attending: Nat, Filip, Tom, Markus, Kristina, George, John, Torsten,
   Kim, Joseph
   - Regrets:
   - Guest:

2.   Adoption of Agenda (Nat)

   - As agenda was not circulated before the call, it was dynamically
   created and agreed.

3.   External organizations
3.1.   W3C Incubator community group and privacy community group (George)

George introduced his concern around the WebID proposal that was made to the
W3C incubator community group as follows:

Google has officially contributed their WebID proposal into the W3C
incubator community group. At a high level, the browsers want to
intermediate identity flows and they want to intermediate identity flows
because they want to be able to separate identity flows from ad tracking.

There's also sort of an underlying aspect in the sense of privacy where
browsers want to be able to show the user all the places you're logged in
and be able to do things like,

"Hey, You haven't visited CNN dot com, you know, for the last eight days,
but you're currently logged in, you want to stay logged in?" and then if
the user says no, they wipe cookies.

There are all sorts of implications if they wipe all the cookies
effectively, including the trust cookies that tell us that this is a
trusted browser where George has logged in for two hours logged in from
before. This basically turns it into an untrusted browser, which may mean
you have to do an extra challenge. And if these things get wiped every
seven days, the user experience for login across the web goes down.

There is another concern: WebID is really looking at this largely from the
use by individual users, surfing the web, not from enterprise use cases or
academic federation use cases or even large organizations that use
standards for the first-party authentication across their properties.

This is going to affect all parties that use OpenID and SAML.

Thus, we need more identity people in the incubator community group to
feed and add use cases and help people define.

To do so, a lot of us need to join the community group. They work through
biweekly calls and GitHub issues.

   - https://github.com/privacycg
   - https://github.com/WICG/WebID

Nat asked the callers to join the group and start feeding use-cases, etc.

3.2.   DIF (Kristina/Markus)

Kristina and Markus reported that not much is happening in terms of
DID-SIOP as it is supposed to be moved here.

Torsten asked if the most current spec has the claims handling capability
as the version that Pam sent did not. Kristina replied that it is under
discussion but not yet.

4.   Events
4.1.   SC27 (Nat)

Starting this Saturday for a week. There is an opportunity to report our
activity to them. If there is a specific item that you want to draw their
attention to, please inform Tony Nadalin, the OIDF to SC27/WG5 Liaison
officer, and Nat.

4.2.   FDX Dev Con (Nat)

22nd and 23rd. Nat is going to make a keynote presentation. Some
announcement around OpenID is expected in the meeting.

5.   Drafts
5.1.   OpenID Self Issued Identifiers (Tom)

Tom told the group that he is not getting any feedback and asked why.

Nat and John told Tom that it is partly due to him not sending the copy of
the document to the list and thus the WG cannot comment on it due to IPR.

He previously sent the link to his document[1] on Aug. 27 but as Mike
Jones, the secretary, pointed out in the last meeting, it does not work
from the IPR PoV as the content may change at any time.


Tom promised to send the copy to the list.

Markus told Tom that if it needs to be taken up on the DIF side, it can
be done as he is a co-chair there.

6.   Issues
6.1.   1182 Add logout_hint parameter to RP-Initiated Logout request (Mike)


The issue was discussed over 30 minutes but has not come to a consensus.
The main topic was whether to include client_id in the request parameters so
that the error can be returned to the RP and the RP can take appropriate
action.

Mike Jones opposed the idea, saying that adding a parameter will increase
the number of combinations of possible parameters and will likely get less
support from OPs, but Filip and George were not convinced.

Filip also proposed a text in the issue that will be backwards compatible
and yet allows the response to be returned to the RP.

John proposed a solution that requires prompting, and Filip said that it
does not help him to load up the client and verify.

As it was approaching the end of the call, Nat intervened and asked to take
the discussion either offline and report back to the WG or continue next

7.   AOB


The meeting was adjourned at 15:00 UTC

Nat Sakimura
NAT.Consulting LLC