<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Hi All,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Regarding "<span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;">DHS Mobile Driver's License Response: </span><span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;">We've
 sent the OpenID Foundation's response", </span><span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;">OpenID Foundation's response has been accepted and published at </span><a href="https://www.regulations.gov/comment/DHS-2020-0028-0025" id="LPlnk141751" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;">https://www.regulations.gov/comment/DHS-2020-0028-0025</a><span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;">.</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Thank you very much to everyone who provided feedback and reviewed!</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Kindest Regards,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Kristina</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Openid-specs-ab &lt;openid-specs-ab-bounces@lists.openid.net&gt; on behalf of Mike Jones via Openid-specs-ab &lt;openid-specs-ab@lists.openid.net&gt;<br>
<b>Sent:</b> Thursday, July 29, 2021 9:26<br>
<b>To:</b> openid-specs-ab@lists.openid.net &lt;openid-specs-ab@lists.openid.net&gt;<br>
<b>Cc:</b> Mike Jones &lt;Michael.Jones@microsoft.com&gt;<br>
<b>Subject:</b> [Openid-specs-ab] Spec Call Notes 29-Jul-21</font>
<div> </div>
</div>
<style>
<!--
@font-face
        {font-family:"Cambria Math"}
@font-face
        {font-family:Calibri}
p.x_MsoNormal, li.x_MsoNormal, div.x_MsoNormal
        {margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif}
a:link, span.x_MsoHyperlink
        {color:#0563C1;
        text-decoration:underline}
span.x_EmailStyle17
        {font-family:"Calibri",sans-serif;
        color:windowtext}
.x_MsoChpDefault
        {font-family:"Calibri",sans-serif}
@page WordSection1
        {margin:1.0in 1.0in 1.0in 1.0in}
div.x_WordSection1
        {}
-->
</style>
<div lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="x_WordSection1">
<p class="x_MsoNormal">Spec Call Notes 29-Jul-21</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Mike Jones</p>
<p class="x_MsoNormal">John Bradley</p>
<p class="x_MsoNormal">Brian Campbell</p>
<p class="x_MsoNormal">David Waite (DW)</p>
<p class="x_MsoNormal">Tim Cappalli</p>
<p class="x_MsoNormal">David Chadwick</p>
<p class="x_MsoNormal">Pamela Dingle</p>
<p class="x_MsoNormal">Tom Jones</p>
<p class="x_MsoNormal">Pamela Dingle</p>
<p class="x_MsoNormal">Bjorn Hjelm</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Events</p>
<p class="x_MsoNormal">              OpenID Workshop at EIC in Munich, Monday, September 13, 2021</p>
<p class="x_MsoNormal">                       <a href="https://www.kuppingercole.com/events/eic2021">https://www.kuppingercole.com/events/eic2021</a></p>
<p class="x_MsoNormal">              W3C Federated Identity Community Group</p>
<p class="x_MsoNormal">                           <a href="https://www.w3.org/community/fed-id/">https://www.w3.org/community/fed-id/</a></p>
<p class="x_MsoNormal">                           Tim reported that the first meeting is on August 2nd at Noon Eastern time</p>
<p class="x_MsoNormal">                           We have terminated the series of special Browser Interaction calls, as the discussion has moved to the CG</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Related Working Groups</p>
<p class="x_MsoNormal">              Bjorn reported on MODRNA</p>
<p class="x_MsoNormal">                           They've gone through open issues in the Authentication Profile</p>
<p class="x_MsoNormal">                           They're addressing incoming CIBA Core comments</p>
<p class="x_MsoNormal">                           CIBA Core is in review for Final status</p>
<p class="x_MsoNormal">                           Brazil Open Banking is using FAPI CIBA as part of their deployment</p>
<p class="x_MsoNormal">              Brian reported on FAPI</p>
<p class="x_MsoNormal">                           The 1.0 profiles are final</p>
<p class="x_MsoNormal">                           There's debate about the scope of the 2.0 work</p>
<p class="x_MsoNormal">                           It might be restricted to being a security profile</p>
<p class="x_MsoNormal">                           Or it could become a larger suite of specifications, including for consent and rich authorization</p>
<p class="x_MsoNormal">                           Intent lodging is part of what's being considered</p>
<p class="x_MsoNormal">                           There's a FAQ on the relationship between FAPI 1.0 and FAPI 2.0</p>
<p class="x_MsoNormal">                                         <a href="https://openid.net/wg/fapi/faq/">https://openid.net/wg/fapi/faq/</a></p>
<p class="x_MsoNormal">                           Pushed Authorization Requests (PAR) and PKCE are being used by FAPI 2.0</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">External Organizations</p>
<p class="x_MsoNormal">              DHS Mobile Driver's License Response</p>
<p class="x_MsoNormal">                           We've sent the OpenID Foundation's response</p>
<p class="x_MsoNormal">              DIF work on using Presentation Exchange in OpenID Connect for Verifiable Presentations</p>
<p class="x_MsoNormal">                           Pam reported on negotiations for PE subsetting for use by OpenID</p>
<p class="x_MsoNormal">                           DW has been active on GitHub</p>
<p class="x_MsoNormal">                           The editors of both specs plan to report back on August 4th</p>
<p class="x_MsoNormal">                                         <a href="https://us02web.zoom.us/j/86386603919?pwd=bUdYbGpDb01DR0d0elEwMmticUs2QT09">https://us02web.zoom.us/j/86386603919?pwd=bUdYbGpDb01DR0d0elEwMmticUs2QT09</a></p>
<p class="x_MsoNormal">              SCIM BoF</p>
<p class="x_MsoNormal">                           There's a SCIM BoF at IETF today at 1:30 Pacific Time</p>
<p class="x_MsoNormal">                                         <a href="https://datatracker.ietf.org/group/sins/about/">https://datatracker.ietf.org/group/sins/about/</a></p>
<p class="x_MsoNormal">                           The goal is rechartering the SCIM WG to help increase adoption and clean things up</p>
<p class="x_MsoNormal">              Kantara Privacy and Identity Report for the mobile driver's license was published</p>
<p class="x_MsoNormal">                            <a href="https://kantarainitiative.org/download/pimdl-v1-final/">https://kantarainitiative.org/download/pimdl-v1-final/</a></p>
<p class="x_MsoNormal">                           Tom reported that states and provinces are using different flows with different properties</p>
<p class="x_MsoNormal">                                         For instance, in Colorado, a QR code can be released enabling queries to the Department of Licensing</p>
<p class="x_MsoNormal">                                         Revocation of the privilege versus revocation of the certificate are different</p>
<p class="x_MsoNormal">                           Other kinds of digital IDs are also being issued</p>
<p class="x_MsoNormal">                                         Fishing licenses, hairdresser licenses, etc.</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Open Pull Requests</p>
<p class="x_MsoNormal">              <a href="https://bitbucket.org/openid/connect/pull-requests/">https://bitbucket.org/openid/connect/pull-requests/</a></p>
<p class="x_MsoNormal">              We didn't get to Pull Requests</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Open Issues</p>
<p class="x_MsoNormal">              <a href="https://bitbucket.org/openid/connect/issues?status=new&amp;status=open">https://bitbucket.org/openid/connect/issues?status=new&amp;status=open</a></p>
<p class="x_MsoNormal">              #1273: Mitigating security risk by using WebAuthn in cross-device SIOP</p>
<p class="x_MsoNormal">                           John spoke to the proposal</p>
<p class="x_MsoNormal">                           The QR code approach is easily phishable</p>
<p class="x_MsoNormal">                           An ephemeral WebAuthn credential could be part of the solution</p>
<p class="x_MsoNormal">                           The FIDO credential could be in the SIOP ID Token JWT to tie the two transactions together</p>
<p class="x_MsoNormal">                           CIBA has similar problems</p>
<p class="x_MsoNormal">                           The OAuth Device Flow doesn't have these problems because the device (your TV, etc.) is trusted</p>
<p class="x_MsoNormal">                           Tim proposed meeting to produce a sequence diagram for this solution</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Next Call</p>
<p class="x_MsoNormal">              Monday, August 2 at 4pm Pacific Time</p>
</div>
</div>
</body>
</html>