<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">SIOP Special Topic Call Notes 3-Nov-22<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Daniel McGrogan (Workday)<o:p></o:p></p>
<p class="MsoNormal">Daniel Godbout (Microsoft)<o:p></o:p></p>
<p class="MsoNormal">George Fletcher<o:p></o:p></p>
<p class="MsoNormal">Joseph Heenan<o:p></o:p></p>
<p class="MsoNormal">Daniel Fett<o:p></o:p></p>
<p class="MsoNormal">David Chadwick<o:p></o:p></p>
<p class="MsoNormal">Kristina Yasuda<o:p></o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal">Petteri Stenius<o:p></o:p></p>
<p class="MsoNormal">Oliver Terbu<o:p></o:p></p>
<p class="MsoNormal">Jeremie Miller<o:p></o:p></p>
<p class="MsoNormal">Gail Hodges<o:p></o:p></p>
<p class="MsoNormal">Torsten Lodderstedt<o:p></o:p></p>
<p class="MsoNormal">David Waite (DW)<o:p></o:p></p>
<p class="MsoNormal">Bjorn Hjelm<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open">
https://bitbucket.org/openid/connect/issues?status=new&status=open</a><o:p></o:p></p>
<p class="MsoNormal"> #1632: Should RS have a separate metadata file from the AS?<o:p></o:p></p>
<p class="MsoNormal"> It was noted that people may not be on the same page about the requirements<o:p></o:p></p>
<p class="MsoNormal"> Torsten asked what to append to the issuer URL<o:p></o:p></p>
<p class="MsoNormal"> .well-known/openid-configuration may not be applicable<o:p></o:p></p>
<p class="MsoNormal"> .well-known/openid-credential-issuer is the latest proposal<o:p></o:p></p>
<p class="MsoNormal"> Joseph suggested using .well-known/oauth-server-metadata<o:p></o:p></p>
<p class="MsoNormal"> Daniel Godbout asked about when the issuer is a DID<o:p></o:p></p>
<p class="MsoNormal"> There's a separate issue for that: #1709<o:p></o:p></p>
<p class="MsoNormal"> Mike spoke in favor of .well-known/openid-credential-issuer<o:p></o:p></p>
<p class="MsoNormal"> The metadata parameters are listed in
<a href="https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-09.html#name-server-metadata">
https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-09.html#name-server-metadata</a><o:p></o:p></p>
<p class="MsoNormal"> Torsten said that the RFC 8414 parameters are also already there<o:p></o:p></p>
<p class="MsoNormal"> Daniel McGrogan said that he thinks the resource metadata should be distinct from the authorization server metadata<o:p></o:p></p>
<p class="MsoNormal"> DW said that most of the registered metadata values are about extending authorization server functionality<o:p></o:p></p>
<p class="MsoNormal"> Generally, APIs defined by ASs are not described in the ASs' metadata<o:p></o:p></p>
<p class="MsoNormal"> But the UserInfo Endpoint API is listed there<o:p></o:p></p>
<p class="MsoNormal"> Torsten said that it's interesting that the UserInfo Endpoint is in the AS's metadata<o:p></o:p></p>
<p class="MsoNormal"> He finds it to be a practical, convenient decision<o:p></o:p></p>
<p class="MsoNormal"> Torsten wonders about the complexity of splitting the AS and resource metadata into different locations<o:p></o:p></p>
<p class="MsoNormal"> He thinks that the current solution is already sufficient<o:p></o:p></p>
<p class="MsoNormal"> George supported separating the endpoints<o:p></o:p></p>
<p class="MsoNormal"> Joseph said that since it's resource server metadata, you'd discover it from the resource path - not the AS path<o:p></o:p></p>
<p class="MsoNormal"> Torsten said that whatever it is, it's where you get the information needed to start the flow<o:p></o:p></p>
<p class="MsoNormal"> Kristina said that if we're discovering OAuth AS metadata, then the OAuth path makes sense<o:p></o:p></p>
<p class="MsoNormal"> Torsten said that we want to discover the credential issuer<o:p></o:p></p>
<p class="MsoNormal"> Kristina suggested having a small group to discuss the issue, as was done for the metadata issue<o:p></o:p></p>
<p class="MsoNormal"> People were fine with that<o:p></o:p></p>
<p class="MsoNormal"> Brian asked to be part of the small group<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OpenID Workshop<o:p></o:p></p>
<p class="MsoNormal"> The OpenID Workshop will be Monday, November 14th - the day before IIW, 12:30-4pm at Visa<o:p></o:p></p>
<p class="MsoNormal"> See registration information at <a href="https://openid.net/2022/10/24/workshop-at-visa-monday-november-14-2022/">
https://openid.net/2022/10/24/workshop-at-visa-monday-november-14-2022/</a><o:p></o:p></p>
<p class="MsoNormal"> Register by Wednesday, November 9th<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Limited Government Participation<o:p></o:p></p>
<p class="MsoNormal"> Gail reported that there is limited government representation amongst the 18013-7/23220-4 participants<o:p></o:p></p>
<p class="MsoNormal"> There's no guarantee that ISO will include the OpenID4VC specs<o:p></o:p></p>
<p class="MsoNormal"> There's an interop including them on December 4-5 in Brisbane<o:p></o:p></p>
<p class="MsoNormal"> Gail asked people who have government identity contacts for forward them to her to perhaps get statements from them in advance of the interop<o:p></o:p></p>
<p class="MsoNormal"> Contact her at <a href="mailto:gail.hodges@oidf.org">
gail.hodges@oidf.org</a><o:p></o:p></p>
<p class="MsoNormal"> Kristina remarked that it's not yet determined what credential formats will be used in what contexts<o:p></o:p></p>
<p class="MsoNormal"> The OpenID4VC specs are one of the few paths that enable credential format agility<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Security Review<o:p></o:p></p>
<p class="MsoNormal"> Daniel Fett reported on a security review of the issuance specification<o:p></o:p></p>
<p class="MsoNormal"> There were no issues that he found<o:p></o:p></p>
<p class="MsoNormal"> He may file a PR with some suggestions<o:p></o:p></p>
<p class="MsoNormal"> He will also review the presentation spec<o:p></o:p></p>
<p class="MsoNormal"> Daniel McGrogan asked if the review is published<o:p></o:p></p>
<p class="MsoNormal"> Torsten said that the recommendation is to always use the server-provided nonce<o:p></o:p></p>
<p class="MsoNormal"> Torsten volunteered to file a PR clarifying this<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Pull Requests<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/">
https://bitbucket.org/openid/connect/pull-requests/</a><o:p></o:p></p>
<p class="MsoNormal"> PR #327: clarified the definition of response mode post - Issue #1626<o:p></o:p></p>
<p class="MsoNormal"> We have approvals from Mike and Joseph people<o:p></o:p></p>
<p class="MsoNormal"> We're asking for Brian and/or George to also review<o:p></o:p></p>
<p class="MsoNormal"> PR #345: Update Introduction and Overview of OpenID4VP specification to better explain the new model<o:p></o:p></p>
<p class="MsoNormal"> Mostly editorial<o:p></o:p></p>
<p class="MsoNormal"> PR #351: relaxed client id requirements for pre-authz code grant type<o:p></o:p></p>
<p class="MsoNormal"> Additional reviews requested<o:p></o:p></p>
<p class="MsoNormal"> We would like to merge these three PRs in the next week<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> We may cancel the next SIOP call due to a conflict with the OAuth WG meeting at IETF in London<o:p></o:p></p>
</div>
</body>
</html>