<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">SIOP Special Call Notes 20-Jan-22<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Kristina Yasuda<o:p></o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">David Chadwick<o:p></o:p></p>
<p class="MsoNormal">Thomas Bellebaum<o:p></o:p></p>
<p class="MsoNormal">Petteri Stenius<o:p></o:p></p>
<p class="MsoNormal">Gail Hodges<o:p></o:p></p>
<p class="MsoNormal">Joseph Heenan<o:p></o:p></p>
<p class="MsoNormal">Torsten Lodderstedt<o:p></o:p></p>
<p class="MsoNormal">Giuseppe De Marco<o:p></o:p></p>
<p class="MsoNormal">Kenichi Nakamura<o:p></o:p></p>
<p class="MsoNormal">Oliver Terbu<o:p></o:p></p>
<p class="MsoNormal">Daniel Fett<o:p></o:p></p>
<p class="MsoNormal">Jo Vercammen<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Pull Requests<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/">
https://bitbucket.org/openid/connect/pull-requests/</a><o:p></o:p></p>
<p class="MsoNormal"> PR #101: Fetching presentation definitions from a remote repository<o:p></o:p></p>
<p class="MsoNormal"> Approved by Torsten, comments by Kristina<o:p></o:p></p>
<p class="MsoNormal"> David to update<o:p></o:p></p>
<p class="MsoNormal"> PR #107: Support for federations using the termsOfUse property<o:p></o:p></p>
<p class="MsoNormal"> This is intended to address issue #1341<o:p></o:p></p>
<p class="MsoNormal"> Torsten said that this should be an Implementation Consideration - not normative text<o:p></o:p></p>
<p class="MsoNormal"> Torsten will add this as a comment to the PR<o:p></o:p></p>
<p class="MsoNormal"> Torsten asked David to add a PE example<o:p></o:p></p>
<p class="MsoNormal"> PR #50: Response-as-Push<o:p></o:p></p>
<p class="MsoNormal"> Jeremie declined this PR<o:p></o:p></p>
<p class="MsoNormal"> He plans to instead create an IETF draft doing this<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Strategic Directions for SIOP<o:p></o:p></p>
<p class="MsoNormal"> Gail reviewed a slide created by the board strategic planning task force about the SIOP work<o:p></o:p></p>
<p class="MsoNormal"> She sent the slide to the working group<o:p></o:p></p>
<p class="MsoNormal"> She reviewed relevant liaison relationships<o:p></o:p></p>
<p class="MsoNormal"> We're considering writing a whitepaper targeted at ecosystem leaders<o:p></o:p></p>
<p class="MsoNormal"> Several people thought this would be a good idea<o:p></o:p></p>
<p class="MsoNormal"> We don't have a candidate author in mind yet<o:p></o:p></p>
<p class="MsoNormal"> She asked if SIOP should be more prominently featured on our Web site<o:p></o:p></p>
<p class="MsoNormal"> Mike and Torsten supported doing this<o:p></o:p></p>
<p class="MsoNormal"> She asked if SIOP should remain subordinate to Connect<o:p></o:p></p>
<p class="MsoNormal"> Torsten stated that effectively, it's a distinct work stream already, with its own calls<o:p></o:p></p>
<p class="MsoNormal"> Torsten said that SIOP may not be the best term<o:p></o:p></p>
<p class="MsoNormal"> He said that Kristina and he sometimes refer to the work as OIDC4SSI<o:p></o:p></p>
<p class="MsoNormal"> Mike said that he doesn't see a problem that would be solved by creating a new working group<o:p></o:p></p>
<p class="MsoNormal"> Mike pointed out that if we form a new working group, every participant would have to sign a new IPR agreement<o:p></o:p></p>
<p class="MsoNormal"> Jo said that we have a perception problem<o:p></o:p></p>
<p class="MsoNormal"> He said that some other groups are assuming DIDComm as a protocol rather than considering OpenID Connect<o:p></o:p></p>
<p class="MsoNormal"> Torsten agreed that we should work on the perception problem<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open">
https://bitbucket.org/openid/connect/issues?status=new&status=open</a><o:p></o:p></p>
<p class="MsoNormal"> #1377: Credential Issuance: Generalize specification so it works with generalized forms of Identities<o:p></o:p></p>
<p class="MsoNormal"> Thomas wants to also be able to issue credentials about devices<o:p></o:p></p>
<p class="MsoNormal"> He's thinking about using the OAuth Client Credentials flow, since it's non-interactive<o:p></o:p></p>
<p class="MsoNormal"> He would use key-based authentication<o:p></o:p></p>
<p class="MsoNormal"> Torsten would like the use case to be written up<o:p></o:p></p>
<p class="MsoNormal"> Mike said that this would be a significant increase of scope, which we should explicitly decide whether to do<o:p></o:p></p>
<p class="MsoNormal"> Torsten agreed with this<o:p></o:p></p>
<p class="MsoNormal"> #1399: SIOP with any OIDC flow<o:p></o:p></p>
<p class="MsoNormal"> Torsten said that there are wallets that have the ability to expose endpoints<o:p></o:p></p>
<p class="MsoNormal"> This would enable them to use other flows, such as the Code flow or CIBA<o:p></o:p></p>
<p class="MsoNormal"> Torsten said that the main thing that differs with these other flows is the trust model<o:p></o:p></p>
<p class="MsoNormal"> He said that we could relax things a bit to enable use of SIOP with other flows<o:p></o:p></p>
<p class="MsoNormal"> Mike asked whether this would be an expansion of the use cases we're trying to solve or not<o:p></o:p></p>
<p class="MsoNormal"> Torsten said that he doesn't think this would be an expansion of our scope<o:p></o:p></p>
<p class="MsoNormal"> Torsten said that it would be an expansion of the mechanisms we support<o:p></o:p></p>
<p class="MsoNormal"> Mike asked whether it would help or hurt interoperability to have six response types to choose from, rather than one<o:p></o:p></p>
<p class="MsoNormal"> Daniel said that the normal security considerations would apply to the normal Connect response types<o:p></o:p></p>
<p class="MsoNormal"> Kristina has heard of people wanting to use CIBA with SIOP<o:p></o:p></p>
<p class="MsoNormal"> Kenichi supports this proposal<o:p></o:p></p>
<p class="MsoNormal"> He spoke about expanding our use cases<o:p></o:p></p>
<p class="MsoNormal"> #1400: Issuer Handling in SIOP<o:p></o:p></p>
<p class="MsoNormal"> Torsten said that there are currently two mechanisms for determining that the OP is a SIOP<o:p></o:p></p>
<p class="MsoNormal"> He's of the impression that we could do better<o:p></o:p></p>
<p class="MsoNormal"> He wants the "iss" claim to identify that the claims are being signed on behalf of the user<o:p></o:p></p>
<p class="MsoNormal"> He's suggesting that the "sub" and "iss" claims have the same values<o:p></o:p></p>
<p class="MsoNormal"> This is true of some other kinds of self-signed data structures, such as self-signed certificates<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">JWK URI Draft<o:p></o:p></p>
<p class="MsoNormal"> David has written a proposed Internet Draft defining a URI passing a JWK by value<o:p></o:p></p>
<p class="MsoNormal"> Kristina pointed out that DW has written a similar draft<o:p></o:p></p>
<p class="MsoNormal"> She suggested that he coordinate with DW plus the JWK Thumbprint URI authors<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next Connect call will be Monday, January 24th, 2022 at 3pm Pacific Time<o:p></o:p></p>
</div>
</body>
</html>