<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Spec Call Notes 29-Jul-21<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">John Bradley<o:p></o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal">David Waite (DW)<o:p></o:p></p>
<p class="MsoNormal">Tim Cappalli<o:p></o:p></p>
<p class="MsoNormal">David Chadwick<o:p></o:p></p>
<p class="MsoNormal">Pamela Dingle<o:p></o:p></p>
<p class="MsoNormal">Tom Jones<o:p></o:p></p>
<p class="MsoNormal">Pamela Dingle<o:p></o:p></p>
<p class="MsoNormal">Bjorn Hjelm<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Events<o:p></o:p></p>
<p class="MsoNormal"> OpenID Workshop at EIC in Munich, Monday, September 13, 2021<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://www.kuppingercole.com/events/eic2021">
https://www.kuppingercole.com/events/eic2021</a><o:p></o:p></p>
<p class="MsoNormal"> W3C Federated Identity Community Group<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://www.w3.org/community/fed-id/">
https://www.w3.org/community/fed-id/</a><o:p></o:p></p>
<p class="MsoNormal"> Tim reported that the first meeting is on August 2nd at Noon Eastern time<o:p></o:p></p>
<p class="MsoNormal"> We have terminated the series of special Browser Interaction calls, as the discussion has moved to the CG<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Related Working Groups<o:p></o:p></p>
<p class="MsoNormal"> Bjorn reported on MODRNA<o:p></o:p></p>
<p class="MsoNormal"> They've gone through open issues in the Authentication Profile<o:p></o:p></p>
<p class="MsoNormal"> They're addressing incoming CIBA Core comments<o:p></o:p></p>
<p class="MsoNormal"> CIBA Core is in review for Final status<o:p></o:p></p>
<p class="MsoNormal"> Brazil Open Banking is using FAPI CIBA as part of their deployment<o:p></o:p></p>
<p class="MsoNormal"> Brian reported on FAPI<o:p></o:p></p>
<p class="MsoNormal"> The 1.0 profiles are final<o:p></o:p></p>
<p class="MsoNormal"> There's debate about the scope of the 2.0 work<o:p></o:p></p>
<p class="MsoNormal"> It might be restricted to being a security profile<o:p></o:p></p>
<p class="MsoNormal"> Or it could become a larger suite of specifications, including for consent and rich authorization<o:p></o:p></p>
<p class="MsoNormal"> Intent lodging is part of what's being considered<o:p></o:p></p>
<p class="MsoNormal"> There's a FAQ on the relationship between FAPI 1.0 and FAPI 2.0<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://openid.net/wg/fapi/faq/">
https://openid.net/wg/fapi/faq/</a><o:p></o:p></p>
<p class="MsoNormal"> Pushed Authorization Requests (PAR) and PKCE are being used by FAPI 2.0<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">External Organizations<o:p></o:p></p>
<p class="MsoNormal"> DHS Mobile Driver's License Response<o:p></o:p></p>
<p class="MsoNormal"> We've sent the OpenID Foundation's response<o:p></o:p></p>
<p class="MsoNormal"> DIF work on using Presentation Exchange in OpenID Connect for Verifiable Presentations<o:p></o:p></p>
<p class="MsoNormal"> Pam reported on negotiations for PE subsetting for use by OpenID<o:p></o:p></p>
<p class="MsoNormal"> DW has been active on GitHub<o:p></o:p></p>
<p class="MsoNormal"> The editors of both specs plan to report back on August 4th<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://us02web.zoom.us/j/86386603919?pwd=bUdYbGpDb01DR0d0elEwMmticUs2QT09">
https://us02web.zoom.us/j/86386603919?pwd=bUdYbGpDb01DR0d0elEwMmticUs2QT09</a><o:p></o:p></p>
<p class="MsoNormal"> SCIM BoF<o:p></o:p></p>
<p class="MsoNormal"> There's a SCIM BoF at IETF today at 1:30 Pacific Time<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://datatracker.ietf.org/group/sins/about/">
https://datatracker.ietf.org/group/sins/about/</a><o:p></o:p></p>
<p class="MsoNormal"> The goal is rechartering the SCIM WG to help increase adoption and clean things up<o:p></o:p></p>
<p class="MsoNormal"> Kantara Privacy and Identity Report for the mobile driver's license was published<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://kantarainitiative.org/download/pimdl-v1-final/">
https://kantarainitiative.org/download/pimdl-v1-final/</a><o:p></o:p></p>
<p class="MsoNormal"> Tom reported that states and provinces are using different flows with different properties<o:p></o:p></p>
<p class="MsoNormal"> For instance, in Colorado, a QR code can be released enabling queries to the Department of Licensing<o:p></o:p></p>
<p class="MsoNormal"> Revocation of the privilege versus revocation of the certificate are different<o:p></o:p></p>
<p class="MsoNormal"> Other kinds of digital IDs are also being issues<o:p></o:p></p>
<p class="MsoNormal"> Fishing licenses, hairdresser licenses, etc.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Pull Requests<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/">
https://bitbucket.org/openid/connect/pull-requests/</a><o:p></o:p></p>
<p class="MsoNormal"> We didn't get to Pull Requests<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open">
https://bitbucket.org/openid/connect/issues?status=new&status=open</a><o:p></o:p></p>
<p class="MsoNormal"> #1273: Mitigating security risk by using WebAuthn in cross-device SIOP<o:p></o:p></p>
<p class="MsoNormal"> John spoke to the proposal<o:p></o:p></p>
<p class="MsoNormal"> The QR code approach is easily phishable<o:p></o:p></p>
<p class="MsoNormal"> An ephemeral WebAuthn credential could be part of the solution<o:p></o:p></p>
<p class="MsoNormal"> The FIDO credential could be in the SIOP ID Token JWT to tie the two transactions together<o:p></o:p></p>
<p class="MsoNormal"> CIBA has similar problems<o:p></o:p></p>
<p class="MsoNormal"> The OAuth Device Flow doesn't have these problems because the device (your TV, etc.) is trusted<o:p></o:p></p>
<p class="MsoNormal"> Tim proposed meeting to produce a sequence diagram for this solution<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> Monday, August 2 at 4pm Pacific Time<o:p></o:p></p>
</div>
</body>
</html>