<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Nat Sakimura</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Tim Cappalli</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Michael Barrett</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Jeremie Miller</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Tom Jones</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
David Waite</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Jace Hensley</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Edmund Jay</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Brian Richer</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="background-color:rgb(255, 255, 255);display:inline !important">Kristina Yasuda</span><br>
</div>
<div id="divRplyFwdMsg" dir="ltr">
<div> </div>
</div>
<div dir="ltr">
<div style=""><span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;">- Introductions/re-introductions</span><br>
</div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div lang="JA" style="word-wrap:break-word">
<p style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin:0mm">
</p>
<ul>
<li><font face="Calibri, Arial, Helvetica, sans-serif">Jace works at Bloom, involved in a WACI spec</font></li></ul>
<p></p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin:0mm">
<span lang="EN-US" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">- Events/External orgs</span></p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin:0mm">
<span lang="EN-US" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">     <span style="background-color:rgb(255, 255, 255);display:inline !important"> - DIF Interop WG: call on WACI planned this Thursday - interop testing.
 Note that this call is NOT IPR protected, so anyone can join: </span></span><a href="https://github.com/decentralized-identity/interoperability/blob/master/agenda.md" id="LPlnk441438">https://github.com/decentralized-identity/interoperability/blob/master/agenda.md</a></p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin:0mm">
<span lang="EN-US" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">      - DIF Presentation Exchange/OIDF WG call on Wed 11th at 1PM PT</span></p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin:0mm">
<span lang="EN-US" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">      - DIF Wallet Security WG re-starting after 3 weeks of holiday break</span></p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin:0mm">
<br>
</p>
<div></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">- PRs</span><br>
</div>
<ul type="disc" style="margin-bottom:0mm; margin-top:0mm">
<li style="margin:0mm 0mm 0mm 24pt"><font color="rgba(0, 0, 0, 0)"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">SIOP V2 introduction and use-cases: </span></font><a href="https://bitbucket.org/openid/connect/pull-requests/41" id="LPlnk696300"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">https://bitbucket.org/openid/connect/pull-requests/41</span></a><br>
</li><ul>
<li style="margin:0mm 0mm 0mm 24pt"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">we agreed to merge this PR</span></li></ul>
<li style="margin:0mm 0mm 0mm 24pt"><span style="margin:0px; font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">removing vp_hash in OIDC4VP: </span><a href="https://bitbucket.org/openid/connect/pull-requests/42" id="LPlnk594806"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">https://bitbucket.org/openid/connect/pull-requests/42</span></a></li><ul>
<li style="margin:0mm 0mm 0mm 24pt"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">we agreed to give a little more time for the review</span></li></ul>
</ul>
</div>
<div lang="JA" style="word-wrap:break-word">
<p style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin:0mm">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin:0mm">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">- Discussion (great discussion; everyone is encouraged to read the notes and take a look at the diagram)</span></p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin:0mm">
</p>
<ul>
<li><span style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)"><b>Client_id in SIOP V2</b> </span><a href="https://bitbucket.org/openid/connect/issues/1272/client-identifier-in-siop-when-the-dids" style=""><span style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">https://bitbucket.org/openid/connect/issues/1272/client-identifier-in-siop-when-the-dids</span></a></li><ul>
<li style="margin:0mm"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">We discussed the proposal for how client_id can be resolved by the SIOP to obtain RP registration metadata</span></li><li style="margin:0mm"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)"><b><span style="background-color:rgb(255, 255, 255);display:inline !important">DW presented the proposal using a sequence diagram</span>: </b><a href="https://hackmd.io/@dwaite/SJRMV4jyY" style="margin:0px"><b>https://hackmd.io/@dwaite/SJRMV4jyY</b></a></span></li><ul>
<li style="margin:0mm"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Describes how to use Entity Statements defined in the OpenID Federation spec with SIOP: <a href="https://openid.net/specs/openid-connect-federation-1_0.html#rfc.section.5" style="margin:0px"><span style="margin:0px;font-size:12pt;font-family:Calibri, Arial, Helvetica, sans-serif">https://openid.net/specs/openid-connect-federation-1_0.html</span></a> (Sections 5, 6, 7, 9 are most relevant)</span></li><li style="margin:0mm"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">An Entity Statement (ES) is 1/ self-signed; 2/ can be about an RP (conventionally it has been about an OP); 3/ can have a chain of authority (supports trust frameworks and federations of parties who have agreed to certain terms, etc.), so that it allows just-in-time registration when an interaction occurs.</span></li><li style="margin:0mm"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Signed request objects are mandated for automatic registration (clarification from the OpenID Federation team pending)</span></li><li style="margin:0mm"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">The diagram would not change even if DIDs were used instead of an ES!</span></li></ul>
<li style="margin:0mm"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">The registration parameter in SIOP right now does not give authoritative metadata the way an ES would</span></li><li style="margin:0mm"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">OpenID Federation does not limit authorities to HTTPS; the identifier only needs a way to resolve to an ES and does not need to be hosted, so this would work for custom URLs or HTTPS universal links</span></li><ul>
<li style="margin:0mm"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">A minimal SIOP implementation does not need to resolve the authority_hint in the ES and walk up the trust chain</span></li></ul>
<li style="margin:0mm"><span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;">Using the Automatic Registration section of OpenID Federation and the DID Resolution section of DID Core would address comments made during the last call to be careful to clarify the expected behaviour of this new usage of client_id</span><br>
</li><li style="margin:0mm"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Issues to be filed (DW)</span></li><ul>
<li style="margin:0mm"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">1. Remove the registration parameter in SIOP V2, as it opens up a security hole, and since Automatic Registration would be a better-defined, more secure mechanism. </span></li><ul>
<li style="margin:0mm"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">The registration parameter allows the sender to declare additional redirect_uris that override the legitimate ones in the request object.</span></li></ul>
<li style="margin:0mm"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">2. SIOP metadata discovery (simplified version of OpenID Federation Metadata ES)</span></li><ul>
<li style="margin:0mm"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">no OP jwks</span><br>
</li><li style="margin:0mm"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">should be only one metadata file per SIOP</span></li></ul>
<li style="margin:0mm"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">3. Define a more abstract mechanism for resolving the subject identifier of a SIOP (currently a JWK thumbprint or a DID), inspired by the OpenID Federation ES </span></li><ul>
<li style="margin:0mm"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">with the expectation that a JWK set is available after resolution; define these as algorithms that can be used with existing crypto tools</span></li><li style="margin:0mm"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">might include Solid, OpenID Connect WebFinger, etc.?</span></li></ul>
</ul>
</ul>
</ul>
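<p style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">Added illustration of the redirect_uri point in issue 1 above (not code from the minutes, from any OpenID spec or from any working group member): a SIOP-side check that accepts only redirect_uris from metadata resolved from client_id, shown next to the weak variant that lets the self-asserted registration parameter widen the set. The resolver, the metadata table and the request are constructed assumptions.</p>

```python
"""Added example, not code from the minutes or from any OpenID spec: a
SIOP-side redirect_uri check that trusts only metadata resolved from
client_id (e.g. via an Entity Statement) and ignores extra redirect_uris
asserted in the request's `registration` parameter. All data is constructed."""

# Constructed stand-in for the result of resolving client_id to authoritative
# RP metadata; a real SIOP would fetch and verify the Entity Statement chain.
AUTHORITATIVE_RP_METADATA = {
    "https://rp.example": {"redirect_uris": ["https://rp.example/cb"]},
}


def resolve_rp_metadata(client_id):
    """Hypothetical resolver: returns the RP's authoritative metadata or None."""
    return AUTHORITATIVE_RP_METADATA.get(client_id)


def allowed_redirect_uris_weak(request_object):
    """Flawed logic matching the hole discussed in the minutes: the self-asserted
    `registration` parameter is allowed to add redirect_uris."""
    meta = resolve_rp_metadata(request_object.get("client_id", "")) or {}
    uris = set(meta.get("redirect_uris", []))
    uris.update(request_object.get("registration", {}).get("redirect_uris", []))
    return uris


def allowed_redirect_uris(request_object):
    """Hardened: only URIs from the resolved, authoritative metadata count."""
    meta = resolve_rp_metadata(request_object.get("client_id", ""))
    if meta is None:
        return set()  # unknown client_id: nothing is allowed
    return set(meta.get("redirect_uris", []))


def redirect_uri_is_valid(request_object, allowed=allowed_redirect_uris):
    """Exact-match comparison; no prefix or substring matching."""
    return request_object.get("redirect_uri", "") in allowed(request_object)


# Constructed request: the registration parameter tries to add a redirect_uri
# under a different host alongside the legitimate client_id.
TAMPERED_REQUEST = {
    "client_id": "https://rp.example",
    "redirect_uri": "https://other.example/cb",
    "registration": {"redirect_uris": ["https://other.example/cb"]},
}
```

With the weak variant the tampered request passes; with the hardened one it is rejected, because the registration parameter never contributes to the allowed set.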
<p style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin:0mm">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">Issues</span><br>
</p>
<ul type="disc" style="margin-bottom:0mm">
<li style="margin:0mm"><span style=""><span lang="EN-US" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">SIOP</span></span><span lang="EN-US" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)"> V</span><span lang="EN-US" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">2</span></li><ul>
<li style="margin:0mm"><span style="display:inline!important; font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">Security Considerations: </span><span style="display:inline!important"><a href="https://bitbucket.org/openid/connect/issues/1269/add-security-considerations-for-cross" id="LPlnk"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">https://bitbucket.org/openid/connect/issues/1269/add-security-considerations-for-cross</span></a></span></li><ul>
<li style="margin:0mm"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">Kristina shared a preliminary list of security attacks and mitigations identified so far</span></li><ul>
<li style="margin:0mm"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">Credential phishing, SIOP phishing (relay of a QR code), Open redirect, POST where the content becomes public, Server-side request forgery </span></li></ul>
</ul>
<li style="margin:0mm"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Using WebAuthn to mitigate cross-device SIOP security risk: </span><a href="https://bitbucket.org/openid/connect/issues/1273/mitigating-security-risk-by-using-webauthn" id="LPlnk"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">https://bitbucket.org/openid/connect/issues/1273/mitigating-security-risk-by-using-webauthn</span></a></li><ul>
<li style="margin:0mm"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Tim said that a small group has met and they plan to share the outcome of the discussion soon.</span></li></ul>
</ul>
</ul>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin:0mm">
<span lang="EN-US" style=""><span style="margin:0px; display:inline!important"><br>
</span></span></p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin:0mm">
<span lang="EN-US" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">Best,</span></p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin:0mm">
<span lang="EN-US" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">Kristina</span><span lang="EN-US" style=""></span></p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin:0mm">
<span lang="EN-US" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)"> </span></p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top:0px; margin-bottom:0px; margin:0mm">
<span lang="EN-US" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)"> </span><span lang="EN-US" style=""><br>
<br>
</span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>