<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">I made an error in the minutes below. The working group last call for the prompt=create spec was in preparation for advancing it to Final status – not Implementer’s Draft status.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> -- Mike<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Mike Jones <br>
<b>Sent:</b> Thursday, September 22, 2022 12:35 PM<br>
<b>To:</b> openid-specs-ab@lists.openid.net<br>
<b>Subject:</b> Spec Call Notes 22-Sep-22<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Spec Call Notes 22-Sep-22<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Filip Skokan<o:p></o:p></p>
<p class="MsoNormal">David Chadwick<o:p></o:p></p>
<p class="MsoNormal">Joseph Heenan<o:p></o:p></p>
<p class="MsoNormal">Giuseppe De Marco<o:p></o:p></p>
<p class="MsoNormal">George Fletcher<o:p></o:p></p>
<p class="MsoNormal">Mark Haine<o:p></o:p></p>
<p class="MsoNormal">Rifaat Shekh-Yusef<o:p></o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">prompt=create Specification<o:p></o:p></p>
<p class="MsoNormal"> George updated the spec with non-normative text improvements yesterday<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://openid.net/specs/openid-connect-prompt-create-1_0-05.html">
https://openid.net/specs/openid-connect-prompt-create-1_0-05.html</a><o:p></o:p></p>
<p class="MsoNormal"> The working group last call for Implementer's Draft status completed today<o:p></o:p></p>
<p class="MsoNormal"> We will start the Implementer's Draft review today<o:p></o:p></p>
<p class="MsoNormal"> The prompt_values_supported metadata value was the last addition to the spec<o:p></o:p></p>
<p class="MsoNormal"> Mark Haine said that some use cases of the Identity Assurance draft are asking the IdP to perform an assurance process from scratch<o:p></o:p></p>
<p class="MsoNormal"> We observed there is some semantic overlap with prompt=create<o:p></o:p></p>
<p class="MsoNormal"> George said that this spec sets up the structure to add other prompt values<o:p></o:p></p>
<p class="MsoNormal"> Such as prompt=reverify, which could be added to the IDA-eKYC spec<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Native SSO for Mobile Apps Specification<o:p></o:p></p>
<p class="MsoNormal"> The working group last call for Implementer's Draft status completed today<o:p></o:p></p>
<p class="MsoNormal"> Joseph filed a number of issues<o:p></o:p></p>
<p class="MsoNormal"> George still needs to update the spec accordingly<o:p></o:p></p>
<p class="MsoNormal"> One is to add the requirement to validate the ID Token<o:p></o:p></p>
<p class="MsoNormal"> George found some other things that need clarification<o:p></o:p></p>
<p class="MsoNormal"> Additional reviews are solicited<o:p></o:p></p>
<p class="MsoNormal"> At Identiverse, Okta talked about using it to share state between devices<o:p></o:p></p>
<p class="MsoNormal"> "Frictionless authentication with mobile single-sign-on":
<a href="https://www.youtube.com/watch?v=8BkblIYjegk">https://www.youtube.com/watch?v=8BkblIYjegk</a><o:p></o:p></p>
<p class="MsoNormal"> George asked if we want to keep the scope the same or expand it<o:p></o:p></p>
<p class="MsoNormal"> Mike suggested we go to Implementer's Draft as-is, then discuss possible scope expansion<o:p></o:p></p>
<p class="MsoNormal"> Rifaat volunteered to review the draft<o:p></o:p></p>
<p class="MsoNormal"> Brian asked whether it makes sense to progress this document, given its dormancy<o:p></o:p></p>
<p class="MsoNormal"> George said that there are multiple implementations, including at Yahoo!<o:p></o:p></p>
<p class="MsoNormal"> Mike said that the working group had decided to take it to Implementer's Draft for IPR reasons<o:p></o:p></p>
<p class="MsoNormal"> Then we can decide what the next steps are<o:p></o:p></p>
<p class="MsoNormal"> George said that the pressure from products to reduce user friction continues<o:p></o:p></p>
<p class="MsoNormal"> He said that having something that's been vetted from a security perspective is important<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Public Review Period for Proposed Final Unmet Authentication Requirements Specification<o:p></o:p></p>
<p class="MsoNormal"> The 60-day public review period is under way<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://openid.net/2022/09/09/public-review-period-for-proposed-final-unmet-authentication-requirements-specification/">
https://openid.net/2022/09/09/public-review-period-for-proposed-final-unmet-authentication-requirements-specification/</a><o:p></o:p></p>
<p class="MsoNormal"> Nat privately asked if there were multiple implementations of the spec<o:p></o:p></p>
<p class="MsoNormal"> Mike said he believes that it's referenced from multiple specifications<o:p></o:p></p>
<p class="MsoNormal"> Brian said that it's referenced from the OAuth step-up specification<o:p></o:p></p>
<p class="MsoNormal"> That moved to WGLC today<o:p></o:p></p>
<p class="MsoNormal"> Mike said that he would ask Torsten about implementations if he joins the SIOP Special Topic call in the next hour<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Pull Requests<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/">
https://bitbucket.org/openid/connect/pull-requests/</a><o:p></o:p></p>
<p class="MsoNormal"> PR #303: fix: [Federation] Federation Entity Discovery in the defined terms<o:p></o:p></p>
<p class="MsoNormal"> We updated the term to "Federation Entity Discovery"<o:p></o:p></p>
<p class="MsoNormal"> Merged<o:p></o:p></p>
<p class="MsoNormal"> PR #302 fix: [Federation] Trust Chain explanatory text made easier<o:p></o:p></p>
<p class="MsoNormal"> Giuseppe said that this clarifies the composition of a trust chain<o:p></o:p></p>
<p class="MsoNormal"> The trust chain MAY contain the entity configuration of the trust anchor<o:p></o:p></p>
<p class="MsoNormal"> Waiting for additional approvals - particularly, hopefully Roland and Vladimir<o:p></o:p></p>
<p class="MsoNormal"> PR #306: Updates to Native SSO spec<o:p></o:p></p>
<p class="MsoNormal"> We requested a few changes; George will update<o:p></o:p></p>
<p class="MsoNormal"> PR #304: Fix pre_authorized_code to be pre-authorized_code<o:p></o:p></p>
<p class="MsoNormal"> Merged<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open">
https://bitbucket.org/openid/connect/issues?status=new&status=open</a><o:p></o:p></p>
<p class="MsoNormal"> #1637: id_token validation?<o:p></o:p></p>
<p class="MsoNormal"> Joseph talked about missing signature validation<o:p></o:p></p>
<p class="MsoNormal"> We discussed that the ID Token is being unbound for multiple parties<o:p></o:p></p>
<p class="MsoNormal"> Brian said that there is weirdness about audience and expiration that at least needs more explanation<o:p></o:p></p>
<p class="MsoNormal"> George suggested that wording about multiple devices should go into the Security Considerations<o:p></o:p></p>
<p class="MsoNormal"> and that the ID Token Validation description should go into the spec itself<o:p></o:p></p>
<p class="MsoNormal"> #1641 feat: [Federation] endpoint for historical federation jwks<o:p></o:p></p>
<p class="MsoNormal"> Giuseppe said that those doing SAML federations brought up repudiablity of past signatures after keys have been changed<o:p></o:p></p>
<p class="MsoNormal"> He said that this may result in legal problems<o:p></o:p></p>
<p class="MsoNormal"> Giuseppe said they are only proposing to retain past keys for trust anchors<o:p></o:p></p>
<p class="MsoNormal"> People are requested to discuss the issue<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next call is the SIOP Special Topic call immediately following this call<o:p></o:p></p>
</div>
</body>
</html>