<div dir="ltr"><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>Minutes: OpenID AB/Connect 2024-02-26 3pm PT</b></p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>Attendees:</b></p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>Nat Sakimura</b></p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>Tom Jones</b></p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>George Fletcher</b></p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>Aaron Parecki </b></p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>Michael Jones</b></p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>Brian Campbell</b></p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>DWaite </b></p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>Dima Postnikov</b></p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>Andrii Deinega</b></p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>Bjorn Hjelm</b></p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b> </b></p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>External Orgs:</b></p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b> </b></p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Short chat on the need for some means
for a verifier (or any initiator) to create a connection to an appropriate app on
the device. Needed, but not clear where it belongs. Originated in DCP. Tom to
create an issue and send a draft to George.</p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"> </p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">OpenID Workshop before IIW <a href="https://openid.net/registration-oidf-workshop-monday-april-15-2024/" style="color:rgb(5,99,193)">https://openid.net/registration-oidf-workshop-monday-april-15-2024/</a></p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"> </p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">OpenID DCP will have an event on
Friday after IIW, probably at Google. Look for announcements.</p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"> </p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">OAuth Security Workshop
registration is open. The call for speakers at <a href="https://oauth.secworkshop.events/osw2024Call">https://oauth.secworkshop.events/osw2024Call</a> is
open from now until March 4, 2024.</p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"> </p>
<p class="MsoNormal" style="margin:0in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">W3C Privacy: Mozilla has a
specific module to use session storage. Google has a similar proposal in <a href="http://blink.dev">blink.dev</a>
to allow files to be accessed cross-origin in WICG, addressing the use of stolen
credentials to access and use an existing table of tokens. The obvious solution seems to be to bind the
token to the device; FAPI has one solution to this. The Okta breach described at <a href="https://sec.okta.com/harfiles">https://sec.okta.com/harfiles</a>
is an example: after stealing one token, the attacker was able to access other tokens. Hence the need for device-bound
cookies (or whatever data structure might be used in the future).</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"> </p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">W3C FedCM is looking at universal naming. See Vladimir Dzhuvinov's
paper "OpenID Federation policies for Pairwise Pseudonymous Identifiers (PPID)" at <a href="https://connect2id.com/blog/openid-federation-ppid-policy">https://connect2id.com/blog/openid-federation-ppid-policy</a></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">(from <a href="https://www.linkedin.com/posts/vladimirdzhuvinov_openid-federation-policies-for-pairwise-pseudonymous-activity-7167841011216453632-6tpD?utm_source=share&utm_medium=member_desktop" style="color:rgb(5,99,193)">https://www.linkedin.com/posts/vladimirdzhuvinov_openid-federation-policies-for-pairwise-pseudonymous-activity-7167841011216453632-6tpD?utm_source=share&utm_medium=member_desktop</a>).
This is a generalization of what federation already allows.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">IETF 119 <a href="https://www.ietf.org/how/meetings/119/">https://www.ietf.org/how/meetings/119/</a></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>Issues and PRs:</b></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">PR 702 <a href="https://bitbucket.org/openid/connect/pull-requests/702">https://bitbucket.org/openid/connect/pull-requests/702</a>
addresses issue 2101 <a href="https://bitbucket.org/openid/connect/issues/2101/native-app-sso-no-prescriptive-restriction" style="color:rgb(5,99,193)">https://bitbucket.org/openid/connect/issues/2101/native-app-sso-no-prescriptive-restriction</a></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"> <span style="font-size:11pt">2115 – supporting POST at authN end point – it was agreed by
all to recommend that conformance test look for support of POST, but only issue
a warning if it is not supported by the end point – Tom addressed issue at FHIR
by noting that: “the point has been made elsewhere that the common
Authorization Code Flow implementations will not have an issue. If the
Authorization server handles the authz grant, the token issuance and the user
resource all from the same origin as they all need to share data. However, it is not required in the spec that
these endpoints are all in the same origin, as that was not an issue when the
spec was written. If they all share a
common origin, there should be no problem.”</span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">2117: There are cases when one may want to do the discovery
for Entities other than Leaf Entities. Mike changed the status to open. Tom noted
that these were only significant on a transaction basis: any node could
generate a chain from the root to itself, i.e. the concept of a leaf was in the eyes of
the requester.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">2118: <a href="https://bitbucket.org/openid/connect/issues/2118/federation-introduce-sector_identifier-to">https://bitbucket.org/openid/connect/issues/2118/federation-introduce-sector_identifier-to</a>
by Axel Nennker was resolved as written. Do we want to open it elsewhere?</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">2120: Mike to generate
language about one subordinate versus the entire tree of all subordinates.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">2119: Fix the metadata policy example in figure 17 (take stuff
out of the examples); assigned to Giuseppe De Marco. Nat opened an issue, assigned to
Mike.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Ran out of time before all issues were addressed.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Notes by Tom Jones</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b> </b></p></div></div></div></div>