<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Spec Call Notes 14-Mar-19<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal">George Fletcher<o:p></o:p></p>
<p class="MsoNormal">Tom Jones<o:p></o:p></p>
<p class="MsoNormal">Torsten Lodderstedt<o:p></o:p></p>
<p class="MsoNormal">Bjorn Hjelm<o:p></o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">Rich Levinson<o:p></o:p></p>
<p class="MsoNormal">Filip Skokan<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Native SSO Draft<o:p></o:p></p>
<p class="MsoNormal"> George has gotten feedback from Torsten and Edmund and Filip on the Native SSO Draft<o:p></o:p></p>
<p class="MsoNormal"> Nat checked it into GitHub and sent a note to the working group about it<o:p></o:p></p>
<p class="MsoNormal"> After George incorporates feedback, Mike will publish a working group draft<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">prompt=create Draft<o:p></o:p></p>
<p class="MsoNormal"> George also received some feedback on that draft<o:p></o:p></p>
<p class="MsoNormal"> There hasn't yet been a decision whether to make this a working group document or not<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OpenID Connect for Identity Proofing (draft mechanics)<o:p></o:p></p>
<p class="MsoNormal"> Torsten migrated his draft from PDF to Markdown and checked it into our bitbucket repository<o:p></o:p></p>
<p class="MsoNormal"> https://bitbucket.org/openid/connect/src/default/openid-connect-4-identity-assurance/<o:p></o:p></p>
<p class="MsoNormal"> Build with "mmark -2 main.md > ./openid-connect-4-identity-assurance.xml" and then xml2rfc<o:p></o:p></p>
<p class="MsoNormal"> Torsten published the html to https://openid.net/wordpress-content/uploads/2019/03/openid-connect-4-identity-assurance-00.html<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Document Source Control<o:p></o:p></p>
<p class="MsoNormal"> We had a discussion on specification source control and archiving<o:p></o:p></p>
<p class="MsoNormal"> Torsten's source uses multiple .md files<o:p></o:p></p>
<p class="MsoNormal"> Mike and Torsten discussed the need to have a consistent archival copy of sources for all working group drafts<o:p></o:p></p>
<p class="MsoNormal"> Having a consistent snapshot is harder when there's more than one source file<o:p></o:p></p>
<p class="MsoNormal"> For now, Torsten will produce a .zip file with all sources and outputs and then Mike will publish the working group document<o:p></o:p></p>
<p class="MsoNormal"> We will continue discussing this in Stuttgart and Prague<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> Bjorn pointed out that some of the institutional knowledge of how OpenID specs are published needs to be documented<o:p></o:p></p>
<p class="MsoNormal"> This will help all working group chairs and editors<o:p></o:p></p>
<p class="MsoNormal"> Mike agreed to work on this<o:p></o:p></p>
<p class="MsoNormal"> For instance:<o:p></o:p></p>
<p class="MsoNormal"> A permanent archive of sources and outputs for working group specifications is needed<o:p></o:p></p>
<p class="MsoNormal"> The archive is independent of the source control system that editors may use - as these come and go<o:p></o:p></p>
<p class="MsoNormal"> Specifications for foundation-wide review are always published at openid.net/specs/.<o:p></o:p></p>
<p class="MsoNormal"> Some working groups also publish all major revisions there<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OpenID Connect for Identity Proofing (content)<o:p></o:p></p>
<p class="MsoNormal"> Tom started a discussion about meeting legal requirements for identity proofing<o:p></o:p></p>
<p class="MsoNormal"> Torsten had responded to this on the list<o:p></o:p></p>
<p class="MsoNormal"> There are many legal jurisdictions around the world with different requirements<o:p></o:p></p>
<p class="MsoNormal"> We want to create specifications that can be applied worldwide<o:p></o:p></p>
<p class="MsoNormal"> None of us on the call are lawyers, so we're not qualified to make legal judgements<o:p></o:p></p>
<p class="MsoNormal"> Torsten stated that he created a representation of identity assurance data<o:p></o:p></p>
<p class="MsoNormal"> Torsten stated that it's up to implementers to comply with applicable laws<o:p></o:p></p>
<p class="MsoNormal"> Tom suggested that we add a privacy considerations section to the document<o:p></o:p></p>
<p class="MsoNormal"> George: We're not requiring that particular information be exchanged<o:p></o:p></p>
<p class="MsoNormal"> Mike: We're defining syntax - not policy<o:p></o:p></p>
<p class="MsoNormal"> Mike: In this sense, the document is neutral, just like OpenID Connect is<o:p></o:p></p>
<p class="MsoNormal"> Nat: It's up to implementing entities to ensure that they're in compliance - not us<o:p></o:p></p>
<p class="MsoNormal"> Nat: There are other kinds of legal basis than consent, but sometimes consent applies<o:p></o:p></p>
<p class="MsoNormal"> George: We are not trying to define business processes or legal processes in the specification<o:p></o:p></p>
<p class="MsoNormal"> Nat: Implementing entities must identify their applicable legal requirements and comply with them<o:p></o:p></p>
<p class="MsoNormal"> Mike: This is true of all identity specifications - not just this one<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> Monday, March 18 at 4pm Pacific Time<o:p></o:p></p>
<p class="MsoNormal"> However this may be problematic for people travelling to the OAuth Security Workshop in Prague<o:p></o:p></p>
<p class="MsoNormal"> We should discuss whether to have this call on the mailing list<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>