<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Spec Call Notes 17-Jun-21<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Tom Jones<o:p></o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">Tim Cappalli<o:p></o:p></p>
<p class="MsoNormal">Kristina Yasuda<o:p></o:p></p>
<p class="MsoNormal">Anthony Nadalin<o:p></o:p></p>
<p class="MsoNormal">Joseph Heenan<o:p></o:p></p>
<p class="MsoNormal">Tom Jones<o:p></o:p></p>
<p class="MsoNormal">Mark Haine<o:p></o:p></p>
<p class="MsoNormal">Adam Lemmon<o:p></o:p></p>
<p class="MsoNormal">John Bradley<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Events<o:p></o:p></p>
<p class="MsoNormal"> Identiverse<o:p></o:p></p>
<p class="MsoNormal"> Joseph is doing a talk on best practices for OAuth 2.0 and OpenID Connect mobile applications<o:p></o:p></p>
<p class="MsoNormal"> Kristina is doing a SIOP panel with Nat and Kim and Tobias<o:p></o:p></p>
<p class="MsoNormal"> Vittorio is doing a presentation on Browser Interactions<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://identiverse.com/idv2021/session/SES17LPY80SAWHL8K/">
https://identiverse.com/idv2021/session/SES17LPY80SAWHL8K/</a> - "Identity and Web Browsers: Next-Generation API"<o:p></o:p></p>
<p class="MsoNormal"> George is doing a presentation on Dynamic Client Registration at scale<o:p></o:p></p>
<p class="MsoNormal"> Nat is doing the presentation Seven Principles of Digital Being<o:p></o:p></p>
<p class="MsoNormal"> Applied Cryptography and Network Security Conference<o:p></o:p></p>
<p class="MsoNormal"> Nat will be doing a talk on cryptographic security<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://identiverse.com/idv2021/session/SEST6B73DDZG8MW3P/">
https://identiverse.com/idv2021/session/SEST6B73DDZG8MW3P/</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">DHS Response<o:p></o:p></p>
<p class="MsoNormal"> The response deadline was extended into July<o:p></o:p></p>
<p class="MsoNormal"> We will set a deadline for comments by the end of June<o:p></o:p></p>
<p class="MsoNormal"> We are answering only the questions in the RFI that are pertinent to OpenID<o:p></o:p></p>
<p class="MsoNormal"> Kristina will make sure that the question being answered is clearly identified<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Liaisons<o:p></o:p></p>
<p class="MsoNormal"> DIF<o:p></o:p></p>
<p class="MsoNormal"> The Wallet Security WG charter has been approved<o:p></o:p></p>
<p class="MsoNormal"> Use of SIOP is in scope<o:p></o:p></p>
<p class="MsoNormal"> Apparently the German government is interested in secure wallet specifications<o:p></o:p></p>
<p class="MsoNormal"> Nat said that if key management or bearer tokens are involved, the wallet needs to be secure<o:p></o:p></p>
<p class="MsoNormal"> Tom said that Kantara is also doing work on secure wallets<o:p></o:p></p>
<p class="MsoNormal"> Tom said that wallets may sign proof of proof of presence of human beings<o:p></o:p></p>
<p class="MsoNormal"> John said that wallets singing things for themselves is essentially meaningless<o:p></o:p></p>
<p class="MsoNormal"> You need a higher-level statement of trust from the operating system, etc.<o:p></o:p></p>
<p class="MsoNormal"> Kristina said that key management and signing by the wallet is in scope<o:p></o:p></p>
<p class="MsoNormal"> Backup and recovery is in scope<o:p></o:p></p>
<p class="MsoNormal"> Nat said that remote attestation can be used to identify a true wallet<o:p></o:p></p>
<p class="MsoNormal"> John said that there can be attestations that you're talking to the right wallet binary<o:p></o:p></p>
<p class="MsoNormal"> John said that there might also be attestations for particular keys<o:p></o:p></p>
<p class="MsoNormal"> For instance, Android attestations, SafetyNet, iOS is App Attest, etc.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> eKYC-IDA<o:p></o:p></p>
<p class="MsoNormal"> There's a proposal for new EIDAS specifications<o:p></o:p></p>
<p class="MsoNormal"> Mark Haine said that EIDAS services have been successful but EIDs were a failure<o:p></o:p></p>
<p class="MsoNormal"> There's a proposal to make EID certification based - like EIDAS services were<o:p></o:p></p>
<p class="MsoNormal"> Stephane Mouy gave a presentation on the new EIDAS proposals<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Federation Specification<o:p></o:p></p>
<p class="MsoNormal"> The current draft is <a href="https://openid.net/specs/openid-connect-federation-1_0-16.html">
https://openid.net/specs/openid-connect-federation-1_0-16.html</a><o:p></o:p></p>
<p class="MsoNormal"> Torsten submitted a review<o:p></o:p></p>
<p class="MsoNormal"> We're hoping for a few more internal reviews before starting the Implementer's Draft review<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Certification Update<o:p></o:p></p>
<p class="MsoNormal"> Joseph said there isn't much to report on the Connect side<o:p></o:p></p>
<p class="MsoNormal"> The extra tests for additional assertion audiences aren't in place yet<o:p></o:p></p>
<p class="MsoNormal"> Brazil has provided directed funding to develop tests for the Brazil FAPI 1.0 profile<o:p></o:p></p>
<p class="MsoNormal"> There are also FAPI-CIBA tests for Brazil<o:p></o:p></p>
<p class="MsoNormal"> The FAPI-CIBA RP tests are entirely new work<o:p></o:p></p>
<p class="MsoNormal"> We're expecting ~40 certifications next month<o:p></o:p></p>
<p class="MsoNormal"> They're going into production with the 40 banks next month<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Pull Requests<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/">
https://bitbucket.org/openid/connect/pull-requests/</a><o:p></o:p></p>
<p class="MsoNormal"> PR #22 on Verifiable Presentations<o:p></o:p></p>
<p class="MsoNormal"> To be discussed on the next SIOP special call<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open">
https://bitbucket.org/openid/connect/issues?status=new&status=open</a><o:p></o:p></p>
<p class="MsoNormal"> #1227: Core 5.5 - Claims parameter requirements<o:p></o:p></p>
<p class="MsoNormal"> Mark and Tony talked about this<o:p></o:p></p>
<p class="MsoNormal"> Mark said that it's unclear whether implementations can support "id_token" but not "userinfo" or vice versa<o:p></o:p></p>
<p class="MsoNormal"> Mike agreed to review the existing text from that perspective<o:p></o:p></p>
<p class="MsoNormal"> This isn't being tested in the Certification tests<o:p></o:p></p>
<p class="MsoNormal"> Mark said that this came up in a UK Open Banking context<o:p></o:p></p>
<p class="MsoNormal"> They're using the ID Token as a detached signature mechanism<o:p></o:p></p>
<p class="MsoNormal"> They don't want to put PII in the ID Token<o:p></o:p></p>
<p class="MsoNormal"> They want the use of the UserInfo Endpoint rather than the ID Token in this case<o:p></o:p></p>
<p class="MsoNormal"> Mike said that RPs always have to be prepared for requested claims not to be provided and for unanticipated claims to be included<o:p></o:p></p>
<p class="MsoNormal"> Which claims are returned and where they are returned is already at the discretion of the OP<o:p></o:p></p>
<p class="MsoNormal"> Mark said that there's the possibility of adding additional discovery elements specifying additional behaviors<o:p></o:p></p>
<p class="MsoNormal"> #968: inconsistent treatment of id_token_hint<o:p></o:p></p>
<p class="MsoNormal"> Mike will investigate whether the existing errata edits have already addressed this issue<o:p></o:p></p>
<p class="MsoNormal"> #976: Unregistered openid2_realm and openid2_id<o:p></o:p></p>
<p class="MsoNormal"> Mike will send a note to IANA<o:p></o:p></p>
<p class="MsoNormal"> #978: URL for errata<o:p></o:p></p>
<p class="MsoNormal"> Mike will add a comment to the issue about how we're already addressing this<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next regular Connect call will be on Monday, June 21, 2021 at 4pm Pacific Time<o:p></o:p></p>
</div>
</body>
</html>