<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Spec Call Notes 18-Jun-20<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Tim Cappalli<o:p></o:p></p>
<p class="MsoNormal">Tom Jones<o:p></o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal">Bjorn Hjelm<o:p></o:p></p>
<p class="MsoNormal">Filip Skokan<o:p></o:p></p>
<p class="MsoNormal">Joseph Heenan<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">App2App Certification<o:p></o:p></p>
<p class="MsoNormal"> Described at <a href="https://openid.net/2019/10/21/guest-blog-implementing-app-to-app-authorisation-in-oauth2-openid-connect/">
https://openid.net/2019/10/21/guest-blog-implementing-app-to-app-authorisation-in-oauth2-openid-connect/</a><o:p></o:p></p>
<p class="MsoNormal"> Certification for App2App pattern with FAPI being launched<o:p></o:p></p>
<p class="MsoNormal"> Mainly for UK banking apps at present<o:p></o:p></p>
<p class="MsoNormal"> Joseph described that the app claims the authorization endpoint's URL<o:p></o:p></p>
<p class="MsoNormal"> OpenID Connect flows then open the local application<o:p></o:p></p>
<p class="MsoNormal"> For instance, could be used with FaceID<o:p></o:p></p>
<p class="MsoNormal"> Increases success rate<o:p></o:p></p>
<p class="MsoNormal"> Relevant in banking use cases where you are authorizing a payment<o:p></o:p></p>
<p class="MsoNormal"> This is the same pattern as the mobile applications BCP [RFC 8252]<o:p></o:p></p>
<p class="MsoNormal"> To certify, run your application on Web, iOS, and Android<o:p></o:p></p>
<p class="MsoNormal"> There are no new specs for this<o:p></o:p></p>
<p class="MsoNormal"> It just uses existing specs in a mobile context<o:p></o:p></p>
<p class="MsoNormal"> Joseph wants to know whether people have done this with pure OpenID Connect, rather than FAPI<o:p></o:p></p>
<p class="MsoNormal"> OpenID Connect implementations tend to use long-lived SSO sessions instead<o:p></o:p></p>
<p class="MsoNormal"> Joseph will be presenting on this at Identiverse and the OAuth Security Workshop<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://identiverse.com/detailed-agenda/#session=app2app-improving-the-third-party-authorization-user-experience-on-mobile">
https://identiverse.com/detailed-agenda/#session=app2app-improving-the-third-party-authorization-user-experience-on-mobile</a><o:p></o:p></p>
<p class="MsoNormal"> <a href="https://barcamptools.eu/oauth-security-workshop-2020/events/0d0423b6-5924-4e6f-8b3b-63edbbe0ae59#sessions">
https://barcamptools.eu/oauth-security-workshop-2020/events/0d0423b6-5924-4e6f-8b3b-63edbbe0ae59#sessions</a><o:p></o:p></p>
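<p class="MsoNormal"> Added example (not from the call, the certification suite, or the linked blog post): a minimal in-process model of the RFC 8252 pattern that App2App reuses. The TPP's app builds the authorization request with PKCE and state, the bank's app (modelled as a function, with the FaceID step left out) receives the claimed URL and redirects to the TPP's claimed https redirect_uri, and the token endpoint only redeems the code against the matching code_verifier. The hostnames, client_id and scope are hypothetical; the last function shows why a rogue app that intercepts the redirect still cannot redeem the code.<o:p></o:p></p>

```python
"""Added example: RFC 8252 native-app flow as used by App2App (PKCE + state +
exact redirect_uri match). All endpoints and identifiers are hypothetical and
the bank app / token endpoint are in-process functions; no network, no signing."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://bank.example/authorize"        # claimed by the bank app (assumed)
REGISTERED_REDIRECT = "https://tpp.example/callback"    # claimed by the TPP app (assumed)
CLIENT_ID = "tpp-app"                                   # assumed client_id


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# ---- TPP (client) side ------------------------------------------------------

def build_authorization_request() -> tuple:
    """Build the URL the TPP app hands to the OS. Returns (url, pending) where
    pending holds the one-shot code_verifier and state bound to this request."""
    verifier = b64url(secrets.token_bytes(32))            # 43 chars, within RFC 7636's 43..128
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    state = b64url(secrets.token_bytes(16))
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REGISTERED_REDIRECT,
        "scope": "openid payments",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params), {"verifier": verifier, "state": state}


def handle_callback(callback_url: str, pending: dict) -> str:
    """Runs when the OS delivers the claimed https redirect back to the TPP app.
    A response whose state does not match the pending request is rejected."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != pending["state"]:
        raise ValueError("state mismatch: response is not for this request")
    return query["code"][0]


# ---- Bank (authorization server / bank app) side ----------------------------

_issued_codes = {}   # code -> {client_id, redirect_uri, challenge}


def bank_app_authorize(request_url: str) -> str:
    """The bank app receives the claimed authorize URL, authenticates the user
    (FaceID etc., not modelled) and returns the redirect to the TPP's claimed URL."""
    q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
    if q.get("redirect_uri") != REGISTERED_REDIRECT:      # exact string match
        raise ValueError("redirect_uri not registered for this client")
    if q.get("code_challenge_method") != "S256":
        raise ValueError("PKCE with S256 is required for native clients")
    code = b64url(secrets.token_bytes(16))
    _issued_codes[code] = {"client_id": q["client_id"],
                           "redirect_uri": q["redirect_uri"],
                           "challenge": q["code_challenge"]}
    return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})


def token_endpoint(code: str, code_verifier: str, client_id: str, redirect_uri: str) -> dict:
    """Redeems a code once; fails unless SHA-256(verifier) equals the stored challenge."""
    rec = _issued_codes.pop(code, None)                    # single use, even on failure
    if rec is None:
        raise ValueError("unknown or already-used code")
    if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
        raise ValueError("code was issued to a different client or redirect_uri")
    if b64url(hashlib.sha256(code_verifier.encode("ascii")).digest()) != rec["challenge"]:
        raise ValueError("PKCE verification failed")
    return {"access_token": b64url(secrets.token_bytes(16)), "token_type": "Bearer"}


def run_flow() -> dict:
    """Happy path: TPP app -> bank app -> TPP app -> token endpoint."""
    url, pending = build_authorization_request()
    redirect = bank_app_authorize(url)
    code = handle_callback(redirect, pending)
    return token_endpoint(code, pending["verifier"], CLIENT_ID, REGISTERED_REDIRECT)


def hijacked_code_is_useless() -> bool:
    """A rogue app that intercepts the redirect holds the code but not the verifier."""
    url, _pending = build_authorization_request()
    redirect = bank_app_authorize(url)
    stolen_code = parse_qs(urlparse(redirect).query)["code"][0]
    try:
        token_endpoint(stolen_code, b64url(secrets.token_bytes(32)), CLIENT_ID, REGISTERED_REDIRECT)
    except ValueError:
        return True
    return False
```

<p class="MsoNormal"> The bank side checks redirect_uri by exact match rather than prefix, which is what makes the claimed https URL worth claiming: only the app that owns tpp.example receives the code, and even an app that does receive it cannot redeem it without the verifier the TPP app kept in memory.<o:p></o:p></p>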
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OAuth JAR<o:p></o:p></p>
<p class="MsoNormal"> Nat sent the reply to Brock Allen<o:p></o:p></p>
<p class="MsoNormal"> Per issue #1171, Nat still needs to add require_signed_request_object<o:p></o:p></p>
<p class="MsoNormal"> Then he will ask area director Ben Kaduk to advance the spec<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Event Announcements<o:p></o:p></p>
<p class="MsoNormal"> Nat is organizing a virtual meeting for Self-Issued Identity Provider implementations<o:p></o:p></p>
<p class="MsoNormal"> Register at <a href="https://www.eventbrite.com/e/siop-virtual-meetup-tickets-109986695166">
https://www.eventbrite.com/e/siop-virtual-meetup-tickets-109986695166</a><o:p></o:p></p>
<p class="MsoNormal"> 7:00 AM – 9:00 AM Pacific Time June 25<o:p></o:p></p>
<p class="MsoNormal"> General admission is already sold out<o:p></o:p></p>
<p class="MsoNormal"> There are more slots for OIDF members<o:p></o:p></p>
<p class="MsoNormal"> OIDF members with general admission tickets are encouraged to cancel them and register as OIDF members<o:p></o:p></p>
<p class="MsoNormal"> OIDF is organizing an OpenID workshop during the virtual OAuth Security Workshop<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://barcamptools.eu/oauth-security-workshop-2020/events">
https://barcamptools.eu/oauth-security-workshop-2020/events</a><o:p></o:p></p>
<p class="MsoNormal"> This will be July 21<o:p></o:p></p>
<p class="MsoNormal"> Joseph will be talking about certification tools<o:p></o:p></p>
<p class="MsoNormal"> Nat may be talking about FAPI<o:p></o:p></p>
<p class="MsoNormal"> Contact Don Thibeau for details<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Certification<o:p></o:p></p>
<p class="MsoNormal"> The migration from the Python suite to the Java suite is in progress<o:p></o:p></p>
<p class="MsoNormal"> See <a href="https://openid.net/certification/migration/">
https://openid.net/certification/migration/</a><o:p></o:p></p>
<p class="MsoNormal"> We're encouraging new submissions to run both test suites now<o:p></o:p></p>
<p class="MsoNormal"> Even if you have an existing certification, please run both now to get a free new one!<o:p></o:p></p>
<p class="MsoNormal"> We're still missing OP logout tests and 3rd Party-Initiated login tests, but the rest are there<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Federation Interop<o:p></o:p></p>
<p class="MsoNormal"> Roland Hedberg ran a Federation interop last week<o:p></o:p></p>
<p class="MsoNormal"> There were three implementations participating<o:p></o:p></p>
<p class="MsoNormal"> Roland's, GÉANT, Connect2ID<o:p></o:p></p>
<p class="MsoNormal"> A report on the Interop will be sent to the working group<o:p></o:p></p>
<p class="MsoNormal"> Mike will be speaking about the Federation spec at Identiverse<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open">
https://bitbucket.org/openid/connect/issues?status=new&status=open</a><o:p></o:p></p>
<p class="MsoNormal"> #1176 backchannel logout spec doesn't have requirement that 'sid` in id_token & logout_token match<o:p></o:p></p>
<p class="MsoNormal"> Mike to investigate and propose language<o:p></o:p></p>
<p class="MsoNormal"> #1174 Federation: 9.2.2.2.1. The OP Constructing the Response - Clarify which keys need to be preserved to facilitate roll-over<o:p></o:p></p>
<p class="MsoNormal"> Assigned to Roland<o:p></o:p></p>
<p class="MsoNormal"> #1175 Create a Separate Spec for Self-Issued Identifiers<o:p></o:p></p>
<p class="MsoNormal"> There's been discussion in the issue among Tom, Mike, and Tony<o:p></o:p></p>
<p class="MsoNormal"> Tom is asking about discovery and key rollover<o:p></o:p></p>
<p class="MsoNormal"> Tom is doing his implementation for IAL2 and AAL2 of NIST 800-63<o:p></o:p></p>
<p class="MsoNormal"> Mike asked Tom how he associates multiple keys with a subject<o:p></o:p></p>
<p class="MsoNormal"> Mike asked what normative requirements are needed to enable key rollover<o:p></o:p></p>
<p class="MsoNormal"> Tom said that this is related to the persistent ID issue #1081<o:p></o:p></p>
<p class="MsoNormal"> #1081 Need for a persistence user identifier - a PUID<o:p></o:p></p>
<p class="MsoNormal"> Mike asked whether "sub" isn't a persistent ID, at least when non self-issued<o:p></o:p></p>
<p class="MsoNormal"> If there was a persistent ID claim, one value of it could be a DID<o:p></o:p></p>
<p class="MsoNormal"> Tom is talking with Tobias Looker and Kyle Den Hartog about this<o:p></o:p></p>
<p class="MsoNormal"> People also asked for an ephemeral subject type in issue #1096<o:p></o:p></p>
<p class="MsoNormal"> Tom plans to write a proposal and link the three issues above together<o:p></o:p></p>
<p class="MsoNormal"> Tom will present about this at the virtual SIOP workshop<o:p></o:p></p>
<p class="MsoNormal"> #1167 Required certification behaviour for request and request_uri parameters<o:p></o:p></p>
<p class="MsoNormal"> Marked resolved, since this is done in the Java certification suite<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next working group call is Monday, June 22 at 4pm Pacific Time<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>