<div dir="ltr"><h1 id="gmail-markdown-header-openid-foundation-connect-working-group-meeting-notes" style="margin:0px 0px 10px;padding:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-weight:400;font-stretch:normal;line-height:1.25;font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;letter-spacing:-0.01em;color:rgb(23,43,77)"><font size="2">Dear AB/Connect WG: </font></h1><div>Below are the meeting notes from the 2025-09-15 Pacific meeting. The wiki version can be found at <a href="https://bitbucket.org/openid/connect/wiki/Connect_Meeting_Notes_2025-09-15_Pacific">https://bitbucket.org/openid/connect/wiki/Connect_Meeting_Notes_2025-09-15_Pacific</a></div><div><br></div><div>Please let me know if something needs to be fixed. </div><h1 id="gmail-markdown-header-openid-foundation-connect-working-group-meeting-notes" style="margin:0px 0px 10px;padding:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-weight:400;font-stretch:normal;font-size:24px;line-height:1.25;font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;letter-spacing:-0.01em;color:rgb(23,43,77)">Connect WG Meeting Notes</h1><ul style="margin:12px 0px 
0px;padding:0px 0px 0px 40px;color:rgb(23,43,77);font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;font-size:14px"><li style="overflow-wrap: break-word;"><strong>Date:</strong> 2025-09-15</li><li style="margin:0px"><strong>Time:</strong> 22:58-23:28 UTC</li><li style="margin:0px"><strong>Chair:</strong> Nat Sakimura</li></ul><h2 id="gmail-markdown-header-attendees" style="margin:20px 0px 0px;padding:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-weight:400;font-stretch:normal;font-size:20px;line-height:1.5;font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;letter-spacing:-0.008em;color:rgb(23,43,77)">Attendees</h2><ul style="margin:12px 0px 0px;padding:0px 0px 0px 40px;color:rgb(23,43,77);font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;font-size:14px"><li style="overflow-wrap: break-word;">Nat Sakimura (Chair)</li><li style="margin:0px">Andrii Deinega</li><li style="margin:0px">Naveen CM</li><li style="margin:0px">Bjorn Hjelm</li><li style="margin:0px">Michael Fraser</li><li style="margin:0px">Aaron Parecki</li></ul><h2 id="gmail-markdown-header-meeting-opening" style="margin:20px 0px 0px;padding:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-weight:400;font-stretch:normal;font-size:20px;line-height:1.5;font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;letter-spacing:-0.008em;color:rgb(23,43,77)">Meeting Opening</h2><ul style="margin:12px 0px 0px;padding:0px 0px 0px 40px;color:rgb(23,43,77);font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe 
UI",Ubuntu,"Helvetica Neue",sans-serif;font-size:14px"><li style="overflow-wrap: break-word;">Standard OpenID Foundation antitrust and IPR policy acknowledgements were reviewed</li><li style="margin:0px">Nat noted that this is SC27 week and that Mike Jones, who is traveling home from a memorial service for Andrew Nash, had made contact regarding his absence</li></ul><h2 id="gmail-markdown-header-ongoing-and-upcoming-events" style="margin:20px 0px 0px;padding:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-weight:400;font-stretch:normal;font-size:20px;line-height:1.5;font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;letter-spacing:-0.008em;color:rgb(23,43,77)">Ongoing and Upcoming Events</h2><ul style="margin:12px 0px 0px;padding:0px 0px 0px 40px;color:rgb(23,43,77);font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;font-size:14px"><li style="overflow-wrap: break-word;"><strong>ISO/IEC JTC 1/SC 27:</strong> On Information security, cybersecurity and privacy protection</li><li style="margin:0px"><strong>ISO/IEC JTC 1/SC 44:</strong> On Consumer protection in the field of privacy by design</li><li style="margin:0px"><strong>IIW (Internet Identity Workshop):</strong> OpenID Foundation workshop on Monday before the main event</li><li style="margin:0px"><strong>OpenID Foundation Board Meeting:</strong> Thursday/Friday during IIW (offsite)</li><li style="margin:0px"><strong>Authenticate Conference:</strong> Week prior to IIW</li><li style="margin:0px"><strong>IETF Meeting:</strong> Two weeks after IIW</li><li style="margin:0px"><strong>Web Conference Lisbon:</strong> One week after IETF</li></ul><h2 id="gmail-markdown-header-key-discussion-items" style="margin:20px 0px 
0px;padding:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-weight:400;font-stretch:normal;font-size:20px;line-height:1.5;font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;letter-spacing:-0.008em;color:rgb(23,43,77)">Key Discussion Items</h2><h3 id="gmail-markdown-header-1-openid-connect-key-binding-specification" style="margin:20px 0px 0px;padding:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-weight:400;font-stretch:normal;font-size:18px;line-height:1.38889;font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;letter-spacing:-0.006em;color:rgb(23,43,77)">1. OpenID Connect Key Binding Specification</h3><ul style="margin:12px 0px 0px;padding:0px 0px 0px 40px;color:rgb(23,43,77);font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;font-size:14px"><li style="overflow-wrap: break-word;"><strong>Status Update:</strong> Mike Jones sent out call for adoption for new draft specification just before the meeting</li><li style="margin:0px"><strong>Next Steps:</strong> Discussion to continue on mailing list</li><li style="margin:0px"><strong>Current State:</strong> Mixed arguments but no substantial opposition observed</li></ul><h3 id="gmail-markdown-header-2-pull-request-cryptojs-removal-andrii-deinega" style="margin:20px 0px 0px;padding:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-weight:400;font-stretch:normal;font-size:18px;line-height:1.38889;font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe 
UI",Ubuntu,"Helvetica Neue",sans-serif;letter-spacing:-0.006em;color:rgb(23,43,77)">2. Pull Request - CryptoJS Removal (Andrii Deinega)</h3><ul style="margin:12px 0px 0px;padding:0px 0px 0px 40px;color:rgb(23,43,77);font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;font-size:14px"><li style="overflow-wrap: break-word;"><strong>PR Link:</strong> <a href="https://bitbucket.org/openid/connect/pull-requests/753?link_source=email" rel="nofollow" style="color:rgb(12,102,228);text-decoration-line:none">https://bitbucket.org/openid/connect/pull-requests/753?link_source=email</a></li><li style="margin:0px"><strong>Description:</strong> Minor PR to remove dependency on CryptoJS library</li><li style="margin:0px"><strong>Rationale:</strong> CryptoJS is discontinued; modern JavaScript provides native cryptographic capabilities</li><li style="margin:0px"><strong>Status:</strong> Mike Jones approved weeks ago; seeking additional approvals for Thursday call merge</li><li style="margin:0px"><strong>Impact:</strong> Very minor change, can wait if needed</li></ul><h3 id="gmail-markdown-header-3-session-quota-management-proposal-andrii-deinega" style="margin:20px 0px 0px;padding:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-weight:400;font-stretch:normal;font-size:18px;line-height:1.38889;font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;letter-spacing:-0.006em;color:rgb(23,43,77)">3. 
Session Quota Management Proposal (Andrii Deinega)</h3><ul style="margin:12px 0px 0px;padding:0px 0px 0px 40px;color:rgb(23,43,77);font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;font-size:14px"><li style="overflow-wrap: break-word;"><strong>Issue Link:</strong> <a href="https://bitbucket.org/openid/connect/issues/2184/openid-connect-and-user-session-quotas-at" rel="nofollow" style="color:rgb(12,102,228);text-decoration-line:none">https://bitbucket.org/openid/connect/issues/2184/openid-connect-and-user-session-quotas-at</a></li><li style="margin:0px"><strong>Background:</strong> Previously discussed but deprioritized due to other urgent topics</li><li style="margin:0px"><strong>Core Concept:</strong><ul style="margin:0px;padding:0px 0px 0px 40px"><li style="overflow-wrap: break-word;">Allow RPs to specify session quota requirements in authorization requests</li><li style="margin:0px">Enable OPs to manage and enforce session limits (e.g., max 1-2 sessions per user)</li><li style="margin:0px">Provide flexibility for OPs to implement policies and user choices when quotas are reached</li></ul></li><li style="margin:0px"><strong>Benefits:</strong><ul style="margin:0px;padding:0px 0px 0px 40px"><li style="overflow-wrap: break-word;">Simplifies RP implementation by moving session management logic to OP</li><li style="margin:0px">Eliminates need for RPs to store user session information</li><li style="margin:0px">Provides more flexibility in quota enforcement policies</li></ul></li><li style="margin:0px"><strong>Use Case:</strong> Financial institutions requiring single-device sessions for security</li><li style="margin:0px"><strong>Feedback Requested:</strong> Working group input on proposal viability</li><li style="margin:0px"><strong>Action:</strong> Continue discussion in the GitHub issue</li></ul><h3 id="gmail-markdown-header-4-openid-federation-issues-michael-fraser" style="margin:20px 0px 
0px;padding:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-weight:400;font-stretch:normal;font-size:18px;line-height:1.38889;font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;letter-spacing:-0.006em;color:rgb(23,43,77)">4. OpenID Federation Issues (Michael Fraser)</h3><p style="margin:12px 0px 0px;padding:0px;color:rgb(23,43,77);font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;font-size:14px">Three issues raised for working group attention:</p><h4 id="gmail-markdown-header-issue-246" style="margin:20px 0px 0px;padding:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;line-height:1.25"><font color="#172b4d" face="Atlassian Sans, ui-sans-serif, -apple-system, system-ui, Segoe UI, Ubuntu, Helvetica Neue, sans-serif"><span style="font-size:16px;font-weight:400;letter-spacing:-0.003em">Issue </span></font>#246</h4><ul style="margin:12px 0px 0px;padding:0px 0px 0px 40px;color:rgb(23,43,77);font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;font-size:14px"><li style="overflow-wrap: break-word;"><strong>Link:</strong> <a href="https://github.com/openid/federation/issues/246" rel="nofollow" style="color:rgb(12,102,228);text-decoration-line:none">https://github.com/openid/federation/issues/246</a></li><li style="margin:0px"><strong>Topic:</strong> Entity statement claim restrictions</li><li style="margin:0px"><strong>Concern:</strong> Current specification is overly permissive, allowing claims that should never have policies (e.g., client_secret)</li><li style="margin:0px"><strong>Request:</strong> Discussion on whether certain claims 
should be explicitly banned</li></ul><h4 id="gmail-markdown-header-issue-247" style="margin:20px 0px 0px;padding:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;line-height:1.25"><font color="#172b4d" face="Atlassian Sans, ui-sans-serif, -apple-system, system-ui, Segoe UI, Ubuntu, Helvetica Neue, sans-serif"><span style="font-size:16px;font-weight:400;letter-spacing:-0.003em">Issue </span></font>#247</h4><ul style="margin:12px 0px 0px;padding:0px 0px 0px 40px;color:rgb(23,43,77);font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;font-size:14px"><li style="overflow-wrap: break-word;"><strong>Link:</strong> <a href="https://github.com/openid/federation/issues/247" rel="nofollow" style="color:rgb(12,102,228);text-decoration-line:none">https://github.com/openid/federation/issues/247</a></li><li style="margin:0px"><strong>Topic:</strong> Trust marks text clarification</li><li style="margin:0px"><strong>Status:</strong> Pull request in progress for text improvements</li></ul><h4 id="gmail-markdown-header-issue-249" style="margin:20px 0px 0px;padding:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;line-height:1.25"><font color="#172b4d" face="Atlassian Sans, ui-sans-serif, -apple-system, system-ui, Segoe UI, Ubuntu, Helvetica Neue, sans-serif"><span style="font-size:16px;font-weight:400;letter-spacing:-0.003em">Issue </span></font>#249</h4><ul style="margin:12px 0px 0px;padding:0px 0px 0px 40px;color:rgb(23,43,77);font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;font-size:14px"><li style="overflow-wrap: break-word;"><strong>Link:</strong> <a 
href="https://github.com/openid/federation/issues/249" rel="nofollow" style="color:rgb(12,102,228);text-decoration-line:none">https://github.com/openid/federation/issues/249</a></li><li style="margin:0px"><strong>Topic:</strong> Trust mark status endpoint error handling</li><li style="margin:0px"><strong>Problem:</strong> No guidance for handling trust marks sent to non-issuing parties</li><li style="margin:0px"><strong>Discussion:</strong> Two approaches proposed:<ul style="margin:0px;padding:0px 0px 0px 40px"><li style="overflow-wrap: break-word;">Follow introspection pattern (return active: false for unknown tokens)</li><li style="margin:0px">Define specific error codes for unknown trust marks</li></ul></li><li style="margin:0px"><strong>Participants:</strong> Discussion ongoing with Gabrielle Zachman</li><li style="margin:0px"><strong>Request:</strong> Working group input on preferred approach</li></ul><h2 id="gmail-markdown-header-administrative-notes" style="margin:20px 0px 0px;padding:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-weight:400;font-stretch:normal;font-size:20px;line-height:1.5;font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;letter-spacing:-0.008em;color:rgb(23,43,77)">Administrative Notes</h2><ul style="margin:12px 0px 0px;padding:0px 0px 0px 40px;color:rgb(23,43,77);font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;font-size:14px"><li style="overflow-wrap: break-word;"><strong>Certification Team Update:</strong> Gail requested an update on the Federation spec finalisation timeline, but no certification team members were present</li></ul><h2 id="gmail-markdown-header-action-items" style="margin:20px 0px 
0px;padding:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-weight:400;font-stretch:normal;font-size:20px;line-height:1.5;font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;letter-spacing:-0.008em;color:rgb(23,43,77)">Action Items</h2><ol style="margin:12px 0px 0px;padding:0px 0px 0px 40px"><li style="color:rgb(23,43,77);font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;font-size:14px"><strong>All:</strong> Continue OpenID Connect key binding specification discussion on mailing list</li><li style="color:rgb(23,43,77);font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;font-size:14px;margin:0px"><strong>Working Group:</strong> Review and provide feedback on Andrii's session quota management proposal (Issue <a href="https://bitbucket.org/openid/connect/issues/2184/openid-connect-and-user-session-quotas-at" rel="nofollow" style="color:rgb(12,102,228);text-decoration-line:none">#2184</a>)</li><li style="margin:0px"><strong style="color:rgb(23,43,77);font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;font-size:14px">Working Group:</strong><font color="#172b4d" face="Atlassian Sans, ui-sans-serif, -apple-system, system-ui, Segoe UI, Ubuntu, Helvetica Neue, sans-serif"><span style="font-size:14px"> Review Michael's three OpenID Federation issues (</span></font>#246, #247, #249<font color="#172b4d" face="Atlassian Sans, ui-sans-serif, -apple-system, system-ui, Segoe UI, Ubuntu, Helvetica Neue, sans-serif"><span style="font-size:14px">) and provide input</span></font></li><li style="color:rgb(23,43,77);font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica 
Neue",sans-serif;font-size:14px;margin:0px"><strong>Nat:</strong> Schedule follow-up discussion with Bjorn regarding SC27 topics</li><li style="color:rgb(23,43,77);font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;font-size:14px;margin:0px"><strong>Working Group:</strong> Continue discussions in respective GitHub issues rather than requiring meeting time</li></ol><h2 id="gmail-markdown-header-next-meeting" style="margin:20px 0px 0px;padding:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-weight:400;font-stretch:normal;font-size:20px;line-height:1.5;font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;letter-spacing:-0.008em;color:rgb(23,43,77)">Next Meeting</h2><ul style="margin:12px 0px 0px;padding:0px 0px 0px 40px;color:rgb(23,43,77);font-family:"Atlassian Sans",ui-sans-serif,-apple-system,"system-ui","Segoe UI",Ubuntu,"Helvetica Neue",sans-serif;font-size:14px"><li style="overflow-wrap: break-word;">Standard weekly schedule continues</li></ul></div>