<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Mike</p>
<p>Minor corrections to the minutes. <br>
</p>
<p>1. The demo for kicking off wallets for credential issuing is at
<a href="https://idp.research.identiproof.io"
class="moz-txt-link-freetext">
https://idp.research.identiproof.io</a> as reported in the
minutes. But wallets also need the username: user and password:
password in order to log in to see the credential they can be
issued with.<br>
</p>
<p>2. Next week is not the JFF Plugfest event. This is scheduled for
14 November. Next week is the kickoff meeting that we are
arranging with participants who want to use the OIDC4VCI protocol
for the JFF Plugfest.</p>
<p>Kind regards</p>
<p>David<br>
</p>
<div class="moz-cite-prefix">On 29/09/2022 18:47, Mike Jones via
Openid-specs-ab wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CO1PR00MB130877052D85B89E6C00AB32F5579@CO1PR00MB1308.namprd00.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">SIOP Special Topic Call Notes 29-Sep-22<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Petteri Stenius<o:p></o:p></p>
<p class="MsoNormal">David Chadwick<o:p></o:p></p>
<p class="MsoNormal">Kristina Yasuda<o:p></o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal">Kenichi Nakamura<o:p></o:p></p>
<p class="MsoNormal">Gail Hodges<o:p></o:p></p>
<p class="MsoNormal">George Fletcher<o:p></o:p></p>
<p class="MsoNormal">David Waite (DW)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Joseph Heenan<o:p></o:p></p>
<p class="MsoNormal">Torsten Lodderstedt<o:p></o:p></p>
<p class="MsoNormal">Bjorn Hjelm<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Planning for Implementer's Drafts<o:p></o:p></p>
<p class="MsoNormal"> Kristina reviewed our plans
to move to new Implementer's Drafts<o:p></o:p></p>
<p class="MsoNormal"> For SIOPv2 and OpenID4VP
there aren't big issues to be resolved before the next
Implementer's Drafts<o:p></o:p></p>
<p class="MsoNormal"> Editorial
cleanups, etc. are planned<o:p></o:p></p>
<p class="MsoNormal"> For OpenID4VCI, there's
increasing interest in the work by others<o:p></o:p></p>
<p class="MsoNormal"> For instance, by
DIF<o:p></o:p></p>
<p class="MsoNormal"> We want an
Implementer's Draft to signify stability and convey IPR
protection<o:p></o:p></p>
<p class="MsoNormal"> Three big issues
to resolve before going to Implementer's Draft:<o:p></o:p></p>
<p class="MsoNormal">
Structure of issuer's metadata: PR #240<o:p></o:p></p>
<p class="MsoNormal">
Separating the resource server metadata file (or not) -
multiple issues<o:p></o:p></p>
<p class="MsoNormal">
Multiple issuance endpoint<o:p></o:p></p>
<p class="MsoNormal"> Also "cnonce",
attestations, etc., which we may park until we get feedback
from implementers<o:p></o:p></p>
<p class="MsoNormal"> David said that there's still
no way for a wallet to indicate exactly what it wants<o:p></o:p></p>
<p class="MsoNormal"> For instance,
only one of multiple degrees from a university<o:p></o:p></p>
<p class="MsoNormal"> Kristina said
that these are related to the multiple issuance endpoint and
metadata<o:p></o:p></p>
<p class="MsoNormal">
It's up to the issuer to decide what's mandatory and optional
- not the wallet<o:p></o:p></p>
<p class="MsoNormal"> Gail reported that the
California DMV is planning to use all three specifications<o:p></o:p></p>
<p class="MsoNormal"> They are moving
very quickly<o:p></o:p></p>
<p class="MsoNormal"> Kristina asked David Chadwick
to circulate a demo to the working group that he's been
showing<o:p></o:p></p>
<p class="MsoNormal"> David C. reported that Joseph
Heenan has done an initial test, achieving credential issuance<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">FIDO Authenticate Conference<o:p></o:p></p>
<p class="MsoNormal"> Gail reported on sessions
we'll be having at FIDO Authenticate in Seattle<o:p></o:p></p>
<p class="MsoNormal"> We will have an overview of
the OIDF strategy<o:p></o:p></p>
<p class="MsoNormal"> We will have a deep dive on
FAPI<o:p></o:p></p>
<p class="MsoNormal"> There will be a 3.5 hour
session on OpenID topics<o:p></o:p></p>
<p class="MsoNormal"> Including
OpenID4VP, GAIN, whitepapers, messages for government
officials<o:p></o:p></p>
<p class="MsoNormal"> Heather Flanagan
will present on the privacy whitepaper<o:p></o:p></p>
<p class="MsoNormal"> They will be open to OpenID
Foundation members for free<o:p></o:p></p>
<p class="MsoNormal"> There will be a November 14th
OpenID Workshop the day before IIW starts<o:p></o:p></p>
<p class="MsoNormal"> Mike asked if we've made
plans for Kim Cameron award recipients at Authenticate<o:p></o:p></p>
<p class="MsoNormal"> Don Thibeau has
the action item for that<o:p></o:p></p>
<p class="MsoNormal"> This will be the free zoom
link for the OIDF plenary sessions 9-1230pm Pacific Time on
Wednesday Oct 19th<o:p></o:p></p>
<p class="MsoNormal"> This will also
be sent in OIDF Twitter and Blog post. Here is the Zoom link
for the OIDF sessions at the FIDO Plenary:<o:p></o:p></p>
<p class="MsoNormal"> <a
href="https://zoom.us/j/93339382688?pwd=bVQ5a1N0bjh6eU5XZ25TWjhkdXptZz09"
moz-do-not-send="true" class="moz-txt-link-freetext">
https://zoom.us/j/93339382688?pwd=bVQ5a1N0bjh6eU5XZ25TWjhkdXptZz09</a><o:p></o:p></p>
<p class="MsoNormal"> For FIDO Authenticate there
is a 20% discount for OIDF members<o:p></o:p></p>
<p class="MsoNormal"> You can use this
code to sign up on the FIDO Authenticate website: 20OIDF22<o:p></o:p></p>
<p class="MsoNormal"> OIDF talk at Authenticate
will be Tuesday afternoon<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">IIW and OpenID Workshop<o:p></o:p></p>
<p class="MsoNormal"> Gail updated us about IIW and
the OpenID Workshop prior<o:p></o:p></p>
<p class="MsoNormal"> OIDF Members can also get a
20% Discount on attending IIW, and the places are selling out
fast so don't delay.<o:p></o:p></p>
<p class="MsoNormal"> In spring they
did sell out.<o:p></o:p></p>
<p class="MsoNormal"> Also, here’s a 20% discount
code you can share with your members if they’d like to attend:<o:p></o:p></p>
<p class="MsoNormal"> <a
href="http://www.eventbrite.com/e/368643531727/?discount=OIDF_XXXV_20"
moz-do-not-send="true">
www.eventbrite.com/e/368643531727/?discount=OIDF_XXXV_20</a><o:p></o:p></p>
<p class="MsoNormal"> OIDF workshop is targeted to
be the day before on 11/14 but we are still waiting to confirm
the location, potentially at Visa office<o:p></o:p></p>
<p class="MsoNormal"> If that does not
work, we may co-locate with IIW (at their invitation)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Jobs for the Future (JFF)<o:p></o:p></p>
<p class="MsoNormal"> David Chadwick reports that
JFF will be holding an OpenID4VC plugfest next week<o:p></o:p></p>
<p class="MsoNormal"> <a
href="https://idp.research.identiproof.io"
moz-do-not-send="true" class="moz-txt-link-freetext">
https://idp.research.identiproof.io</a><o:p></o:p></p>
<p class="MsoNormal"> Full descriptions of all
resources are here <a href="https://ngiatlantic.info"
moz-do-not-send="true" class="moz-txt-link-freetext">
https://ngiatlantic.info</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">JSON Web Proofs (JWP) Virtual Interim BoF<o:p></o:p></p>
<p class="MsoNormal"> It will be Wednesday, October
2022-10-12 from 13:00 to 15:00 America/New_York (17:00 to
19:00 UTC)<o:p></o:p></p>
<p class="MsoNormal"> Join at <a
href="https://meetings.conf.meetecho.com/interim/?short=cd2380f0-b32b-4c48-b6af-9c882205217d"
moz-do-not-send="true" class="moz-txt-link-freetext">
https://meetings.conf.meetecho.com/interim/?short=cd2380f0-b32b-4c48-b6af-9c882205217d</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Pull Requests<o:p></o:p></p>
<p class="MsoNormal"> <a
href="https://bitbucket.org/openid/connect/pull-requests/"
moz-do-not-send="true" class="moz-txt-link-freetext">
https://bitbucket.org/openid/connect/pull-requests/</a><o:p></o:p></p>
<p class="MsoNormal"> PR #265: static configuration
data in openid4vp and siopv2 (Issue #1539)<o:p></o:p></p>
<p class="MsoNormal"> Kristina revised
the PR in response to comments by David Chadwick<o:p></o:p></p>
<p class="MsoNormal"> David Chadwick
discussed the use of the profile as defaults<o:p></o:p></p>
<p class="MsoNormal"> Mike Jones said
that this is above the bar to merge<o:p></o:p></p>
<p class="MsoNormal"> David Chadwick
is happy with the wording now<o:p></o:p></p>
<p class="MsoNormal"> He
asked if we want to move the text out of the Implementation
Considerations section<o:p></o:p></p>
<p class="MsoNormal"> We
decided to leave it where it is<o:p></o:p></p>
<p class="MsoNormal"> Kristina will
merge it after the call<o:p></o:p></p>
<p class="MsoNormal"> PR #310: Clean up of SIOPv2<o:p></o:p></p>
<p class="MsoNormal"> Kristina wrote a
PR with editorial cleanups of the SIOPv2 specification<o:p></o:p></p>
<p class="MsoNormal"> Reviews are
requested<o:p></o:p></p>
<p class="MsoNormal"> PR #240: Add "type" to OP
Metadata (Issues #1566, #1592, #1628)<o:p></o:p></p>
<p class="MsoNormal"> Kristina,
Tobias, and a few others will have a call specific to this PR
in the coming week and will report back<o:p></o:p></p>
<p class="MsoNormal"> Kenichi plans to
review the PR<o:p></o:p></p>
<p class="MsoNormal">
Kenichi's concern about "doctype" is that the doctype element is
used to ENCAPSULATE mdoc components,<o:p></o:p></p>
<p class="MsoNormal">
say "issuer signed item" and "device signed item"<o:p></o:p></p>
<p class="MsoNormal">
However, it does not seem to have such structure<o:p></o:p></p>
<p class="MsoNormal"> David Chadwick
remarked that the claims are in the local namespace of the
credential type<o:p></o:p></p>
<p class="MsoNormal"> PR #255: Determining if one
party may be able to trust a second party.<o:p></o:p></p>
<p class="MsoNormal"> Kristina asked
if there's been progress on this PR<o:p></o:p></p>
<p class="MsoNormal"> David said that
we would only be including a URI for the trust method - not
standardizing anything beyond that<o:p></o:p></p>
<p class="MsoNormal"> He said that
he's aware of four trust methods already in use<o:p></o:p></p>
<p class="MsoNormal">
EduGain, TRAIN, OpenID Federation, yes.com<o:p></o:p></p>
<p class="MsoNormal">
How they work is up to each scheme to define<o:p></o:p></p>
<p class="MsoNormal"> PR #299: <o:p></o:p></p>
<p class="MsoNormal"> George said that
error codes can be meaningful to two parties: developers and
the code itself<o:p></o:p></p>
<p class="MsoNormal">
The error_code is intended for information actionable by the
code<o:p></o:p></p>
<p class="MsoNormal">
The error_description is intended for developers<o:p></o:p></p>
<p class="MsoNormal"> He
said that we need to be careful not to leak useful information
to attackers<o:p></o:p></p>
<p class="MsoNormal"> Mike said that
George has it exactly right<o:p></o:p></p>
<p class="MsoNormal"> David Chadwick
has the information he needs to be able to update the PR<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Issues<o:p></o:p></p>
<p class="MsoNormal"> <a
href="https://bitbucket.org/openid/connect/issues?status=new&status=open"
moz-do-not-send="true">
https://bitbucket.org/openid/connect/issues?status=new&status=open</a><o:p></o:p></p>
<p class="MsoNormal"> #1632: Issuer metadata
clarification needed<o:p></o:p></p>
<p class="MsoNormal"> There's a
question about whether resource server metadata should be
separate from authorization server metadata<o:p></o:p></p>
<p class="MsoNormal">
Mike said that there's not a standard for RS metadata<o:p></o:p></p>
<p class="MsoNormal"> He
wrote an individual draft that wasn't adopted by the working
group<o:p></o:p></p>
<p class="MsoNormal">
<a
href="https://datatracker.ietf.org/doc/html/draft-jones-oauth-resource-metadata"
moz-do-not-send="true" class="moz-txt-link-freetext">
https://datatracker.ietf.org/doc/html/draft-jones-oauth-resource-metadata</a><o:p></o:p></p>
<p class="MsoNormal"> Kristina said
that some have asked to not use .well-known for site
administration issues<o:p></o:p></p>
<p class="MsoNormal"> George said that
redirections for .well-known URLs are allowed, such as from
aol.com/.well-known/openid-configuration to another URL<o:p></o:p></p>
<p class="MsoNormal"> George advocated
for using .well-known<o:p></o:p></p>
<p class="MsoNormal">
Mike agreed<o:p></o:p></p>
<p class="MsoNormal"> Mike said we can
resurrect the OAuth resource server metadata work if we choose<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next call will be Monday,
October 3, 2022 at 4pm Pacific Time<o:p></o:p></p>
</div>
</blockquote>
</body>
</html>