[Openid-specs-risc] Call notes

Atul Tulshibagwale atul at sgnl.ai
Tue Feb 7 19:03:51 UTC 2023


Hi all,
Here are the notes from today's call. They are also stored here
<https://hackmd.io/@oidf-wg-sse/wg-meeting-20230207>:

Thanks,
Atul

--

<https://sgnl.ai/>

Atul Tulshibagwale

CTO

<https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
<atul at sgnl.ai>


WG Meeting: 2023-02-07
Agenda

   - [Atul] PR Update
   - Any New Inputs
   - [Eric] Stream Configuration Question

Attendees

   - Atul Tulshibagwale (SGNL)
   - Greg Brown (Axiad)
   - Vinayak Shenoy (Okta)
   - Shayne Miel (Cisco)
   - Eric Karlinsky (Okta)
   - Debora Comparin (Thales)
   - Stan Bounev (VeriClouds)
   - Edmund Jay ()
   - Hemil (Yahoo)
   - Frank Taylor (VMware)
   - Mike Kiser (SailPoint)
   - Steve Venema (ForgeRock)
   - Gail Hodges (OIDF)
   - Matt Topper ()

Notes

PR Update

   - One more pull request in the works

Use Cases

   - Frank would like to get involved in the use-cases discussion
   - How customers connect this technology to the various products they are
   buying. How does VMware play in that space, and how do customers integrate
   - We do not have a clear view into how various products use various
   events.
   - We should start with the older use-case document and make it current
   to reflect the current interest from the WG
   - We should aim for interoperability testing between products
   - There are some private efforts of interoperability testing
   - It will help for implementers to showcase this technology
   - Two levels of interop: technical interop and value demonstration
   - An “Architecture Document” could be really useful
   - There is a Catch-22 with this standard right now: There is hesitation
   because the use-cases are not clear, and because use-cases are not clear
   there is hesitation
   - What is the consensus around how each of these CAEP events would work?
   There are just 5, so it should be doable.
   - Eric Karlinsky can take the lead, Steve Venema, Stan Bounev, Frank
   Taylor, Vinayak Shenoy and Atul Tulshibagwale can help.
   - Is anyone aware of OIX? They have a Guide to Shared Signals (Aug 2022)
   - NIST has an interest in using RISC events
   - Current doc that could serve as background is here
   <https://docs.google.com/document/d/1tmMqiXNB-lW9HXIzrivOvaFSts23zAzKLWPcSD740kE/edit#heading=h.fsduc31pruxn>

Slack Channel Update

   - OIDF cannot afford the cost of the Slack channel
   - Free version deletes messages after 90 days
   - So we can have informal discussions on Slack, but any formal
   communication needs to be through the Listserv
   - Some entities are not allowed to use Slack
   - OIDF is looking for an alternative to Slack
   - Reach out to Mike Leszcz mike.leszcz at oidf.org to get yourself added.

Stream Configuration Question

   - When there are multiple subject entities in a complex subject,
   - There needs to be more precise specification of a list of users in a
   subject definition.
   - [Shayne] If you want to specify multiple subjects, the spec allows for
   it. Q: How? Add Subject only takes one subject
   - Okta would like to know the specific list of IDs for whom the events
   need to be sent, which cannot be achieved by specifying it as a general
   “tenant”
   - This comes down to the use-case: Who is the Transmitter, what is your
   relationship. One may have different Transmitters for device management and
   user identities, and the streams with those Transmitters would cover all
   members of the respective tenants
   - This might work for simpler organizations, but for complex
   organizations, this abstraction may fail
   - Is the ask that there should be multiple subjects in the same “add
   subject” event? A: It could be a group of users within a tenant.
   - There is a “group” subject type. But the Tx and Rx would need to agree
   on the group membership.
   - Wouldn’t this even be true of user identities? Tx and Rx need to know
   that they’re talking about the same user when they pass a shared identifier.
   - Yes, there needs to be agreement, but there needs to be an extra level
   of coordination between Tx and Rx in the group case
   - In agreeing to the group membership, Tx and Rx may share user IDs, so
   that exchange could be used instead of the group.
   - Could SCIM be used for group membership agreement?
   - One more approach: Use the Receiver to make “add event” calls to
   specific members instead of the whole group
   - There’s a job to be done between the Rx and Tx about group membership
   agreement. That can be done by just adding individual members to the
   stream, or it can be done out-of-band, and then referred to in the protocol
   - If instead, there was an “add subject” method that allowed multiple
   subjects to be added together, it could be easier.
   - Pre-agreed groupings are a higher complexity than user-identity (it
   would seem)
   - There is a transactionality to it: An add-event with multiple members
   is an all-or-nothing semantic, whereas multiple add-events could result in
   some being added and some failing to be added
   - “Cold start problem” - SCIM could be useful, but is there a way to
   avoid that dependency
   - Perhaps we can tackle this as a part of the use-cases work

IIW WG Meeting

   - Atul to send out a form to solicit interest in the in-person meeting
   on the Monday before IIW Spring 2023
   - We should arrive at an agenda for this meeting
   - The OIDF workshop covers all workgroups’ activities, but this WG
   meeting would be separate and we would talk about specific agenda items
   that are interesting specifically to the WG members
   - This can be an agenda item for the next meeting
   - Hybrid is also a possibility
   - Confirm if it’s in SF or Mt View

Action Items

   - Atul to reach out to Asad (Thales) to get the use-cases document
   - Gail and Steve to discuss OIX approach
   - Eric and Atul to talk about previous work
   - Atul to send out a form to gauge interest in an in-person meeting
   around IIW Spring 2023