<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Spec Call Notes 16-Jun-22<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Giuseppe De Marco<o:p></o:p></p>
<p class="MsoNormal">Filip Skokan<o:p></o:p></p>
<p class="MsoNormal">Rifaat Shekh-Yusef<o:p></o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal">Bjorn Hjelm<o:p></o:p></p>
<p class="MsoNormal">David Chadwick<o:p></o:p></p>
<p class="MsoNormal">David Waite (DW)<o:p></o:p></p>
<p class="MsoNormal">Tom Jones<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Federation Developments<o:p></o:p></p>
<p class="MsoNormal"> Roland and Giuseppe presented in Rome on Friday on the Italian OpenID Connect Federations to many Italian federation operators<o:p></o:p></p>
<p class="MsoNormal"> They presented to the TNC conference on Tuesday<o:p></o:p></p>
<p class="MsoNormal"> Spec refinements continue based on feedback - particularly feedback from implementers<o:p></o:p></p>
<p class="MsoNormal"> Among others, from Taka and Vladimir<o:p></o:p></p>
<p class="MsoNormal"> We are adding additional security considerations<o:p></o:p></p>
<p class="MsoNormal"> There are 13 open issues at present<o:p></o:p></p>
<p class="MsoNormal"> The Italian authorities plan to have their first trust anchor up by the end of July<o:p></o:p></p>
<p class="MsoNormal"> They need the spec to be very stable by September<o:p></o:p></p>
<p class="MsoNormal"> Attribute authorities are rolling out, based on OAuth Token Exchange<o:p></o:p></p>
<p class="MsoNormal"> The Italian cabinet is closely following the rollout<o:p></o:p></p>
<p class="MsoNormal"> A second Italian federation will roll out between December and March<o:p></o:p></p>
<p class="MsoNormal"> Their legacy SAML deployments will also work for years<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">IETF 114 is Upcoming<o:p></o:p></p>
<p class="MsoNormal"> Rifaat reported on IETF OAuth plans<o:p></o:p></p>
<p class="MsoNormal"> There are two OAuth sessions and two side meetings scheduled<o:p></o:p></p>
<p class="MsoNormal"> There will be OAuth 2.1 and browser-based applications presentations<o:p></o:p></p>
<p class="MsoNormal"> There will be a discussion of step-up authentication<o:p></o:p></p>
<p class="MsoNormal"> Someone from GitHub will be talking to us about token theft<o:p></o:p></p>
<p class="MsoNormal"> Rifaat will talk about the Multi-Subject JWT draft<o:p></o:p></p>
<p class="MsoNormal"> Kristina will be talking about Selective Disclosure JWTs<o:p></o:p></p>
<p class="MsoNormal"> Brian might be talking about DPoP<o:p></o:p></p>
<p class="MsoNormal"> Brian is looking at Rifaat's shepherd review comments<o:p></o:p></p>
<p class="MsoNormal"> Perhaps Daniel will be talking about the Security BCP<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">COSE<o:p></o:p></p>
<p class="MsoNormal"> Two calls for working group adoption are open<o:p></o:p></p>
<p class="MsoNormal"> [COSE] Call for adoption of draft-looker-cose-cwt-claims-in-headers-00<o:p></o:p></p>
<p class="MsoNormal"> [COSE] Call for adoption of draft-looker-cose-bls-key-representations-00<o:p></o:p></p>
<p class="MsoNormal"> Both specs are led by Tobias Looker, with Mike assisting<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">JSON Web Proofs (JWPs) BoF Request<o:p></o:p></p>
<p class="MsoNormal"> A BoF has been tentatively approved for IETF 114<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://datatracker.ietf.org/doc/bofreq-miller-json-web-proofs/">
https://datatracker.ietf.org/doc/bofreq-miller-json-web-proofs/</a><o:p></o:p></p>
<p class="MsoNormal"> The JWP specs were incubated in DIF Applied Cryptography WG<o:p></o:p></p>
<p class="MsoNormal"> The W3C VC WG V2 also wants this standardized<o:p></o:p></p>
<p class="MsoNormal"> The BoF requests reforming the JOSE WG<o:p></o:p></p>
<p class="MsoNormal"> Filip suggests including new algorithm registrations in the JOSE re-charter<o:p></o:p></p>
<p class="MsoNormal"> Mike suggested that Filip create a PR for the charter<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Post-Quantum Cryptography<o:p></o:p></p>
<p class="MsoNormal"> Tom Jones asked about post-quantum cryptography work<o:p></o:p></p>
<p class="MsoNormal"> Orie Steele and Mike Prorock have a draft that proposes registering algorithm identifiers<o:p></o:p></p>
<p class="MsoNormal"> for the NIST proposed post-quantum algorithms<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open">
https://bitbucket.org/openid/connect/issues?status=new&status=open</a><o:p></o:p></p>
<p class="MsoNormal"> #1524: Is it OpenID Connect Core when Authorization Request is sent to the OP without using redirects via a user agent?<o:p></o:p></p>
<p class="MsoNormal"> Tom asked us to talk about this issue<o:p></o:p></p>
<p class="MsoNormal"> David Chadwick said that 18013-5 extends the Core spec<o:p></o:p></p>
<p class="MsoNormal"> We agreed to defer discussion of this until the SIOP call so more people knowledgeable of the ISO work can participate<o:p></o:p></p>
<p class="MsoNormal"> #1530: Core - c_hash and at_hash parameters<o:p></o:p></p>
<p class="MsoNormal"> Filip will add a comment explaining the context of these parameters<o:p></o:p></p>
<p class="MsoNormal"> #1511: Determining if an RP is a member of a trust federation<o:p></o:p></p>
<p class="MsoNormal"> Mike assigned this issue to the Federation category<o:p></o:p></p>
<p class="MsoNormal"> Giuseppe volunteered to review this<o:p></o:p></p>
<p class="MsoNormal"> David Chadwick stated that administrative trust is different than cryptographic trust<o:p></o:p></p>
<p class="MsoNormal"> Giuseppe stated that the Trust Anchor is the representation of the Federation Authority<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Pull Requests<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/">
https://bitbucket.org/openid/connect/pull-requests/</a><o:p></o:p></p>
<p class="MsoNormal"> (We ran out of time to discuss pull requests)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next call will be on Monday, June 20, 2022 at 4pm Pacific Time<o:p></o:p></p>
</div>
</body>
</html>