<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
.MsoPapDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">SIOP Special Topic Call Notes 2-Feb-23<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Judith Kahrer<o:p></o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal">Oliver Terbu<o:p></o:p></p>
<p class="MsoNormal">Pieter Kasselman<o:p></o:p></p>
<p class="MsoNormal">Kristina Yasuda<o:p></o:p></p>
<p class="MsoNormal">Bjorn Hjelm<o:p></o:p></p>
<p class="MsoNormal">Dmitri Zagidulin<o:p></o:p></p>
<p class="MsoNormal">David Waite<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Judith Kahrer from Curity introduced herself<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Pull Requests<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/">
https://bitbucket.org/openid/connect/pull-requests/</a><o:p></o:p></p>
<p class="MsoNormal"> We merged a number of PRs during the week, including PR #419<o:p></o:p></p>
<p class="MsoNormal"> PR #432 should be good to go - reviews solicited<o:p></o:p></p>
<p class="MsoNormal"> PR #433 and #434<o:p></o:p></p>
<p class="MsoNormal"> Describes use of cross-device flow on same device<o:p></o:p></p>
<p class="MsoNormal"> PR #425: add terminology source and delete base64url encoding definition (Issue #1789)<o:p></o:p></p>
<p class="MsoNormal"> Kristina proposes to merge this after the call<o:p></o:p></p>
<p class="MsoNormal"> PR #427: OID4VP: client id format<o:p></o:p></p>
<p class="MsoNormal"> Kristina explained the intent of this PR<o:p></o:p></p>
<p class="MsoNormal"> Brian pointed out that the X.509 mechanism wasn't previously there<o:p></o:p></p>
<p class="MsoNormal"> We will separate this out<o:p></o:p></p>
<p class="MsoNormal"> Issue #1798 is part of the discussion: OID4VPs - need to specify the trust model<o:p></o:p></p>
<p class="MsoNormal"> Signing requests in multiple ways would be problematic<o:p></o:p></p>
<p class="MsoNormal"> ISO is interested in doing a pre-negotiation step before authorization<o:p></o:p></p>
<p class="MsoNormal"> Mike asked why the additional parameter is necessary when we haven't needed it so far<o:p></o:p></p>
<p class="MsoNormal"> The OP has been able to look at the Client ID syntax and determine what it is<o:p></o:p></p>
<p class="MsoNormal"> Either it's pre-registered, or it's a Redirect URI or it's an Entity Statement URL<o:p></o:p></p>
<p class="MsoNormal"> ISO mdocs want to use X.509 certs<o:p></o:p></p>
<p class="MsoNormal"> We need to define what the Client ID is in that case<o:p></o:p></p>
<p class="MsoNormal"> DW asked whether the different Client ID schemes can be differentiated via their URIs<o:p></o:p></p>
<p class="MsoNormal"> He is concerned about attacks<o:p></o:p></p>
<p class="MsoNormal"> He is worried about client impersonation attacks<o:p></o:p></p>
<p class="MsoNormal"> Kristina said that, for instance, in OpenID Federation, one would have to control the domain name of the .well-known to accomplish anything<o:p></o:p></p>
<p class="MsoNormal"> Kristina said that having one mechanism per scheme may be impractical<o:p></o:p></p>
<p class="MsoNormal"> DW said that having a Client Format makes the format part of the identity of the entity<o:p></o:p></p>
<p class="MsoNormal"> Mike asserted that the existing formats can be distinguished without the format parameter<o:p></o:p></p>
<p class="MsoNormal"> He said that we shouldn’t add it until it's clear that we need it<o:p></o:p></p>
<p class="MsoNormal"> Kristina said that X.509 distinguished names might be indistinguishable from domain names<o:p></o:p></p>
<p class="MsoNormal"> Brian said that additional mechanisms that are not well thought out were added to the PR<o:p></o:p></p>
<p class="MsoNormal"> These areas could be problematic<o:p></o:p></p>
<p class="MsoNormal"> Mike agreed that we shouldn't add X.509 and other mechanisms that aren't well-defined at first<o:p></o:p></p>
<p class="MsoNormal"> Brian has concerns with the way that we're adding in dynamic client registration<o:p></o:p></p>
<p class="MsoNormal"> It's a mess and problematic<o:p></o:p></p>
<p class="MsoNormal"> He said that the idea of trying to make it explicit seems helpful<o:p></o:p></p>
<p class="MsoNormal"> Mike agreed to add an issue comment with his views<o:p></o:p></p>
<p class="MsoNormal"> Brian doesn't think that DIDs should be a Client ID format<o:p></o:p></p>
<p class="MsoNormal"> Kristina asked Brian to file PR comments<o:p></o:p></p>
<p class="MsoNormal"> Kristina said that the editors have been incorporating feedback on the PR<o:p></o:p></p>
<p class="MsoNormal"> We're trying to minimize breaking changes after the second Implementer's Draft<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open&component=SIOP&component=Verifiable%20Presentation&component=Credential%20Issuance">
https://bitbucket.org/openid/connect/issues?status=new&status=open&component=SIOP&component=Verifiable%20Presentation&component=Credential%20Issuance</a><o:p></o:p></p>
<p class="MsoNormal"> #1807: Signed Requests and Replay Prevention<o:p></o:p></p>
<p class="MsoNormal"> Mike doesn't understand why making a second request with the same parameters as the first constitutes an attack<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next call will be Monday at 3pm Pacific Time<o:p></o:p></p>
</div>
</body>
</html>