<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#002060;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#002060">Correction: The OpenID Foundation Virtual Workshop will be Wednesday, October 28, 2020 at 9am PT/12pm ET/4pm UTC. The date cited below was incorrect.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"> -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Mike Jones <br>
<b>Sent:</b> Thursday, August 27, 2020 11:14 AM<br>
<b>To:</b> openid-specs-ab@lists.openid.net<br>
<b>Subject:</b> Spec Call Notes 27-Aug-20<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Spec Call Notes 27-Aug-20<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal">Tim Cappalli<o:p></o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Oliver Terbu<o:p></o:p></p>
<p class="MsoNormal">Tom Jones<o:p></o:p></p>
<p class="MsoNormal">Kristina Yasuda<o:p></o:p></p>
<p class="MsoNormal">George Fletcher<o:p></o:p></p>
<p class="MsoNormal">Markus Sabadello<o:p></o:p></p>
<p class="MsoNormal">Bjorn Hjelm<o:p></o:p></p>
<p class="MsoNormal">Joseph Heenan<o:p></o:p></p>
<p class="MsoNormal">John Bradley<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">logout_hint Proposal<o:p></o:p></p>
<p class="MsoNormal"> Issue #1182 - Add logout_hint parameter to RP-Initiated Logout request<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues/1182/add-logout_hint-parameter-to-rp-initiated">
https://bitbucket.org/openid/connect/issues/1182/add-logout_hint-parameter-to-rp-initiated</a><o:p></o:p></p>
<p class="MsoNormal"> Mike gave background in the issue<o:p></o:p></p>
<p class="MsoNormal"> George observed that the login_hint is truly a hint, whereas logout_hint might not be<o:p></o:p></p>
<p class="MsoNormal"> Mike reminded people that OPs are expected to ask the user if they really want to log out<o:p></o:p></p>
<p class="MsoNormal"> Mike reminded people that it's legal to request a logout without any user selection parameters<o:p></o:p></p>
<p class="MsoNormal"> George doesn't see much danger in adding additional user selection parameters if there's user interaction involved<o:p></o:p></p>
<p class="MsoNormal"> Mike thinks that adding logout_hint and sid parameters would be fine session selection inputs<o:p></o:p></p>
<p class="MsoNormal"> Post-logout redirection should only happen to RPs that have recently been logged in and to registered post_logout_redirect_uri values<o:p></o:p></p>
<p class="MsoNormal"> Mike said that client_id doesn't help for user selection, whereas sid does<o:p></o:p></p>
<p class="MsoNormal"> John said that we haven't said that sids can't be specific to particular client_ids<o:p></o:p></p>
<p class="MsoNormal"> Mike said we're already requiring them to be unique within the OP in Backchannel Logout<o:p></o:p></p>
<p class="MsoNormal"> John said we should say that elsewhere where relevant<o:p></o:p></p>
<p class="MsoNormal"> Mike will add the sense of the discussion on this call to the issue<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Aggregated Claims Draft<o:p></o:p></p>
<p class="MsoNormal"> The adopted draft hasn't been posted yet<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OpenID Virtual Workshop, Monday, October 19th<o:p></o:p></p>
<p class="MsoNormal"> It will be prior to the virtual IIW<o:p></o:p></p>
<p class="MsoNormal"> Topics scheduled include working group, federation, and certification updates<o:p></o:p></p>
<p class="MsoNormal"> The group thought that we should add a SIOP update to the agenda<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Certification<o:p></o:p></p>
<p class="MsoNormal"> We are on track to decommission the Python-based testing suite at the end of the month<o:p></o:p></p>
<p class="MsoNormal"> We've sent notices about this to mailing lists and those who have certified in the past<o:p></o:p></p>
<p class="MsoNormal"> We notified them that they need to wrap up their testing with it and move to the Java-based suite<o:p></o:p></p>
<p class="MsoNormal"> We will take the new suite out of pilot mode in September, after the old one is decommissioned<o:p></o:p></p>
<p class="MsoNormal"> At that point, we will resume charging for Connect certifications<o:p></o:p></p>
<p class="MsoNormal"> Joseph said that we've gotten a bunch of certification requests using the new suite in the past two weeks<o:p></o:p></p>
<p class="MsoNormal"> We have certifications for all the certification profiles except for RP Config, RP Dynamic, RP Form Post, and RP Back-Channel Logout<o:p></o:p></p>
<p class="MsoNormal"> Mike will ping Roland about trying those<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Introductions<o:p></o:p></p>
<p class="MsoNormal"> Markus Sabadello<o:p></o:p></p>
<p class="MsoNormal"> Danube Tech in Vienna, Austria<o:p></o:p></p>
<p class="MsoNormal"> Worked on OpenID for a long time, including early OpenID 2.0 implementations<o:p></o:p></p>
<p class="MsoNormal"> Active in self-sovereign identity<o:p></o:p></p>
<p class="MsoNormal"> An editor of the DID core spec in W3C<o:p></o:p></p>
<p class="MsoNormal"> A fan of Oliver's SIOP work<o:p></o:p></p>
<p class="MsoNormal"> Oliver Terbu<o:p></o:p></p>
<p class="MsoNormal"> At Consensys in Germany<o:p></o:p></p>
<p class="MsoNormal"> Active in self-sovereign identity<o:p></o:p></p>
<p class="MsoNormal"> Active in Decentralized Identity Foundation (DIF)<o:p></o:p></p>
<p class="MsoNormal"> A chair of DID Auth WG in DIF<o:p></o:p></p>
<p class="MsoNormal"> Here because this group is working on SIOP again<o:p></o:p></p>
<p class="MsoNormal"> Has proposed modifications to help use SIOP in a more efficient way<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">SIOP<o:p></o:p></p>
<p class="MsoNormal"> Mike summarized some of the discussions from the previous call for the new participants<o:p></o:p></p>
<p class="MsoNormal"> We could introduce a level of indirection, like we used to have with XRDS<o:p></o:p></p>
<p class="MsoNormal"> The indirection value could be a stable "sub" identifier for the RP to use<o:p></o:p></p>
<p class="MsoNormal"> Indirection would enable key rollover<o:p></o:p></p>
<p class="MsoNormal"> Tobias Looker had proposed using a URI as the "sub" value<o:p></o:p></p>
<p class="MsoNormal"> This URI could be a DID<o:p></o:p></p>
<p class="MsoNormal"> It could be a URL for an OpenID Federation Entity Statement<o:p></o:p></p>
<p class="MsoNormal"> We can differentiate between existing sub values and new ones because URIs have a colon in them<o:p></o:p></p>
<p class="MsoNormal"> Tom and Tobias are working on a proposal<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://github.com/KantaraInitiative/DistributedAssurance/blob/master/OpenID%20Self%20Issued%20Identifier.md">
https://github.com/KantaraInitiative/DistributedAssurance/blob/master/OpenID%20Self%20Issued%20Identifier.md</a><o:p></o:p></p>
<p class="MsoNormal"> Section 5.2 talks about Subject Identifiers<o:p></o:p></p>
<p class="MsoNormal"> Oliver: DIF proposal currently uses a different claim than "sub" for the DID<o:p></o:p></p>
<p class="MsoNormal"> Oliver: Thinks that Tobias' motivation was primarily token issuance, rather than the ID Token<o:p></o:p></p>
<p class="MsoNormal"> Oliver plans to write a document and share it with the working group to discuss on a future call<o:p></o:p></p>
<p class="MsoNormal"> George observed that Tom has a use case that requires a persistent identifier for the user<o:p></o:p></p>
<p class="MsoNormal"> George thinks that that would be better as a unique claim<o:p></o:p></p>
<p class="MsoNormal"> Tom said that in healthcare, there won't be a single identifier ever<o:p></o:p></p>
<p class="MsoNormal"> You have to go through a medical record locator process<o:p></o:p></p>
<p class="MsoNormal"> Each health identifier exchange uses a different identifier for the person<o:p></o:p></p>
<p class="MsoNormal"> In healthcare, we have to assume that we'll never have a single identifier for the person<o:p></o:p></p>
<p class="MsoNormal"> George said that it's up to the deployment what kinds of subject identifiers to use<o:p></o:p></p>
<p class="MsoNormal"> Tom discussed redirection methods<o:p></o:p></p>
<p class="MsoNormal"> If we have the level of indirection, we could specify redirection methods other than openid:// in the discovery document<o:p></o:p></p>
<p class="MsoNormal"> George asked if we want to just break the "sub" value and require it to be a URI<o:p></o:p></p>
<p class="MsoNormal"> John suggested that we could define a URI value to encode the JWK Thumbprint<o:p></o:p></p>
<p class="MsoNormal"> Tobias had suggested the same thing in a different call<o:p></o:p></p>
<p class="MsoNormal"> We should determine how much deployment there is of the existing SIOP specification<o:p></o:p></p>
<p class="MsoNormal"> Mike believes that there may be deployments in Japan<o:p></o:p></p>
<p class="MsoNormal"> John believes that Nat knows about this<o:p></o:p></p>
<p class="MsoNormal"> George pointed out that having prototypes is quite different from having production deployments at scale<o:p></o:p></p>
<p class="MsoNormal"> Tobias has the OpenID Connect Credential Provider document<o:p></o:p></p>
<p class="MsoNormal"> Tom asked others in the DID community to look at his document<o:p></o:p></p>
<p class="MsoNormal"> Tom asked if a next step was for the working group to adopt his document<o:p></o:p></p>
<p class="MsoNormal"> (We ran out of time and didn't discuss that question)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&amp;status=open">
https://bitbucket.org/openid/connect/issues?status=new&amp;status=open</a><o:p></o:p></p>
<p class="MsoNormal"> (We ran out of time so no additional open issues were discussed)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next working group call is Monday, August 31 at 4pm Pacific Time<o:p></o:p></p>
<p class="MsoNormal"> This is the call primarily devoted to SIOP issues<o:p></o:p></p>
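<p class="MsoNormal">The session-selection and post-logout-redirect rules from the logout_hint discussion, as an added OP-side example (this is not code from the notes or from any OpenID Foundation project). The session store, registered clients, and the "recently logged in" window are constructed assumptions; id_token_hint handling is left out.</p>

```python
"""Added example, not from the call notes or any OpenID Foundation code: an OP-side
sketch of the session selection and post-logout redirect rules discussed above.
Session store, registered clients and the 'recent login' window are constructed."""
from dataclasses import dataclass
from typing import List, Optional

RECENT_LOGIN_WINDOW = 8 * 3600  # assumed OP policy for "recently logged in" (seconds)


@dataclass(frozen=True)
class Session:
    sid: str         # unique within the OP, as Back-Channel Logout already requires
    sub: str
    login_hint: str  # identifier an RP may echo back as logout_hint
    client_id: str
    login_time: int  # seconds since the epoch


# Constructed data: alice has sessions at two RPs, bob has one older session.
SESSIONS = [
    Session("s-101", "u-alice", "alice@example.com", "rp-a", 1_000_000),
    Session("s-102", "u-alice", "alice@example.com", "rp-b", 1_010_000),
    Session("s-200", "u-bob", "bob@example.com", "rp-a", 900_000),
]
POST_LOGOUT_URIS = {  # registered post_logout_redirect_uri values per client
    "rp-a": {"https://rp-a.example/loggedout"},
    "rp-b": {"https://rp-b.example/bye"},
}


def select_sessions(sid: Optional[str] = None, logout_hint: Optional[str] = None,
                    sessions: List[Session] = SESSIONS) -> List[Session]:
    """Sessions a logout request refers to. sid is exact (unique per OP); logout_hint
    is only a hint and may match several; client_id is deliberately not used, since
    it does not identify a user. The OP still asks the user to confirm the logout, so
    an empty or ambiguous result just means the user picks from the full list."""
    if sid is not None:
        return [s for s in sessions if s.sid == sid]
    if logout_hint is not None:
        return [s for s in sessions if s.login_hint == logout_hint]
    return list(sessions)  # a request with no selection parameters at all is legal


def post_logout_redirect_allowed(client_id: str, redirect_uri: str, now: int,
                                 sessions: List[Session] = SESSIONS) -> bool:
    """Redirect to the RP only if the URI is registered for that client AND that
    client has a session that was logged in recently."""
    if redirect_uri not in POST_LOGOUT_URIS.get(client_id, set()):
        return False
    return any(s.client_id == client_id and 0 <= now - s.login_time <= RECENT_LOGIN_WINDOW
               for s in sessions)
```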
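<p class="MsoNormal">The SIOP "sub" discussion above (JWK Thumbprint today, a URI such as a DID or Entity Statement URL proposed, and a URI that encodes the thumbprint), as an added example that is not code from the notes or from any OpenID or DIF document. The EC key is constructed, and the urn:ietf:params:oauth:jwk-thumbprint form used for the thumbprint URI is the one later specified in RFC 9278, not something the call settled on.</p>

```python
"""Added example, not from the call notes or any OpenID/DIF document: the RFC 7638
JWK Thumbprint that today's SIOP uses as "sub", the colon test that separates it from
a URI-valued "sub", and a URI carrying a thumbprint (RFC 9278 form). Key is constructed."""
import base64
import hashlib
import json
from urllib.parse import urlparse

# RFC 7638 section 3.2: only the required public members, in lexicographic order.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"),
                    "OKP": ("crv", "kty", "x")}
THUMBPRINT_URN_PREFIX = "urn:ietf:params:oauth:jwk-thumbprint:sha-256:"

# Constructed P-256 public key (coordinates are sample base64url strings).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "alg": "ES256", "kid": "siop-key-1",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JSON of the required members)) with no padding;
    extra members such as alg/kid do not affect it, which is what makes it stable."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def thumbprint_uri(jwk: dict) -> str:
    """A URI-valued sub that still pins the key (RFC 9278 URN form)."""
    return THUMBPRINT_URN_PREFIX + jwk_thumbprint(jwk)


def classify_sub(sub: str) -> str:
    """'thumbprint' for the existing SIOP sub (base64url never contains ':');
    otherwise the URI scheme, e.g. 'did', 'https' (Entity Statement URL) or 'urn'."""
    if ":" not in sub:
        return "thumbprint"
    return urlparse(sub).scheme


def thumbprint_from_sub(sub: str) -> str:
    """Recover the bare thumbprint from either form, or raise if it is neither."""
    if classify_sub(sub) == "thumbprint":
        return sub
    if sub.startswith(THUMBPRINT_URN_PREFIX):
        return sub[len(THUMBPRINT_URN_PREFIX):]
    raise ValueError(f"not a thumbprint-based sub: {sub}")
```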
</div>
</body>
</html>