<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-2022-jp">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
David Waite</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Michael Barrett</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Pamela Dingle</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Jeremie Miller</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Anthony Nadalin</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Edmund Jay</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
John Bradley</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Ran Xing</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Brian Richer</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Kristina Yasuda</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Regrets: Mike Jones (IETF 111)</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div lang="JA" style="word-wrap:break-word">
<p class="x_x_x_x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin-top:0px; margin-bottom:0px; margin-top:0px; margin-bottom:0px; margin-top:0px; margin-bottom:0px; margin:0mm; font-size:12pt; font-family:SimSun; background:white">
<span lang="EN-US" style="font-family:"Calibri",sans-serif; color:black">- IPR reminder & introductions/re-introductions</span></p>
<p class="x_x_x_x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin-top:0px; margin-bottom:0px; margin-top:0px; margin-bottom:0px; margin-top:0px; margin-bottom:0px; margin:0mm; font-size:12pt; font-family:SimSun; background:white">
<span lang="EN-US" style="font-family:"Calibri",sans-serif; color:black">- Agenda bashing/adoption</span></p>
<p class="x_x_x_x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin-top:0px; margin-bottom:0px; margin-top:0px; margin-bottom:0px; margin-top:0px; margin-bottom:0px; margin:0mm; font-size:12pt; font-family:SimSun; background:white">
<span lang="EN-US" style="font-family:"Calibri",sans-serif; color:black">- Events/External orgs</span></p>
<ul style="">
<li><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">ISO mDL WG wants to publish a technical standard that includes SIOP by Jan 1st 2022</span></li><ul>
<li><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Preliminary deadline set to publish a technical standard on "over-the-internet" transport between the mID app (SIOP) and the mID reader (RP) by Jan 1st 2022</span></li><li><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">SIOP is already included in the relevant text and is expected to be part of the final technical standard</span></li><li><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Having all outstanding issues solved in SIOP V2 and potentially having a few implementations by Jan 1st 2022 would be important, though we would not want to be bound by this timeline</span></li><li><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Need to agree on the priority for solving outstanding issues: cross-device SIOP security considerations (potentially mitigated in the mID model by the exchange of the "engagement data" prior to sending the request), client_id in SIOP, iss=self-issued.me, anything else?</span></li></ul>
<li style=""><span lang="EN-US" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">DIF Interop WG electe</span><span lang="EN-US" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">d </span><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">DW
 as a chair</span><br>
</li><li style=""><span lang="EN-US" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">IETF111 GNAP WG d</span><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">iscussed
 about the interoperability with vc-http-api and GNAP</span></li><ul>
<li style=""><span lang="EN-US" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">No overlap with SIOP because in GNAP, AS is always hosted (ie cannot be on a user's device)</span></li></ul>
<li style=""><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Next DIF Presentation Exchange/OIDF WG call
</span><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">on Aug. 4th</span></li><ul>
<li style=""><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">everyone encouraged to comment on the issues in PE Github and Bitbucket to help editors make decisions until than</span></li></ul>
</ul>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin-top:0px; margin-bottom:0px; margin-top:0px; margin-bottom:0px; margin-top:0px; margin-bottom:0px; margin:0mm; background-image:initial; background-position:initial; background-size:initial; background-repeat:initial; background-attachment:initial; background-origin:initial; background-clip:initial">
<span style="color:rgb(0,0,0); font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt">- Issues </span></p>
<ul type="disc" style="margin-bottom:0mm">
<li style="margin:0mm; background-image:initial; background-position:initial; background-size:initial; background-repeat:initial; background-attachment:initial; background-origin:initial; background-clip:initial">
<span style=""><span lang="EN-US" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">SIOP</span></span><span lang="EN-US" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)"> V</span><span lang="EN-US" style="color:black; font-family:Calibri,sans-serif; font-size:12pt; background-color:white">2</span></li><ul>
<li style="margin:0mm; background-image:initial; background-position:initial; background-size:initial; background-repeat:initial; background-attachment:initial; background-origin:initial; background-clip:initial">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)"><span style="font-family:Calibri,sans-serif; background-color:rgb(255,255,255); display:inline!important">Security Considerations: <a href="https://bitbucket.org/openid/connect/issues/1269/add-security-considerations-for-cross" id="LPlnk">https://bitbucket.org/openid/connect/issues/1269/add-security-considerations-for-cross</a></span></span></li><ul>
<li style="margin:0mm; background-image:initial; background-position:initial; background-size:initial; background-repeat:initial; background-attachment:initial; background-origin:initial; background-clip:initial">
John described a 'session phishing' attack caused by the lack of channel binding, where your credential is not phished but your session has been hijacked. A session can be verified and the RP trusts it, but it is a MITM presenting a credential that belongs to someone else</li><li style="margin:0mm; background-image:initial; background-position:initial; background-size:initial; background-repeat:initial; background-attachment:initial; background-origin:initial; background-clip:initial">
We discussed mitigations for the session phishing attack</li><ul>
<li style="margin:0mm; background-image:initial; background-position:initial; background-size:initial; background-repeat:initial; background-attachment:initial; background-origin:initial; background-clip:initial">
A cryptographic signature on the Verifiable Presentation does not help because there is still no cryptographic proof in the access channel</li><li style="margin:0mm; background-image:initial; background-position:initial; background-size:initial; background-repeat:initial; background-attachment:initial; background-origin:initial; background-clip:initial">
Encryption also does not help. John said that even some binding is still problematic if it is unidirectional: the SIOP can read a QR code but has no way to verify it. You can sign/encrypt a QR code, but that does not prevent it being placed on a different website.</li><li style="margin:0mm; background-image:initial; background-position:initial; background-size:initial; background-repeat:initial; background-attachment:initial; background-origin:initial; background-clip:initial">
Redirecting to the website on the device (rather than on a desktop) does not work either, because if there is malware, the reverse proxy will be the one to get the redirect and it can modify/process it.</li><ul>
<li style="margin:0mm; background-image:initial; background-position:initial; background-size:initial; background-repeat:initial; background-attachment:initial; background-origin:initial; background-clip:initial">
Modern MITM where a browser in the cloud is controlled by the malware company</li></ul>
<li style="margin:0mm; background-image:initial; background-position:initial; background-size:initial; background-repeat:initial; background-attachment:initial; background-origin:initial; background-clip:initial">
Having the user authenticate at the browser using a usual OIDC flow, setting a signed cookie tying the userID, the browser and the RP, then starting a SIOP flow and having the SIOP include the userID in the SIOP response for the RP to validate is a potential mitigation, but it does not work if the initial cookie is tied to a malicious website; and with the introduction of the cross-device flow, there might be more incentive for such impersonation prior to the SIOP flow. </li></ul>
<li style="margin:0mm; background-image:initial; background-position:initial; background-size:initial; background-repeat:initial; background-attachment:initial; background-origin:initial; background-clip:initial">
We identified that the problem is not in the QR code but in the fact that the channel binding is unidirectional and the SIOP has no idea which origin is presenting the QR code.</li><ul>
<li style="margin:0mm; background-image:initial; background-position:initial; background-size:initial; background-repeat:initial; background-attachment:initial; background-origin:initial; background-clip:initial">
John's prior work on secure session transfer</li><li style="margin:0mm; background-image:initial; background-position:initial; background-size:initial; background-repeat:initial; background-attachment:initial; background-origin:initial; background-clip:initial">
This is the reason why, in payments, backchannel authn works off trusted payment terminals (trusted meaning not running JavaScript or displaying HTML)</li><li style="margin:0mm; background-image:initial; background-position:initial; background-size:initial; background-repeat:initial; background-attachment:initial; background-origin:initial; background-clip:initial">
The consumption browser would need modifications to display only the QR codes that match the origin of the website itself</li></ul>
<li style="margin:0mm">John pointed out that the core question is how do you trust the browser on the consumption device (RP)</li><ul>
<li style="margin:0mm">The only secure mitigation John has been thinking of is: wallet on the consumption device creates a WebAuthn credential, uses it for re-authentication at the consumption device</li><li style="margin:0mm">RP would have an audience restriction of the FIDO assertion to prevent MITM</li><li style="margin:0mm">key could be on a security key (or in the platform authenticator on the phone and used via CABLE) - for those interested, new version of CABLE uses a local QR code, exchanges crypto seed, and continues to pairing over Bluetooth to create
 a secure channel between the browser and the phone.</li></ul>
<li style="margin:0mm">Jeremie suggested that the best way to address this attack is to state that in SIOP V2, backchannel authentication must not be used and only WebAuthn must be used for the session creation</li><ul>
<li style="margin:0mm">John agreed and pointed out that a way to make easy the creation of a WebAuthn credential that is tied to the VP going to the RP is needed - </li><li style="margin:0mm">Action item to start writing such document - Kristina opened a related issue</li></ul>
</ul>
</ul>
</ul>
<ul type="disc" style="margin-bottom:0mm">
<ul>
<ul>
<li style="margin:0mm">Related conversations</li><ul>
<li style="margin:0mm">DW mentioned that the requirement becomes that two separate devices need to have a "multi-directional" relationship to make a channel binding work</li><ul>
<li style="margin:0mm">With FIDO, browser handling the network traffic is also responsible for talking to WebAuthn/CTAP-based authenticator</li></ul>
<li style="margin:0mm">Related question: How do you re-authenticate to the same website using various devices (presenting the same credentials)?</li><ul>
<li style="margin:0mm">putting wallet on everysingle device sounds impractical</li></ul>
<li style="margin:0mm">Pam pointed out that this is not really a new problem... Old problem being revived </li><li style="margin:0mm">John explained how these concerns did not stop OAuth Device Flow because it is TV that sends you to a place for authentication and you trust the TV.</li></ul>
</ul>
<li style="margin:0mm">successful client registation response: <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbitbucket.org%2Fopenid%2Fconnect%2Fissues%2F1267%2Fsuccessful-client-registration-response&data=04%7C01%7CKristina.Yasuda%40microsoft.com%7C53f1573ae4cd44efe6e708d94cd18751%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637625285115894941%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=9MSX0LrKPsCmcs5a2jBqYw2d0btXx1kbfOOeiP2ZZJY%3D&reserved=0" shash="WjDNFV0qqkjb7AKIKtaKwqlvR5Eg8yBzciTjiHjx5uYiemc3cfFZshEnPKOskoJHHD1UBn/JIOvgxIXuf9D4HV6cUnURuMCJRq0zoipZvGOON7CnEXZu80k/hR0/3Szep4EhNV7xmYJOJvGcKJE1icfiPhzGdRwxoYc2n3nVqyc=" style="margin:0px"><span style="margin:0px;font-size:12pt;font-family:Calibri, Arial, Helvetica, sans-serif">https://bitbucket.org/openid/connect/issues/1267/successful-client-registration-response</span></a></li><ul>
<li style="margin:0mm"><span style="margin:0px;font-size:12pt;font-family:Calibri, Arial, Helvetica, sans-serif">John to take a look if this original SIOP text is still relevant</span></li></ul>
<li style="margin:0mm">Resolved #1203 and #1262 by the merge of PR #35</li></ul>
</ul>
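<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Added illustration of the cross-device relay ('session phishing') attack and of the WebAuthn mitigation discussed under the security considerations issue above. This is not code from the WG, the SIOP V2 draft or any wallet; all of it is constructed for this example: HMAC-SHA256 with fixed keys stands in for the holder's VP signature and for the FIDO authenticator signature, requests and responses are plain dicts, and the origins, session ids and the RP/Wallet/browser_webauthn names are hypothetical. It shows that signature, audience and nonce checks on the VP all pass when the attacker re-displays an unmodified QR code on another site, while an assertion whose origin is filled in by the browser fails the RP's audience restriction.
</div>

```python
"""Cross-device SIOP relay ('session phishing') simulation.

Added illustration; not code from the OpenID Connect WG, the SIOP V2 draft
or any wallet. Constructed assumptions: HMAC-SHA256 with fixed keys stands in
for the holder's VP signature and the WebAuthn authenticator signature,
requests/responses are plain dicts, and origins/session ids are strings.
"""
import hashlib
import hmac
import json
import secrets

HOLDER_KEY = b"constructed-holder-key"           # stands in for the wallet's private key
AUTHENTICATOR_KEY = b"constructed-webauthn-key"  # stands in for the FIDO credential key


def sign(key: bytes, payload: dict) -> str:
    """Toy signature: HMAC over canonical JSON (constructed stand-in)."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)


class RP:
    """Relying party: starts a cross-device SIOP flow per browser session."""

    def __init__(self, origin: str):
        self.origin = origin
        self.sessions = {}  # browser session id -> nonce shown in that session's QR

    def start(self, session_id: str) -> dict:
        nonce = secrets.token_hex(8)
        self.sessions[session_id] = nonce
        return {"client_id": self.origin, "nonce": nonce}  # the QR code contents

    def verify_vp(self, session_id: str, response: dict) -> bool:
        """Checks the RP can do on the VP alone: signature, audience, nonce."""
        vp = response["vp"]
        return (verify(HOLDER_KEY, vp, response["sig"])
                and vp["aud"] == self.origin
                and vp["nonce"] == self.sessions[session_id])

    def verify_vp_and_webauthn(self, session_id: str, response: dict, assertion: dict) -> bool:
        """Additionally require a WebAuthn assertion whose origin is this RP."""
        cd = assertion["client_data"]
        return (self.verify_vp(session_id, response)
                and verify(AUTHENTICATOR_KEY, cd, assertion["sig"])
                and cd["origin"] == self.origin                 # audience restriction
                and cd["challenge"] == self.sessions[session_id])


class Wallet:
    """Holder's SIOP wallet on the phone: signs whatever request it scans."""

    def present(self, request: dict) -> dict:
        vp = {"holder": "alice", "aud": request["client_id"], "nonce": request["nonce"]}
        return {"vp": vp, "sig": sign(HOLDER_KEY, vp)}


def browser_webauthn(origin_seen: str, challenge: str) -> dict:
    """Browser-mediated WebAuthn: the browser, not the page, fills in the
    origin of the page that asked for the assertion."""
    client_data = {"origin": origin_seen, "challenge": challenge}
    return {"client_data": client_data, "sig": sign(AUTHENTICATOR_KEY, client_data)}


RP_ORIGIN = "https://rp.example"      # constructed
EVIL_ORIGIN = "https://evil.example"  # constructed


def honest_flow(with_webauthn: bool) -> bool:
    """Alice scans the QR shown on rp.example in her own browser session."""
    rp, wallet = RP(RP_ORIGIN), Wallet()
    req = rp.start("alice-session")
    resp = wallet.present(req)
    if not with_webauthn:
        return rp.verify_vp("alice-session", resp)
    assertion = browser_webauthn(RP_ORIGIN, req["nonce"])
    return rp.verify_vp_and_webauthn("alice-session", resp, assertion)


def relayed_flow(with_webauthn: bool) -> bool:
    """Attacker opens a session at rp.example and re-displays the unmodified QR
    on evil.example; Alice scans it there. Returns True if the attacker's
    session is accepted by the RP."""
    rp, wallet = RP(RP_ORIGIN), Wallet()
    req = rp.start("attacker-session")   # QR is aud-bound to rp.example, unchanged
    resp = wallet.present(req)           # the wallet cannot see which origin showed it
    if not with_webauthn:
        return rp.verify_vp("attacker-session", resp)
    # Alice's browser is on evil.example, so its assertion names that origin
    assertion = browser_webauthn(EVIL_ORIGIN, req["nonce"])
    return rp.verify_vp_and_webauthn("attacker-session", resp, assertion)


if __name__ == "__main__":
    print("honest, VP only:", honest_flow(False))
    print("relayed, VP only:", relayed_flow(False))
    print("honest, VP + WebAuthn:", honest_flow(True))
    print("relayed, VP + WebAuthn:", relayed_flow(True))
```

<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
The relayed VP-only flow is accepted because nothing in the QR code or the VP identifies the origin that displayed it; the relayed flow with the origin-bound assertion is rejected because the browser that Alice is actually using reports evil.example, which the RP compares against its own origin. In real WebAuthn the authenticator signs over a hash of clientDataJSON that the browser produces, which is what the HMAC over client_data stands in for here.
</div>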
<div><br>
</div>
<p class="x_x_x_x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin-top:0px; margin-bottom:0px; margin-top:0px; margin-bottom:0px; margin-top:0px; margin-bottom:0px; margin:0mm; font-size:12pt; font-family:SimSun; background:white">
<span lang="EN-US" style="font-family:"Calibri",sans-serif; color:black">Thank you!</span></p>
<p class="x_x_x_x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin-top:0px; margin-bottom:0px; margin-top:0px; margin-bottom:0px; margin-top:0px; margin-bottom:0px; margin:0mm; font-size:12pt; font-family:SimSun">
<span lang="EN-US" style="font-family:"Calibri",sans-serif; color:black">Kristina</span><span lang="EN-US" style="font-size:11.0pt; font-family:"Noto Sans CJK JP Medium",sans-serif; color:#4472C4"></span></p>
</div>
</div>
</div>
</div>
</body>
</html>