[Openid-specs-risc] Call notes

Atul Tulshibagwale atul at sgnl.ai
Tue Dec 12 19:07:24 UTC 2023


Hi all,
Here are the notes for today's call. They are also stored here:

-- 

<https://sgnl.ai>

Atul Tulshibagwale

CTO

<https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
<atul at sgnl.ai>

WG Meeting: 2023-12-12
Agenda <https://hackmd.io/WtDE4Z2lQ7yQJxpfNSGTUA?view#Agenda>

   - Updated interop spec
   <https://sgnl-ai.github.io/caep-interop/caep-interoperability-profile-1_0.html> -
   review and next steps
   - SSF / CAEP / RISC Implementations Status

Attendees

   - Atul Tulshibagwale (SGNL)
   - Phil Hunt (Independent ID)
   - Shayne Miel (Cisco)
   - Tim Cappalli (Microsoft)
   - Stan Bounev (VeriClouds)
   - Raymond Luo (Cisco)
   - Gail Hodges (OpenID)
   - Nancy Cam Winget (Cisco)
   - Tom Sato (VeriClouds)

Notes

Interop Spec Review and Next Steps

   - Latest Interop Spec
   <https://sgnl-ai.github.io/caep-interop/caep-interoperability-profile-1_0.html>
   - (Shayne) The requirement for the spec to support both email and
   iss_sub, what does that mean for a Transmitter?
   - (Atul) I’ll clarify that it is meant for Receivers
   - (Phil) Between any two parties, since we don’t know what a relying
   party needs, we should be able to set up streams with different subject
   values
   - (Phil) A few years ago, Adam Dawes mentioned that there is no way 100s
   of thousands of OpenID clients agree on any one format
   - (Atul) The intent is to have a minimum standard so that your
   implementation can be called an “interoperable standard”
   - (Atul) Proposing to incorporate this into the SSWG GitHub and then
   request it to be voted on as an implementer’s draft. Is it too soon to do
   that?
   - (Nancy) This feels like more of a testing / certification draft rather
   than a WG output that needs to be voted on
   - (Gail) We have a separate exercise to develop the tests, so if this
   helps with that. If this is a guidance document, then it doesn’t need to be
   called a specification at all
   - (Nancy) This feels more like a set of configuration settings, rather
   than a new specification
   - (Gail) The FAPI group has something similar, we should check with them
   - (Stan) Why do we need this interoperability profile?
   - (Stan) Should we have a separate document, or can we just mark certain
   things as mandatory in the core spec?
   - (Nancy) It feels like some of the things should be mandatory in the
   specs themselves, but there are other things such as configuration
   settings, that should not be in the core spec
   - (Phil) What does it mean that an implementation “supports” an event?
   - (Atul) We cannot dictate how the products work, but the
   interoperability profile specifies that the software supports transmission
   or receiving of the events
   - (Phil)
   - (Nancy) A Receiver may not be the actual enforcer or processor of the
   event, but it can acknowledge the receipt of the event
   - (Shayne) So do we need a formalized way to codify that the event
   should be acknowledged?
   - (Phil) Go to GitHub and search for GoSignals. It acts as a store and
   forward server. I have SCIM servers using it for replication. It is both
   Transmitter and a Receiver. It converts events from one format to another
   - (Atul) We could add language about acknowledging events in the interop
   profile
   - (Phil) We could have a testing harness that compares the jtis received
   and sent, and it should match
   - (Phil) There are three parts - an event generator, then a list of
   events that were sent or acknowledged, and then on the receiver side
   - (Stan) I have a question about the interoperability spec - we need to
   have “session revoked” or “credential change”
   - (Atul) These are the two events that have been identified, we can add
   more
   - (Mark) That has happened before, e.g. FAPI is an interop profile of
   OpenID Connect. High Assurance Interop Profile offers interoperability for
   Verifiable Credentials
   - (Gail) So the bottom line is that we should continue this as a
   specification, and the tests would get developed against that
   - (Mark) We have OIDC and FAPI conformance testing capability
   - (Gail) We should probably reconfirm with Joseph, but we have what we
   need to do in order to move forward

SSF / CAEP / RISC Implementations Status

   - (Stan) Can we get an update about some of the larger organizations
   that have already implemented these specs, and the use-cases that they have
   implemented
   - (Sean) It’s correct that larger organizations have implemented, but
   their customers are not able to interoperate with them, which is not yet
   possible
   - (Sean) Today I have to do so much proprietary work, I would just like
   to use SSF as a customer of these organizations

Certification / Interoperability Testing

   - (Atul) The Gartner interoperability testing is going to be an
   intermediate step to full certification
   - (Shayne) So what will people actually see when they say they
   interoperate?
   - (Tim) You could have an overly verbose presentation that animates all
   the steps
   - (Sean) We did a vanilla app, that showed how a simple client called a
   session revoked and it showed you could no longer use the services
   - (Tim) We did a customer keynote at a previous job, and built a basic
   bot that sent notifications.
   - (Sean) You could use caep.dev to show the interop

Co-chair

   - (Gail) Annabelle has been inactive for personal and work reasons
   - (Gail) The WG can take a decision to change her status as a co-chair,
   and have one or more co-chairs to come in.
   - (Gail) We can take a consensus decision if there is sufficient
   participation
   - (Atul) Should we ask Annabelle to step down, just like we did for
   Marius?
   - (Gail) Any comments from Shayne about stepping up to be co-chair?
   - (Shayne) Happy to, I’m already working with Tim and Atul closely on
   the editing and administration
   - (Gail) If anyone else is interested, please speak up / contact Gail
   - (Phil) I’d like to second Shayne’s nomination
   - (Sean) Thumbs up for Shayne’s nomination

Action Items

   - Gail to start the process to effect the co-chair change by asking
   Annabelle
   - Atul to clarify in the interop profile that support for subject types
   is expected only of Receivers