<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Spec Call Notes 14-Feb-22<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">David Waite<o:p></o:p></p>
<p class="MsoNormal">Vittorio Bertocci<o:p></o:p></p>
<p class="MsoNormal">Kristina Yasuda<o:p></o:p></p>
<p class="MsoNormal">Tom Jones<o:p></o:p></p>
<p class="MsoNormal">Edmund Jay<o:p></o:p></p>
<p class="MsoNormal">David Waite<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open">
https://bitbucket.org/openid/connect/issues?status=new&status=open</a><o:p></o:p></p>
<p class="MsoNormal"> #1400: Issuer Handling in SIOP<o:p></o:p></p>
<p class="MsoNormal"> Also see PR #120: Issuer Handling SIOP<o:p></o:p></p>
<p class="MsoNormal"> Vittorio wants us to enumerate use cases where the values might be different<o:p></o:p></p>
<p class="MsoNormal"> He's asking for clarity - not pushing back on potentially doing it<o:p></o:p></p>
<p class="MsoNormal"> Kristina pointed out that in SIOP v1, the "sub" was the key, whereas the "iss" was the constant
<a href="https://self-issued.me/">https://self-issued.me/</a><o:p></o:p></p>
<p class="MsoNormal"> Kristina said that use cases for multiple accounts are absolutely valid<o:p></o:p></p>
<p class="MsoNormal"> Kristina said that we might provide information about software, certification, etc. via an attestation<o:p></o:p></p>
<p class="MsoNormal"> Vittorio said that we already have "iss" and "sub" as distinct entities, which we can already use<o:p></o:p></p>
<p class="MsoNormal"> A fundamental point in traditional OpenID Connect is the ability to acquire a key via the issuer<o:p></o:p></p>
<p class="MsoNormal"> Making "iss" == "sub" moves us in this direction<o:p></o:p></p>
<p class="MsoNormal"> Vittorio suggested that we need guidance on *why* to use different features - not just implement the cartesian product of possibilities<o:p></o:p></p>
<p class="MsoNormal"> DW said that in traditional OpenID Connect, "iss" can be used to judge the reputation of the issuer<o:p></o:p></p>
<p class="MsoNormal"> He said that in OpenID Connect Federation, there's a whole resolvable tree of reputation information<o:p></o:p></p>
<p class="MsoNormal"> DW said that Ping was intending to use the issuer to identify a trust framework<o:p></o:p></p>
<p class="MsoNormal"> He agreed to file an issue comment about that<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Claims Aggregation Spec<o:p></o:p></p>
<p class="MsoNormal"> Edmund reports that he's merged some of the PRs<o:p></o:p></p>
<p class="MsoNormal"> New issue #1435: Listing of of individual claimset claims instead of single list of claims<o:p></o:p></p>
<p class="MsoNormal"> Mike suggested that we use the existing "claims_supported" metadata element<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">More Open Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open">
https://bitbucket.org/openid/connect/issues?status=new&status=open</a><o:p></o:p></p>
<p class="MsoNormal"> #1429: Replace JWK Thumbprint URI with JWK URI<o:p></o:p></p>
<p class="MsoNormal"> We reviewed the issue comments<o:p></o:p></p>
<p class="MsoNormal"> Mike doesn't want to break the invariant that "sub" is the primary key identifying the account<o:p></o:p></p>
<p class="MsoNormal"> In SIOP v1, we defined JWK Thumbprint so that there was a limited-size stable "sub" identifier<o:p></o:p></p>
<p class="MsoNormal"> For some post-quantum algorithms, the keys are huge<o:p></o:p></p>
<p class="MsoNormal"> DW said that even for RSA keys, JWK URIs wouldn't necessarily fit into usable ID Tokens due to browser URL limitations<o:p></o:p></p>
<p class="MsoNormal"> Mike (not as chair) said that he doesn't see sufficient support for doing this because of all that it breaks, so we should close the issue in a week<o:p></o:p></p>
<p class="MsoNormal"> DW said that this wouldn't be a replacement for JWK Thumbprint URIs - that it would be an option alongside the others<o:p></o:p></p>
<p class="MsoNormal"> Nat (as chair) said that we might close this if there isn't sufficient support soon<o:p></o:p></p>
<p class="MsoNormal"> There was a discussion about key rotation, which using a key (or key thumbprint) as the identifier doesn't support<o:p></o:p></p>
<p class="MsoNormal"> #1434: Dubious support for authentication<o:p></o:p></p>
<p class="MsoNormal"> Kristina said that there's confusion between the user identifier in the ID Token and the user identifier in a VC<o:p></o:p></p>
<p class="MsoNormal"> Kristina said that David Chadwick may be thinking of use cases where the OP is also the issuer of a VC<o:p></o:p></p>
<p class="MsoNormal"> Vittorio said that we've decoupled identity from credentials<o:p></o:p></p>
<p class="MsoNormal"> "We decoupled the subject identification from the raw credentials necessary to identify/authenticate"<o:p></o:p></p>
<p class="MsoNormal"> And that we introduce confusion when we mix them together<o:p></o:p></p>
<p class="MsoNormal"> Nat said that David's issue seems to be conflating user authentication and claims about that user<o:p></o:p></p>
<p class="MsoNormal"> Claims about the user are usually not sufficient to authenticate the user<o:p></o:p></p>
<p class="MsoNormal"> Nat said that we cannot use the VC as proof of user authentication<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OSW<o:p></o:p></p>
<p class="MsoNormal"> Registration has opened for the OAuth Security Workshop<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://oauth.secworkshop.events/osw2022">
https://oauth.secworkshop.events/osw2022</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next call will be a SIOP special topic call on Thursday, February 17, 2022, at 7am Pacific Time<o:p></o:p></p>
</div>
</body>
</html>