<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Spec Call Notes 12-Sep-19<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">Bjorn Hjelm<o:p></o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal">George Fletcher<o:p></o:p></p>
<p class="MsoNormal">Bart Geesink - SURFnet<o:p></o:p></p>
<p class="MsoNormal">Marcos Sanz - de.nic - Works with Torsten <o:p></o:p></p>
<p class="MsoNormal">Torsten Lodderstedt<o:p></o:p></p>
<p class="MsoNormal">Hans Zandbelt<o:p></o:p></p>
<p class="MsoNormal">Roland Hedberg<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OpenID Connect for Identity Proofing<o:p></o:p></p>
<p class="MsoNormal"> Torsten asked if it was time for progression to Implementer's Draft status<o:p></o:p></p>
<p class="MsoNormal"> We reviewed the identity proofing issues at https://bitbucket.org/openid/connect/issues?status=new&status=open&component=Assurance<o:p></o:p></p>
<p class="MsoNormal"> #1107: List other laws or trust services in the introduction<o:p></o:p></p>
<p class="MsoNormal"> Editorial - request from OIDF Japan<o:p></o:p></p>
<p class="MsoNormal"> #1106: Link between Evidence and Claims<o:p></o:p></p>
<p class="MsoNormal"> An extension to the syntax<o:p></o:p></p>
<p class="MsoNormal"> #1105: Support multiple verified_claims elements<o:p></o:p></p>
<p class="MsoNormal"> Could be done in a non-breaking fashion later (Torsten and Marcos)<o:p></o:p></p>
<p class="MsoNormal"> #1100: Analyse ISO 29003<o:p></o:p></p>
<p class="MsoNormal"> Torsten had a look at the doc, which Tony provided<o:p></o:p></p>
<p class="MsoNormal"> Torsten doesn't know what specific changes to make<o:p></o:p></p>
<p class="MsoNormal"> Perhaps Tony and Torsten can go over this together at IIW<o:p></o:p></p>
<p class="MsoNormal"> #1098: Add verification_score<o:p></o:p></p>
<p class="MsoNormal"> Suggestion by Adam Cooper - the conversation appears to have gone silent<o:p></o:p></p>
<p class="MsoNormal"> Would not be a breaking change<o:p></o:p></p>
<p class="MsoNormal"> #1097: Include Legal Persons<o:p></o:p></p>
<p class="MsoNormal"> We agreed to address this post Implementer's Draft<o:p></o:p></p>
<p class="MsoNormal"> #1094: How to treat unknown identifiers in claims parameter<o:p></o:p></p>
<p class="MsoNormal"> Mike added a reference to the JWS "crit" header parameter<o:p></o:p></p>
<p class="MsoNormal"> #1093: Extensibility: how do we support extensibility for trust frameworks, evidence types, verification methods and id documents?<o:p></o:p></p>
<p class="MsoNormal"> We can use Discovery metadata to query for supported features<o:p></o:p></p>
<p class="MsoNormal"> #1088: register new claims in OAuth Token Introspection Response Registry<o:p></o:p></p>
<p class="MsoNormal"> This can happen when the document is approved<o:p></o:p></p>
<p class="MsoNormal"> #1078: Identity Assurance - Incorporate EU/EC KYC Token work<o:p></o:p></p>
<p class="MsoNormal"> A placeholder to talk to the EC<o:p></o:p></p>
<p class="MsoNormal"> Nat will make the connections<o:p></o:p></p>
<p class="MsoNormal"> #1077: Identity Assurance - Need Input from other Jurisdictions<o:p></o:p></p>
<p class="MsoNormal"> Ongoing work<o:p></o:p></p>
<p class="MsoNormal"> Hope for feedback from Australia and Africa<o:p></o:p></p>
<p class="MsoNormal"> #1069: Identity Assurance Section 5.1 on reason for request<o:p></o:p></p>
<p class="MsoNormal"> There is now a purpose mechanism that satisfies this need<o:p></o:p></p>
<p class="MsoNormal"> Torsten will propose to close this issue on this basis<o:p></o:p></p>
<p class="MsoNormal"> #1068: Follow ISO rules (ISO Directive Part 2 and global relevance documents) on the drafting<o:p></o:p></p>
<p class="MsoNormal"> Nat will do a review on this basis<o:p></o:p></p>
<p class="MsoNormal"> We decided that it is time for an Implementer's Draft vote<o:p></o:p></p>
<p class="MsoNormal"> If there are no objections within a week, we'll start the Implementer's Draft review process<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">SURFnet OpenID Connect Proxy Certification Issues<o:p></o:p></p>
<p class="MsoNormal"> Bart explained that the SURFnet proxy to SAML IdPs passes policy to the upstream IdPs<o:p></o:p></p>
<p class="MsoNormal"> They always return an error from prompt=none because they don't know if the user is logged in or not<o:p></o:p></p>
<p class="MsoNormal"> They always reauthenticate in the max_age=10000 test<o:p></o:p></p>
<p class="MsoNormal"> https://github.com/openid-certification/oidctest/issues/184<o:p></o:p></p>
<p class="MsoNormal"> Both of these are causing certification failures because they are not behaving in the expected fashion<o:p></o:p></p>
<p class="MsoNormal"> Hans expressed the opinion that requiring establishing a session is a strong requirement<o:p></o:p></p>
<p class="MsoNormal"> George said that the tests for session state are useful<o:p></o:p></p>
<p class="MsoNormal"> Torsten said that financial institutions are reluctant to use single sign-on<o:p></o:p></p>
<p class="MsoNormal"> Mike said that prompt=none and max_age were put in the spec to improve usability<o:p></o:p></p>
<p class="MsoNormal"> The spec explicitly requires OPs to support prompt=none<o:p></o:p></p>
<p class="MsoNormal"> All existing certified OPs support sessions for this reason<o:p></o:p></p>
<p class="MsoNormal"> At most, we should make failing these tests a warning - we shouldn't remove the tests<o:p></o:p></p>
<p class="MsoNormal"> Torsten, Hans, and George are in favor of being able to test implementations that don't establish sessions<o:p></o:p></p>
<p class="MsoNormal"> George talked about adding explicit support for session-less IdPs<o:p></o:p></p>
<p class="MsoNormal"> This is a longer-term possible deliverable<o:p></o:p></p>
<p class="MsoNormal"> A session-less IdP implies different user-visible behaviors<o:p></o:p></p>
<p class="MsoNormal"> We will discuss this more on the call in two weeks<o:p></o:p></p>
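<p class="MsoNormal"> The prompt=none and max_age behaviors discussed above, modelled as an added Python example (not code from SURFnet, the certification suite, or the working group): a session-aware OP reuses a fresh session for both checks, while a session-less proxy, which never knows whether the user is logged in, has to return an error on prompt=none and re-authenticate on max_age, which is why both checks fail. The session layout, the helper names, and the sample timestamps are assumptions.<o:p></o:p></p>

```python
import time


def decide_authentication(session, prompt=None, max_age=None, now=None):
    """Model of an OpenID Provider's decision for one authentication request.

    session: dict with "auth_time" (seconds since epoch) when the OP knows the
             user is logged in, or None when it has no session knowledge (the
             case of a session-less proxy in front of upstream IdPs).
    prompt:  value of the prompt request parameter ("none", "login", ...).
    max_age: maximum acceptable age of the user's authentication, in seconds.
    """
    now = time.time() if now is None else now
    if session is None:
        # Without a session the OP cannot attest that the user is logged in,
        # so prompt=none must produce an error instead of showing a login UI.
        if prompt == "none":
            return {"action": "error", "error": "login_required"}
        return {"action": "authenticate"}
    age = now - session["auth_time"]
    if prompt == "login" or (max_age is not None and age > max_age):
        # A session exists but is not acceptable for this request.
        if prompt == "none":
            return {"action": "error", "error": "login_required"}
        return {"action": "authenticate"}
    # Fresh enough: reuse the session. When max_age was requested the ID Token
    # must carry auth_time so the RP can verify the age itself.
    return {"action": "reuse_session", "include_auth_time": max_age is not None}


def certification_checks(lookup_session, now):
    """Run the two checks from the call against an OP modelled by
    lookup_session() -> session dict or None. Both expect session reuse."""
    session = lookup_session()
    none_ok = decide_authentication(session, prompt="none", now=now)
    age_ok = decide_authentication(session, max_age=10000, now=now)
    return {"prompt_none": none_ok["action"] == "reuse_session",
            "max_age_10000": age_ok["action"] == "reuse_session"}


# Constructed sample: a session-aware OP whose user authenticated 60 s ago,
# and a session-less proxy that never learns the upstream login state.
NOW = 1_568_300_000


def session_aware_op():
    return {"auth_time": NOW - 60}


def session_less_proxy():
    return None


if __name__ == "__main__":
    print(certification_checks(session_aware_op, NOW))    # both True
    print(certification_checks(session_less_proxy, NOW))  # both False
```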
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Login with Apple<o:p></o:p></p>
<p class="MsoNormal"> Apple has fixed the spec violations that we pointed out<o:p></o:p></p>
<p class="MsoNormal"> They have not created a Discovery endpoint<o:p></o:p></p>
<p class="MsoNormal"> Hans created a PR to update our Apple status page that needs to be merged<o:p></o:p></p>
<p class="MsoNormal"> Don Thibeau is working on public communication<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Events<o:p></o:p></p>
<p class="MsoNormal"> Pre-IIW Workshop<o:p></o:p></p>
<p class="MsoNormal"> https://openid.net/2019/08/09/registration-open-for-openid-foundation-workshop-at-verizon-media-on-monday-september-30-2019/<o:p></o:p></p>
<p class="MsoNormal"> George will be talking about proposed browser changes and their possible impacts on OpenID Connect<o:p></o:p></p>
<p class="MsoNormal"> TPAC<o:p></o:p></p>
<p class="MsoNormal"> George is concerned about the "is-the-user-logged-in" proposal<o:p></o:p></p>
<p class="MsoNormal"> https://lists.w3.org/Archives/Public/public-webappsec/2019Sep/0004.html<o:p></o:p></p>
<p class="MsoNormal"> FDX Developer Workshop<o:p></o:p></p>
<p class="MsoNormal"> Don Thibeau gave a presentation on the Foundation and Certification<o:p></o:p></p>
<p class="MsoNormal"> Bjorn gave a presentation about CIBA<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OAuth JAR<o:p></o:p></p>
<p class="MsoNormal"> Nat is waiting for a pull request from Torsten<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> https://bitbucket.org/openid/connect/issues?status=new&status=open<o:p></o:p></p>
<p class="MsoNormal"> We only covered the Identity Assurance issues<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next call is Monday, September 16 at 4pm Pacific Time<o:p></o:p></p>
</div>
</body>
</html>