<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Spec Call Notes 17-Aug-20<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Tom Jones<o:p></o:p></p>
<p class="MsoNormal">Kristina Yasuda<o:p></o:p></p>
<p class="MsoNormal">Edmund Jay<o:p></o:p></p>
<p class="MsoNormal">Bjorn Hjelm<o:p></o:p></p>
<p class="MsoNormal">John Bradley<o:p></o:p></p>
<p class="MsoNormal">Tobias Looker<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OAuth JAR<o:p></o:p></p>
<p class="MsoNormal"> Mike is continuing to work on a PR addressing IESG and WG comments<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Aggregated Claims Draft<o:p></o:p></p>
<p class="MsoNormal"> Edmund will check this into the Connect repositories and Mike will publish a working group draft<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tom's Draft<o:p></o:p></p>
<p class="MsoNormal"><a href="https://github.com/KantaraInitiative/DistributedAssurance/blob/master/OpenID%20Self%20Issued%20Identifier.md">https://github.com/KantaraInitiative/DistributedAssurance/blob/master/OpenID%20Self%20Issued%20Identifier.md</a><o:p></o:p></p>
<p class="MsoNormal"> Tom is asking Tobias for feedback on his draft<o:p></o:p></p>
<p class="MsoNormal"> He received from feedback from Markus Sabadello on recovery that he is incorporating<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">DIF/OpenID Liaison Relationship<o:p></o:p></p>
<p class="MsoNormal"> Kristina reported that there was a meeting about this at DIF and that people were enthusiastic<o:p></o:p></p>
<p class="MsoNormal"> DIF needs to send a signed liaison agreement to the OIDF<o:p></o:p></p>
<p class="MsoNormal"> Balázs Némethi reached out to Don with some questions, which Mike and Nat answered<o:p></o:p></p>
<p class="MsoNormal"> Kristina has volunteered to be the liaison officer between the two organizations<o:p></o:p></p>
<p class="MsoNormal"> We should confirm that at the next executive committee call<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Other External Organizations<o:p></o:p></p>
<p class="MsoNormal"> Nat suggested that some of the W3C community groups and WGs might also be pertinent<o:p></o:p></p>
<p class="MsoNormal"> For instance, the DID WG is pertinent<o:p></o:p></p>
<p class="MsoNormal"> Mike reported that they're working towards having a Candidate Recommendation<o:p></o:p></p>
<p class="MsoNormal"> Mike is already serving as an informal information exchange conduit<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">External Related Specs<o:p></o:p></p>
<p class="MsoNormal"> ISO 24760 Basic Identity Management spec<o:p></o:p></p>
<p class="MsoNormal"> ISO 29115 Entity Authentication Assurance<o:p></o:p></p>
<p class="MsoNormal"> ISO 29003 Identity Proofing<o:p></o:p></p>
<p class="MsoNormal"> The US is working on NIST 800-63-4<o:p></o:p></p>
<p class="MsoNormal"> It's open for comments now<o:p></o:p></p>
<p class="MsoNormal"> Tom commented that 800-63-2 certifications aren't valid for 800-63-3 in healthcare<o:p></o:p></p>
<p class="MsoNormal"> EIDAS<o:p></o:p></p>
<p class="MsoNormal"> John said that EU is looking for feedback on EIDAS<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Nat is running a panel on identity at a blockchain business conference next week<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://www.bg2c.net/en_index.html">https://www.bg2c.net/en_index.html</a><o:p></o:p></p>
<p class="MsoNormal"> [BG2C Prep-Meeting]Blockchain and Identity<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Aggregated Claims Spec<o:p></o:p></p>
<p class="MsoNormal"> Nat described it as constraining the response from the resource server<o:p></o:p></p>
<p class="MsoNormal"> Like a UserInfo Endpoint V2<o:p></o:p></p>
<p class="MsoNormal"> At Identiverse, George Fletcher talked about the possibility of getting a constrained/downscoped access token<o:p></o:p></p>
<p class="MsoNormal"> George's use case was use in networks of micro-services<o:p></o:p></p>
<p class="MsoNormal"> There was a discussion on the relationship between roles and scopes<o:p></o:p></p>
<p class="MsoNormal"> Once the working group draft has been published, we'll ask for people to review it<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Use of "sub" in SIOP<o:p></o:p></p>
<p class="MsoNormal"> Tobias said that RPs use the "sub" field as a stable identifier for the party<o:p></o:p></p>
<p class="MsoNormal"> That prevents key rotation for SIOP<o:p></o:p></p>
<p class="MsoNormal"> He would still sign with the "sub_jwk" but break the linkage to the "sub" value<o:p></o:p></p>
<p class="MsoNormal"> John observed that what Tobias wants is the level of indirection we had for XRDS identifiers in OpenID 2.0<o:p></o:p></p>
<p class="MsoNormal"> The XRDS document provided a pointer to the discovery information for the IdP<o:p></o:p></p>
<p class="MsoNormal"> With XRDS you could build a multi-tenant self-issued service<o:p></o:p></p>
<p class="MsoNormal"> Tobias said that there would be an identifier that would be dereferenced to get the needed cryptographic material<o:p></o:p></p>
<p class="MsoNormal"> John said that the "sub" would be like that<o:p></o:p></p>
<p class="MsoNormal"> He said that it would be up to the SIOP whether to use an externally referenced key source or an internal one<o:p></o:p></p>
<p class="MsoNormal"> Tobias said that we could define a URI that stands for the JWK Thumbprint<o:p></o:p></p>
<p class="MsoNormal"> John said that a DID could be simply a file on a Web Server<o:p></o:p></p>
<p class="MsoNormal"> Tobias would expand the OP metadata to indicate the methods supported<o:p></o:p></p>
<p class="MsoNormal"> Mike said that he wouldn't want RPs to all have to understand DID resolution<o:p></o:p></p>
<p class="MsoNormal"> John and Tobias agreed, and had ideas about how to accomplish that<o:p></o:p></p>
<p class="MsoNormal"> Tobias plans to send his presentation deck to the working group<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open">
https://bitbucket.org/openid/connect/issues?status=new&status=open</a><o:p></o:p></p>
<p class="MsoNormal"> (The call went over time and we didn't spend any time on open issues.)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next working group call is Thursday, August 27 at 7am Pacific Time<o:p></o:p></p>
</div>
</body>
</html>