[Openid-specs-ipsie] IPSIE Meeting Notes - March 11, 2025
Dean Saxe
dean.saxe at beyondidentity.com
Tue Mar 11 21:47:46 UTC 2025
Below are the meeting notes from today’s call. As a reminder, we will not
be having a call on the 18th due to IETF 122 in Bangkok.
Please make sure you read the draft
<https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html>
for using OIDC at SL1 and the issues tagged for SL1
<https://github.com/openid/ipsie/labels/sl1> in GitHub. During the next
two weeks, we’ll make progress asynchronously through the mailing list and
GitHub issues.
-dhs
—
# IPSIE WG Meeting Minutes
Date: 2025-03-11
## Attendees
- Dean H. Saxe (Beyond Identity)
- Sean Miller (RSA)
- Kenn Chong (RSA)
- Jon Bartlett (Zscaler)
- Matt Topper (UberEther)
- Bjorn Hjelm (Yubico)
- Tom Clancy (MITRE)
- Robin Martherus (Cisco)
- Dick Hardt (Hellō)
- Karl McGuinness (Self)
- Vatsal Gupta (Apple)
- Filip Skokan (Okta)
- Victor Lu (Independent)
- Jen Schreiber (Workday)
- JD Pawar (Workday)
- Travis Tripp (HPE)
## Agenda
- Welcome and antitrust policy reminder
- OpenID Contributor Agreement reminder https://openid.net/intellectual-property
- Reminder about OpenID Slack
  - invite link: https://join.slack.com/t/oidf/shared_invite/zt-30zg9louv-3HgJEwIL7vB3uWv2KEbLtw
- Update on upcoming call schedule - no call March 18 due to IETF
- Review OpenID and SAML SL1 profiles
  - OpenID SL1 Editor's Copy - https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html
  - Open issues - https://github.com/openid/ipsie/labels/sl1
  - SAML SL1
Notetaker: Tom Clancy
## Minutes
- Antitrust policy reminder
- Slack invite link updated as of last night
- Call schedule updates - no call for March 18 due to IETF
  - IIW week schedule TBD, likely to cancel or move to a new day to minimize conflict
  - Keep the conversation going during the gap by communicating on Slack
- Start reviewing SL1 profile for OpenID -- editor's copy
- Already some discussion on GitHub, Slack, etc. on issues
- Dean: let's start by collecting feedback on the draft
  - Dick, Karl, others have already indicated there is feedback, others?
- Karl: I opened a GitHub issue https://github.com/openid/ipsie/issues/61
  - Do we want to start with the strongest foundation, such as FAPI2, or are we starting with a more accessible profile?
  - SAML, as example, doesn't require confidential clients -- how do we want to begin?
  - Do we want to address broader delegated access use cases?
- Filip: I don't have an answer on whether SL1 should allow public clients
  - Attacker model drives requirements in FAPI... What would attacker model say to drive public client
  - SAML flow is more analogous to response_type=id_token which results in no access tokens issued, the need for client auth likely mostly stems from protecting the issuance of access tokens to protected resources. If SL1 is not about resource access then we should not use flows that result in issued access tokens
-
--
Dean H. Saxe, CIDPRO <https://idpro.org/cidpro/> (he/him)
Principal Engineer
Office of the CTO
Beyond Identity
dean.saxe at beyondidentity.com