<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Spec Call Notes 6-Dec-21<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">Kristina Yasuda<o:p></o:p></p>
<p class="MsoNormal">Tony Nadalin<o:p></o:p></p>
<p class="MsoNormal">Tom Jones<o:p></o:p></p>
<p class="MsoNormal">Gail Hodges<o:p></o:p></p>
<p class="MsoNormal">Vittorio Bertocci<o:p></o:p></p>
<p class="MsoNormal">Edmund Jay<o:p></o:p></p>
<p class="MsoNormal">David Waite (DW)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Proposed Implementer's Drafts<o:p></o:p></p>
<p class="MsoNormal"> As decided on the 2-Dec-21 call, we're conducting a working group review of these specs between now and Friday:<o:p></o:p></p>
<p class="MsoNormal"> SIOPV2 <a href="https://openid.net/specs/openid-connect-self-issued-v2-1_0.html">
https://openid.net/specs/openid-connect-self-issued-v2-1_0.html</a><o:p></o:p></p>
<p class="MsoNormal"> OIDC4VP <a href="https://openid.net/specs/openid-connect-4-verifiable-presentations-1_0.html">
https://openid.net/specs/openid-connect-4-verifiable-presentations-1_0.html</a><o:p></o:p></p>
<p class="MsoNormal"> The editors will incorporate text addressing comments received between now and then<o:p></o:p></p>
<p class="MsoNormal"> Updated versions will be published and the Foundation-wide Implementer's Draft review will begin<o:p></o:p></p>
<p class="MsoNormal"> Nat requested that Mike send individual notifications of these review periods<o:p></o:p></p>
<p class="MsoNormal"> Kristina merged multiple editorial PRs for OIDC4VP<o:p></o:p></p>
<p class="MsoNormal"> DW's PR #57 on Encrypted ID Tokens for SIOP should be considered<o:p></o:p></p>
<p class="MsoNormal"> Torsten's PR #45 on Additional Security Considerations for OIDC4VP should be considered<o:p></o:p></p>
<p class="MsoNormal"> Kristina will follow up with Torsten<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">ISO PAS Submission<o:p></o:p></p>
<p class="MsoNormal"> Gail noticed that FIDO has been taking their specifications through the ISO Publicly Available Spec process<o:p></o:p></p>
<p class="MsoNormal"> Gail then asked Nat about it, who said that we are interested in it<o:p></o:p></p>
<p class="MsoNormal"> Gail believes that this is a bigger effort than a typical volunteer task<o:p></o:p></p>
<p class="MsoNormal"> Mike asked whether we can guarantee that spec changes will not happen<o:p></o:p></p>
<p class="MsoNormal"> Tony said that it depends<o:p></o:p></p>
<p class="MsoNormal"> Tony said that FIDO is submitting to ITU-T - not ISO<o:p></o:p></p>
<p class="MsoNormal"> Tony said that nothing has come up on ISO CS1 or SC17<o:p></o:p></p>
<p class="MsoNormal"> Nat said that we first need to get ISO PAS submitter status with the secretariat<o:p></o:p></p>
<p class="MsoNormal"> Tony said that ITU-T PAS submission requires reformatting into ITU format<o:p></o:p></p>
<p class="MsoNormal"> Nat said that ISO PAS submission doesn't reformat and submission is pass/fail<o:p></o:p></p>
<p class="MsoNormal"> Tony will be the SC17 liaison with FIDO<o:p></o:p></p>
<p class="MsoNormal"> FIDO's liaison agreement with ISO is in process<o:p></o:p></p>
<p class="MsoNormal"> Our Class C liaison with ISO SC17 is being voted on now<o:p></o:p></p>
<p class="MsoNormal"> Nat said that obtaining PAS submission status isn't that much work<o:p></o:p></p>
<p class="MsoNormal"> It's sent to the JTC1 secretariat<o:p></o:p></p>
<p class="MsoNormal"> Nat said that for the submission to pass, we probably have to be in touch with national bodies to ask them to vote yes<o:p></o:p></p>
<p class="MsoNormal"> Nat said that after submission, there may be pushback from the secretariat<o:p></o:p></p>
<p class="MsoNormal"> Nat said that we have the equivalent of PAS submitter status in ITU-T<o:p></o:p></p>
<p class="MsoNormal"> A4 and A5 status<o:p></o:p></p>
<p class="MsoNormal"> Tony said that he's done that process before<o:p></o:p></p>
<p class="MsoNormal"> Tony said that we would submit to ITU-T Q10 - Security and Identity<o:p></o:p></p>
<p class="MsoNormal"> Mike asked how we would decide whether to submit to ISO or ITU-T<o:p></o:p></p>
<p class="MsoNormal"> Nat said that we can do both<o:p></o:p></p>
<p class="MsoNormal"> Nat said that ISO is important due to mDL<o:p></o:p></p>
<p class="MsoNormal"> Nat said that ISO would be easy for FAPI, since the FAPI specs are already in ISO format<o:p></o:p></p>
<p class="MsoNormal"> We agreed to try to find someone to get ISO PAS submitter status for us<o:p></o:p></p>
<p class="MsoNormal"> Preferably someone already working with both OpenID and ISO<o:p></o:p></p>
<p class="MsoNormal"> Gail would hate to see adoption blocked in some places due to lack of administrative steps on our part<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Pull Requests for Proposed Implementer's Drafts<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/">
https://bitbucket.org/openid/connect/pull-requests/</a><o:p></o:p></p>
<p class="MsoNormal"> #57: Further specify how to use encrypted id_token_hint values<o:p></o:p></p>
<p class="MsoNormal"> Mike reviewed the PR and made suggestions<o:p></o:p></p>
<p class="MsoNormal"> It should follow <a href="https://datatracker.ietf.org/doc/html/rfc7519#section-5.3">
https://datatracker.ietf.org/doc/html/rfc7519#section-5.3</a><o:p></o:p></p>
<p class="MsoNormal"> DW agreed to revise accordingly<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Recertification<o:p></o:p></p>
<p class="MsoNormal"> Gail said that some governments are requiring regular recertification of FAPI deployments<o:p></o:p></p>
<p class="MsoNormal"> For instance, requiring annual recertification<o:p></o:p></p>
<p class="MsoNormal"> Gail asked if the Foundation should have a viewpoint on recertification, which she thought could be valuable<o:p></o:p></p>
<p class="MsoNormal"> It's a problem when the certified product and current product are quite different<o:p></o:p></p>
<p class="MsoNormal"> This issue was discussed by the board strategy task force<o:p></o:p></p>
<p class="MsoNormal"> We'd like to define our viewpoint during 2022<o:p></o:p></p>
<p class="MsoNormal"> One possibility is date-stamped certification logos<o:p></o:p></p>
<p class="MsoNormal"> Mike talked about certifications representing a statement that was true at a point of time<o:p></o:p></p>
<p class="MsoNormal"> He said that we could add comments about recertification in the FAQ<o:p></o:p></p>
<p class="MsoNormal"> He said that we should not try to mandate recertification in any way<o:p></o:p></p>
<p class="MsoNormal"> Vittorio supports issuing badges with the year of the certification as an incentive for recertification<o:p></o:p></p>
<p class="MsoNormal"> He is worried that customers may not look into the certification dates themselves<o:p></o:p></p>
<p class="MsoNormal"> He would not support forcing anyone to recertify<o:p></o:p></p>
<p class="MsoNormal"> Mike said that the current OpenID Certified logo is rarely used<o:p></o:p></p>
<p class="MsoNormal"> So dated logos might be great but only if actually used<o:p></o:p></p>
<p class="MsoNormal"> Vittorio said that we should do more to promote the use of the certification logo<o:p></o:p></p>
<p class="MsoNormal"> Gail wants to include this in our marketing strategy<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We ran out of time for these agenda items<o:p></o:p></p>
<p class="MsoNormal"> Multitenancy<o:p></o:p></p>
<p class="MsoNormal"> Multiple-Device Flows<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Pull Requests<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/">
https://bitbucket.org/openid/connect/pull-requests/</a><o:p></o:p></p>
<p class="MsoNormal"> We ran out of time to consider pull requests<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open">
https://bitbucket.org/openid/connect/issues?status=new&status=open</a><o:p></o:p></p>
<p class="MsoNormal"> We ran out of time to consider open issues<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next call is the SIOP Special Topic call on Thursday, December 9th at 7am Pacific Time<o:p></o:p></p>
</div>
</body>
</html>