<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Spec Call Notes 19-May-22<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Giuseppe De Marco<o:p></o:p></p>
<p class="MsoNormal">Vittorio Bertocci<o:p></o:p></p>
<p class="MsoNormal">Monty Wiseman<o:p></o:p></p>
<p class="MsoNormal">Takahiko Kawasaki<o:p></o:p></p>
<p class="MsoNormal">Rifaat Shekh-Yusef<o:p></o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Logout PRs and Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/">
https://bitbucket.org/openid/connect/pull-requests/</a><o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open&component=Logout">
https://bitbucket.org/openid/connect/issues?status=new&status=open&component=Logout</a><o:p></o:p></p>
<p class="MsoNormal"> #1491: Do we want to communicate details of why a back-channel logout failed?<o:p></o:p></p>
<p class="MsoNormal"> PR #177 filed to address this issue<o:p></o:p></p>
<p class="MsoNormal"> PR #177: Added optional 'error' and 'error_description' values to error responses<o:p></o:p></p>
<p class="MsoNormal"> Nat suggested that we ask Tom what security vulnerability he perceives<o:p></o:p></p>
<p class="MsoNormal"> Filip said that if there's only one error code, there's no point in doing this<o:p></o:p></p>
<p class="MsoNormal"> He suggested that we say that this is for implementers<o:p></o:p></p>
<p class="MsoNormal"> Giuseppe said that the ability to provide error_description values can improve the user experience<o:p></o:p></p>
<p class="MsoNormal"> It's an accessibility feature<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Federation PRs and Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/">
https://bitbucket.org/openid/connect/pull-requests/</a><o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open&component=Federation">
https://bitbucket.org/openid/connect/issues?status=new&status=open&component=Federation</a><o:p></o:p></p>
<p class="MsoNormal"> PR #172: fix: [Federation] removed trust_mark claim from federation entity metadata<o:p></o:p></p>
<p class="MsoNormal"> Per Giuseppe, Roland confirmed that it was an error to have it here<o:p></o:p></p>
<p class="MsoNormal"> We agreed to merge this<o:p></o:p></p>
<p class="MsoNormal"> PR #171: feat: [Federation] added trust_chain in resolve endpoint and removed is_leaf in list endpoint<o:p></o:p></p>
<p class="MsoNormal"> This removes is_leaf and the audience<o:p></o:p></p>
<p class="MsoNormal"> It removes "aud" since this endpoint is not protected by client authentication<o:p></o:p></p>
<p class="MsoNormal"> We agreed to merge this<o:p></o:p></p>
<p class="MsoNormal"> PR #166: feat: [Federation] jwks claim in OP metadata<o:p></o:p></p>
<p class="MsoNormal"> Roland and Mike have agreed that having this makes sense<o:p></o:p></p>
<p class="MsoNormal"> Giuseppe and the Italian deployers want the responses to be self-contained<o:p></o:p></p>
<p class="MsoNormal"> He noted that Dynamic Client Registration has both "jwks" and "jwks_uri"<o:p></o:p></p>
<p class="MsoNormal"> We agreed to merge<o:p></o:p></p>
<p class="MsoNormal"> PR #174: fix: [Federation] OP metadata - removed the claim jwks<o:p></o:p></p>
<p class="MsoNormal"> This contradicts PR #166<o:p></o:p></p>
<p class="MsoNormal"> We agreed to decline this one<o:p></o:p></p>
<p class="MsoNormal"> #1498: [Federation][Metadata] Redefinition of signed_jwks_uri<o:p></o:p></p>
<p class="MsoNormal"> Giuseppe said that this can be closed<o:p></o:p></p>
<p class="MsoNormal"> He realizes that JWK Sets can be updated at any time<o:p></o:p></p>
<p class="MsoNormal"> We agreed to close this<o:p></o:p></p>
<p class="MsoNormal"> #1485: [Resolve Entity Endpoint] dynamic propagation of metadata renewal<o:p></o:p></p>
<p class="MsoNormal"> The resolve endpoint is a public endpoint<o:p></o:p></p>
<p class="MsoNormal"> The issue proposes that resolution must not trigger additional metadata discovery<o:p></o:p></p>
<p class="MsoNormal"> That the data must be retrieved from the cache<o:p></o:p></p>
<p class="MsoNormal"> Roland had said in a comment that this would overly constrain implementations<o:p></o:p></p>
<p class="MsoNormal"> Giuseppe agreed to close this with a comment<o:p></o:p></p>
<p class="MsoNormal"> #1446: [Federation][list endpoint] Listing by type<o:p></o:p></p>
<p class="MsoNormal"> This will be closed by PR #171<o:p></o:p></p>
<p class="MsoNormal"> PR #160: Defined request_authentication_signing_alg_values_supported<o:p></o:p></p>
<p class="MsoNormal"> We agreed to merge this one<o:p></o:p></p>
<p class="MsoNormal"> PR #165: request_authentication_methods_supported<o:p></o:p></p>
<p class="MsoNormal"> These appear to be clarifications, not normative changes<o:p></o:p></p>
<p class="MsoNormal"> Giuseppe agreed to review this, as did Mike<o:p></o:p></p>
<p class="MsoNormal"> We will merge this after two positive reviews<o:p></o:p></p>
<p class="MsoNormal"> #1479: [Federation][OP Metadata] jwks claim<o:p></o:p></p>
<p class="MsoNormal"> Will be fixed by PR #166<o:p></o:p></p>
<p class="MsoNormal"> #1493: [Federation] Devise mechanism for policy metadata to enforce entity type(s) of subordinates<o:p></o:p></p>
<p class="MsoNormal"> Waiting for a write-up by Vladimir<o:p></o:p></p>
<p class="MsoNormal"> #1497: [Federation] trust_marks claim shouldn't be defined in the federation entity metadata<o:p></o:p></p>
<p class="MsoNormal"> Will be fixed by PR #172<o:p></o:p></p>
<p class="MsoNormal"> #1489: [Federation][Resolve entity endpoint] feat: trust_chain claim as OPTIONAL<o:p></o:p></p>
<p class="MsoNormal"> Will be fixed by PR #171<o:p></o:p></p>
<p class="MsoNormal"> #1477: request_authentication_methods_supported inconsistently defined<o:p></o:p></p>
<p class="MsoNormal"> Will be fixed by PR #165<o:p></o:p></p>
<p class="MsoNormal"> #1494: [Federation][resolve entity endpoint] proof of the jwks collected from jwks_uri or signed_jwks_uri<o:p></o:p></p>
<p class="MsoNormal"> Will be closed when we add the "jwks" claim to the metadata in PR #166<o:p></o:p></p>
<p class="MsoNormal"> #1432: Why does resolver sign entity statement?<o:p></o:p></p>
<p class="MsoNormal"> Requires spec updates to provide more background information<o:p></o:p></p>
<p class="MsoNormal"> Giuseppe said that this is related to another issue<o:p></o:p></p>
<p class="MsoNormal"> #1456: scopes metadata parameter needs to be defined<o:p></o:p></p>
<p class="MsoNormal"> We should add this clarification to the spec<o:p></o:p></p>
<p class="MsoNormal"> #1445: Add section on use of Resolvers<o:p></o:p></p>
<p class="MsoNormal"> Requires spec updates to provide more background information<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next call will be on Monday, May 23, 2022 at 4pm Pacific Time<o:p></o:p></p>
</div>
</body>
</html>