<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">SIOP Special Topic Call Notes 29-Sep-22<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Petteri Stenius<o:p></o:p></p>
<p class="MsoNormal">David Chadwick<o:p></o:p></p>
<p class="MsoNormal">Kristina Yasuda<o:p></o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal">Kenichi Nakamura<o:p></o:p></p>
<p class="MsoNormal">Gail Hodges<o:p></o:p></p>
<p class="MsoNormal">George Fletcher<o:p></o:p></p>
<p class="MsoNormal">David Waite (DW)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Joseph Heenan<o:p></o:p></p>
<p class="MsoNormal">Torsten Lodderstedt<o:p></o:p></p>
<p class="MsoNormal">Bjorn Hjelm<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Planning for Implementer's Drafts<o:p></o:p></p>
<p class="MsoNormal"> Kristina reviewed our plans to move to new Implementer's Drafts<o:p></o:p></p>
<p class="MsoNormal"> For SIOPv2 and OpenID4VP there aren't big issues to be resolved before the next Implementer's Drafts<o:p></o:p></p>
<p class="MsoNormal"> Editorial cleanups, etc. are planned<o:p></o:p></p>
<p class="MsoNormal"> For OpenID4VCI, there's increasing interest in the work by others<o:p></o:p></p>
<p class="MsoNormal"> For instance, by DIF<o:p></o:p></p>
<p class="MsoNormal"> We want an Implementer's Draft to signify stability and convey IPR protection<o:p></o:p></p>
<p class="MsoNormal"> Three big issues to resolve before going to Implementer's Draft:<o:p></o:p></p>
<p class="MsoNormal"> Structure of issuer's metadata: PR #240<o:p></o:p></p>
<p class="MsoNormal"> Separating the resource server metadata file (or not) - multiple issues<o:p></o:p></p>
<p class="MsoNormal"> Multiple issuance endpoint<o:p></o:p></p>
<p class="MsoNormal"> Also "cnonce", attestations, etc., which we may park until we get feedback from implementers<o:p></o:p></p>
<p class="MsoNormal"> David said that there's still no way for a wallet to indicate exactly what it wants<o:p></o:p></p>
<p class="MsoNormal"> For instance, only one of multiple degrees from a university<o:p></o:p></p>
<p class="MsoNormal"> Kristina said that these are related to the multiple issuance endpoint and metadata<o:p></o:p></p>
<p class="MsoNormal"> It's up to the issuer to decide what's mandatory and optional - not the wallet<o:p></o:p></p>
<p class="MsoNormal"> Gail reported that the California DMV is planning to use all three specifications<o:p></o:p></p>
<p class="MsoNormal"> They are moving very quickly<o:p></o:p></p>
<p class="MsoNormal"> Kristina asked David Chadwick to circulate a demo to the working group that he's been showing<o:p></o:p></p>
<p class="MsoNormal"> David C. reported that Joseph Heenan has done an initial test, achieving credential issuance<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">FIDO Authenticate Conference<o:p></o:p></p>
<p class="MsoNormal"> Gail reported on sessions we'll be having at FIDO Authenticate in Seattle<o:p></o:p></p>
<p class="MsoNormal"> We will have an overview of the OIDF strategy<o:p></o:p></p>
<p class="MsoNormal"> We will have a deep dive on FAPI<o:p></o:p></p>
<p class="MsoNormal"> There will be a 3.5 hour session on OpenID topics<o:p></o:p></p>
<p class="MsoNormal"> Including OpenID4VP, GAIN, whitepapers, messages for government officials<o:p></o:p></p>
<p class="MsoNormal"> Heather Flanagan will present on the privacy whitepaper<o:p></o:p></p>
<p class="MsoNormal"> They will be open to OpenID Foundation members for free<o:p></o:p></p>
<p class="MsoNormal"> There will be a November 14th OpenID Workshop the day before IIW starts<o:p></o:p></p>
<p class="MsoNormal"> Mike asked if we've made plans for Kim Cameron award recipients at Authenticate<o:p></o:p></p>
<p class="MsoNormal"> Don Thibeau has the action item for that<o:p></o:p></p>
<p class="MsoNormal"> This will be the free zoom link for the OIDF plenary sessions 9-1230pm Pacific Time on Wednesday Oct 19th<o:p></o:p></p>
<p class="MsoNormal"> This will also be sent in OIDF Twitter and Blog post. Here is the Zoom link for the OIDF sessions at the FIDO Plenary:<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://zoom.us/j/93339382688?pwd=bVQ5a1N0bjh6eU5XZ25TWjhkdXptZz09">
https://zoom.us/j/93339382688?pwd=bVQ5a1N0bjh6eU5XZ25TWjhkdXptZz09</a><o:p></o:p></p>
<p class="MsoNormal"> For FIDO Authenticate there is a 20% discount for OIDF members<o:p></o:p></p>
<p class="MsoNormal"> You can this code to sign up on the FIDO Authenticate website: 20OIDF22<o:p></o:p></p>
<p class="MsoNormal"> OIDF talk at Authenticate will be Tuesday afternoon<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">IIW and OpenID Workshop<o:p></o:p></p>
<p class="MsoNormal"> Gail updated us about IIW and the OpenID Workshop prior<o:p></o:p></p>
<p class="MsoNormal"> OIDF Members can also get a 20% Discount on attending IIW, and the places are selling out fast so don't delay.<o:p></o:p></p>
<p class="MsoNormal"> In spring they did sell out.<o:p></o:p></p>
<p class="MsoNormal"> Also, here’s a 20% discount code you can share with your members if they’d like to attend:<o:p></o:p></p>
<p class="MsoNormal"> <a href="http://www.eventbrite.com/e/368643531727/?discount=OIDF_XXXV_20">
www.eventbrite.com/e/368643531727/?discount=OIDF_XXXV_20</a><o:p></o:p></p>
<p class="MsoNormal"> OIDF workshop is targeted to be the day before on 11/14 but we are still waiting to confirm the location, potential at Visa office<o:p></o:p></p>
<p class="MsoNormal"> If that does not work, we may co-locate with IIW (at their invitation)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Jobs for the Future (JFF)<o:p></o:p></p>
<p class="MsoNormal"> David Chadwick reports that JFF will be holding an OpenID4VC plugfest next week<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://idp.research.identiproof.io">
https://idp.research.identiproof.io</a><o:p></o:p></p>
<p class="MsoNormal"> Full descriptions of all resources are here <a href="https://ngiatlantic.info">
https://ngiatlantic.info</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">JSON Web Proofs (JWP) Virtual Interim BoF<o:p></o:p></p>
<p class="MsoNormal"> It will be Wednesday, October 2022-10-12 from 13:00 to 15:00 America/New_York (17:00 to 19:00 UTC)<o:p></o:p></p>
<p class="MsoNormal"> Join at <a href="https://meetings.conf.meetecho.com/interim/?short=cd2380f0-b32b-4c48-b6af-9c882205217d">
https://meetings.conf.meetecho.com/interim/?short=cd2380f0-b32b-4c48-b6af-9c882205217d</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Pull Requests<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/">
https://bitbucket.org/openid/connect/pull-requests/</a><o:p></o:p></p>
<p class="MsoNormal"> PR #265: static configuration data in openid4vp and siopv2 (Issue #1539)<o:p></o:p></p>
<p class="MsoNormal"> Kristina revised the PR in response to comments by David Chadwick<o:p></o:p></p>
<p class="MsoNormal"> David Chadwick discussed the use of the profile as defaults<o:p></o:p></p>
<p class="MsoNormal"> Mike Jones said that this is above the bar to merge<o:p></o:p></p>
<p class="MsoNormal"> David Chadwick is happy with the wording now<o:p></o:p></p>
<p class="MsoNormal"> He asked if we want to move the text out of the Implementation Considerations section<o:p></o:p></p>
<p class="MsoNormal"> We decided to leave it where it is<o:p></o:p></p>
<p class="MsoNormal"> Kristina will merge it after the call<o:p></o:p></p>
<p class="MsoNormal"> PR #310: Clean up of SIOPv2<o:p></o:p></p>
<p class="MsoNormal"> Kristina wrote a PR with editorial cleanups of the SIOPv2 specification<o:p></o:p></p>
<p class="MsoNormal"> Reviews are requested<o:p></o:p></p>
<p class="MsoNormal"> PR #240: Add "type" to OP Metadata (Issues #1566, #1592, #1628)<o:p></o:p></p>
<p class="MsoNormal"> Kristina, Tobias, and a few others will have a call specific to this PR in the coming week and will report back<o:p></o:p></p>
<p class="MsoNormal"> Kenichi plans to review the PR<o:p></o:p></p>
<p class="MsoNormal"> Kenichi's concern about "doctype" is that doctype element is used to ENCAPSULATE mdoc components,<o:p></o:p></p>
<p class="MsoNormal"> say "issuer signed item" and "device signed item"<o:p></o:p></p>
<p class="MsoNormal"> However it does not seem to have such structure<o:p></o:p></p>
<p class="MsoNormal"> David Chadwick remarked that the claims are in the local namespace of the credential type<o:p></o:p></p>
<p class="MsoNormal"> PR #255: Determining if one party may be able to trust a second party.<o:p></o:p></p>
<p class="MsoNormal"> Kristina asked if there's been progress on this PR<o:p></o:p></p>
<p class="MsoNormal"> David said that we would only be including an URI for the trust method - not standardizing anything beyond that<o:p></o:p></p>
<p class="MsoNormal"> He said that he's aware of four trust methods already in use<o:p></o:p></p>
<p class="MsoNormal"> EduGain, TRAIN, OpenID Federation, yes.com<o:p></o:p></p>
<p class="MsoNormal"> How they work is up to each scheme to define how they work<o:p></o:p></p>
<p class="MsoNormal"> PR #299: <o:p></o:p></p>
<p class="MsoNormal"> George said that error codes can be meaningful to two parties: developers and the code itself<o:p></o:p></p>
<p class="MsoNormal"> The error_code is intended for information actionable by the code<o:p></o:p></p>
<p class="MsoNormal"> The error_description is intended for developers<o:p></o:p></p>
<p class="MsoNormal"> He said that we need to be careful not to leak useful information to attackers<o:p></o:p></p>
<p class="MsoNormal"> Mike said that George has it exactly right<o:p></o:p></p>
<p class="MsoNormal"> David Chadwick has the information he needs to be able to update the PR<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open">
https://bitbucket.org/openid/connect/issues?status=new&status=open</a><o:p></o:p></p>
<p class="MsoNormal"> #1632: Issuer metadata clarification needed<o:p></o:p></p>
<p class="MsoNormal"> There's a question about whether resource server metadata should be separate from authorization server metadata<o:p></o:p></p>
<p class="MsoNormal"> Mike said that there's not a standard for RS metadata<o:p></o:p></p>
<p class="MsoNormal"> He wrote an individual draft that wasn't adopted by the working group<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://datatracker.ietf.org/doc/html/draft-jones-oauth-resource-metadata">
https://datatracker.ietf.org/doc/html/draft-jones-oauth-resource-metadata</a><o:p></o:p></p>
<p class="MsoNormal"> Kristina said that some have asked to not use .well-known for site administration issues<o:p></o:p></p>
<p class="MsoNormal"> George said that redirections for .well-known URLs are allowed, such as from aol.com/.well-known/openid-configuration to another URL<o:p></o:p></p>
<p class="MsoNormal"> George advocated for using .well-known<o:p></o:p></p>
<p class="MsoNormal"> Mike agreed<o:p></o:p></p>
<p class="MsoNormal"> Mike said we can resurrect the OAuth resource server metadata work if we choose<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next call will be Monday, October 3, 2022 at 4pm Pacific Time<o:p></o:p></p>
</div>
</body>
</html>