<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Spec Call Notes 27-Nov-23<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Victor Lu<o:p></o:p></p>
<p class="MsoNormal">Dima Postnikov<o:p></o:p></p>
<p class="MsoNormal">Tom Jones<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">DCP Pacific-friendly call time<o:p></o:p></p>
<p class="MsoNormal"> There have been requests to institute a Pacific-friendly DCP call<o:p></o:p></p>
<p class="MsoNormal"> As data points<o:p></o:p></p>
<p class="MsoNormal"> This call is at 4pm Pacific Time<o:p></o:p></p>
<p class="MsoNormal"> For Dima in Eastern Australia, this call is 10am. He could make 8am or 9am his time as well.<o:p></o:p></p>
<p class="MsoNormal"> For New Zealand, this call is at noon<o:p></o:p></p>
<p class="MsoNormal"> For Japan, this call is at 8am<o:p></o:p></p>
<p class="MsoNormal"> Look for a Doodle poll<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Dima led a discussion on allowed claims and Client Registration<o:p></o:p></p>
<p class="MsoNormal"> He'd spoken with Nat and Mark Haine about it<o:p></o:p></p>
<p class="MsoNormal"> ConnectID runs an ecosystem where a central authority accredits RPs<o:p></o:p></p>
<p class="MsoNormal"> Including what claims they're eligible to receive<o:p></o:p></p>
<p class="MsoNormal"> They're using a software_statement at client registration time<o:p></o:p></p>
<p class="MsoNormal"> What to do if an RP requests a claim that it's not eligible for?<o:p></o:p></p>
<p class="MsoNormal"> It's not an error to not receive a requested claim<o:p></o:p></p>
<p class="MsoNormal"> Not having consent to release a claim is another reason to not return a claim<o:p></o:p></p>
<p class="MsoNormal"> There's also unmet_authentication_requirements<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://openid.net/specs/openid-connect-unmet-authentication-requirements-1_0.html">
https://openid.net/specs/openid-connect-unmet-authentication-requirements-1_0.html</a><o:p></o:p></p>
<p class="MsoNormal"> RFC 6749 talks about being able to ignore scopes<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://www.rfc-editor.org/rfc/rfc6749.html#section-3.3">
https://www.rfc-editor.org/rfc/rfc6749.html#section-3.3</a><o:p></o:p></p>
<p class="MsoNormal"> And it defines invalid_scope<o:p></o:p></p>
<p class="MsoNormal"> The requested scope is invalid, unknown, or malformed.<o:p></o:p></p>
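<p class="MsoNormal"> The decision logic the discussion above describes, as an added example (not code from the call notes or from ConnectID): an OP filters the requested claims against the RP's accredited claim set and the end-user's consent without raising an error, and handles scopes per RFC 6749 3.3. The <code>eligible</code> and <code>consented</code> inputs and the sample data are hypothetical.<o:p></o:p></p>

```python
"""OP-side decision logic for the claims and scopes an RP asks for.
Added example, not code from the call notes or from ConnectID; it applies the
rules the notes cite: OpenID Connect Core 5.5.1 (omitting a requested claim is
not an error) and RFC 6749 3.3 (unknown scopes may be ignored, malformed ones
are invalid_scope). Hypothetical inputs: `eligible` is the claim set the RP was
accredited for (from its software_statement at registration); `consented` is
what the end-user agreed to release."""
import re

# RFC 6749 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
SCOPE_TOKEN = re.compile(r"^[\x21\x23-\x5B\x5D-\x7E]+$")

def decide_claims(claims_request, eligible, consented, available):
    """Filter an OIDC `claims` request parameter ({"id_token": {...},
    "userinfo": {...}}) to what may be released. Returns the released claims
    per target plus an audit list of (target, claim, reason) for each claim
    silently dropped. Nothing raises: the OP MUST NOT error when a requested
    claim is not returned, whether it was marked essential or not."""
    released, dropped = {}, []
    for target in ("id_token", "userinfo"):
        out = {}
        for name in (claims_request.get(target) or {}):
            if name not in eligible:      # RP not accredited for this claim
                dropped.append((target, name, "not_accredited"))
            elif name not in consented:   # end-user withheld consent
                dropped.append((target, name, "no_consent"))
            elif name not in available:   # OP has no value for this user
                dropped.append((target, name, "not_available"))
            else:
                out[name] = available[name]
        released[target] = out
    return released, dropped

def grant_scopes(requested, supported):
    """RFC 6749 3.3: a malformed scope string is an invalid_scope error; an
    unknown but well-formed scope is ignored. Returns (granted, error). If
    granted differs from the request, the token response must include the
    `scope` parameter so the RP learns what it actually got."""
    tokens = requested.split(" ") if requested else []
    if any(not SCOPE_TOKEN.match(t) for t in tokens):
        return [], "invalid_scope"
    return [t for t in tokens if t in supported], None

# Constructed sample data, not from any real deployment
SAMPLE_REQUEST = {"id_token": {"email": {"essential": True}, "auth_time": None},
                  "userinfo": {"name": None, "phone_number": {"essential": True},
                               "birthdate": None}}
SAMPLE_PROFILE = {"email": "user@example.com", "name": "A. User",
                  "phone_number": "+15550100", "auth_time": 1700000000}
SAMPLE_ELIGIBLE = {"email", "name", "auth_time", "birthdate"}
SAMPLE_CONSENTED = {"email", "name", "auth_time"}
```

The dropped list is what an OP would log: it records that an RP asked for a claim outside its accreditation, which is worth detecting even though the response itself carries no error.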
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Pull Requests<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/">
https://bitbucket.org/openid/connect/pull-requests/</a><o:p></o:p></p>
<p class="MsoNormal"> PR #667: fix: [Federation] Subordinate Entity definition<o:p></o:p></p>
<p class="MsoNormal"> Merged<o:p></o:p></p>
<p class="MsoNormal"> PR #672: [Federation] Tighten Client Registration section<o:p></o:p></p>
<p class="MsoNormal"> Merged<o:p></o:p></p>
<p class="MsoNormal"> PR #673: [Federation] Tightened appendix examples<o:p></o:p></p>
<p class="MsoNormal"> To be merged after resolving merge conflicts<o:p></o:p></p>
<p class="MsoNormal"> PR #674: [Federation] security consideration - rewording and static trust chain<o:p></o:p></p>
<p class="MsoNormal"> How can we prevent resource consumption attacks?<o:p></o:p></p>
<p class="MsoNormal"> More reviews requested<o:p></o:p></p>
<p class="MsoNormal"> Tom said that these are a form of denial of service attacks<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open&status=submitted&is_spam=!spam">
https://bitbucket.org/openid/connect/issues?status=new&status=open&status=submitted&is_spam=!spam</a><o:p></o:p></p>
<p class="MsoNormal"> #2088: [Federation] tls_client_auth as a request authentication method<o:p></o:p></p>
<p class="MsoNormal"> Discussions on use of the Subject Alternative Name<o:p></o:p></p>
<p class="MsoNormal"> Tom said that some of this information isn't even surfaced to the application<o:p></o:p></p>
<p class="MsoNormal"> Mike wondered how these decisions relate to those made in
<a href="https://www.rfc-editor.org/rfc/rfc8705.html">https://www.rfc-editor.org/rfc/rfc8705.html</a><o:p></o:p></p>
<p class="MsoNormal"> OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens<o:p></o:p></p>
<p class="MsoNormal"> It would be good to have John Bradley look at this<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next call is scheduled for Thursday, November 30, 2024 at 7am Pacific Time<o:p></o:p></p>
<p class="MsoNormal"> However this conflicts with the IESG telechat, so Mike will likely not be able to attend<o:p></o:p></p>
</div>
</body>
</html>