[Openid-specs-risc] Call notes - and a call to action
Atul Tulshibagwale
atul at sgnl.ai
Tue Jan 9 19:33:11 UTC 2024
Hi all,
Here are the call notes from today's call - thanks to Shayne for taking
these notes. They are also stored here
<https://hackmd.io/@oidf-wg-sse/wg-meeting-20240109>.
One question I would like to draw everyone's attention to is whether they
are in favor of appointing the following two as co-chairs:
- Shayne Miel (Cisco) - who has contributed extensively to the SSF ID-2
spec
- Sean O'Dell (Disney) - who has implemented SSF / CAEP internally at
Disney and has been active on the WG calls recently
Please respond by email to one of the current co-chairs (Tim or me) with
your thoughts.
Thanks,
Atul
--
<https://sgnl.ai>
Atul Tulshibagwale
CTO
<https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
<atul at sgnl.ai>
--
WG Meeting: 2024-01-09
Agenda
- New co-chairs
- Interoperability meetings
- Apoorva’s Interoperability spec PR
<https://github.com/openid/sharedsignals/pull/134>
- Opaque format PR <https://github.com/openid/sharedsignals/pull/137>
Attendees
- Atul Tulshibagwale (SGNL)
- Apoorva Deshpande (Okta)
- Tom Sato (VeriClouds)
- Shayne Miel (Cisco)
- Peter Travers (MongoDB)
- Mike Kiser (SailPoint)
- Stan Bounev (VeriClouds)
- Sean O’Dell (Disney)
Notes
Apoorva’s Interoperability spec PR <https://github.com/openid/sharedsignals/pull/134>
- Apoorva: Adds details about how OAuth will be helpful
- Apoorva: Details around the scopes, TLS version, flows
- Shayne: Downplay how much the interop is “about” OAuth, as per Atul’s
feedback
- Atul: Instead of saying this is a profile of OAuth, let’s say this
specifies a profile of an OAuth server when used with an SSF Transmitter
Opaque format PR <https://github.com/openid/sharedsignals/pull/137>
- Shayne: If we want verification events, we must provide opaque ID
subjects for the stream ID
- Apoorva: Can we specify that we *only* support opaque for the
verification event?
New co-chairs
- Atul: We’ve asked Anabelle to step down and she has agreed
- Atul: Shayne Miel and Sean O’Dell are interested in stepping up as
co-chairs
- Atul: We’ll send out an email about the proposal and make it official at
the next meeting
- Apoorva: Do co-chairs need to be limited to a single working group?
- Atul: That’s a question for Gail
Interoperability meetings
- Atul: Interest from Cisco (Duo), Cisco (Webex), Okta, SGNL,
VeriClouds, SailPoint, Disney
- Atul: We need to agree on what the use cases are
- Atul: Need to identify what changes need to be made to the interop spec
- Atul: Propose 30 min every week to work on interop (first 30 min of
standard biweekly meeting and an additional 30 minutes on off-weeks)
- Mike: What are the details of the event?
- Atul: Gartner providing venue, there is a session (Atul is speaker),
Gartner is providing a room where implementors can demo their Transmitters
and Receivers
- Atul: Implementations do not have to be production code. Prototypes
are ok
- Apoorva: What should we do about versions for CAEP?
Use Cases
- Stan: When promoting SSF/CAEP/RISC, it would help to know the use cases
- Stan: We want to move from just the events to a full end-to-end use
case. Tell a story about an org that wants to increase security and how
these tools can make that easier.
- Atul: All of the events are about security, but the use case varies
from event to event and company to company.
- Atul: Agree that we do need to have these end-to-end use cases on the
SSF website.
- Stan: We can share the use cases we are building around.
- Sean: Use cases have been golden for us
- Shayne: Do we want to add info about why SSF is important here, in
terms of re-usability etc
- Sean: Yes, and the openness of the standard
- Stan: Are we doing something secure when transmitting these
potentially sensitive events?
- Sean: If it is internal within your company, a signed JWT is fine. If
it is external it should be a JWE. But then you have to swap certificates,
etc. It also depends on how sensitive the data in the event is.
- Stan: Thoughts about using CAEP for CIAM use cases?
- Sean: Assume you subscribe to a streaming service. Whenever it seems
like someone has logged into your account, they sign you out of everything.
But with SSF we could use Session-Revoked with a device identifier and only
log you out of specific devices. This does 2 things: lets your user know
you care and lets you collect feedback from users about false positives
Tokyo OpenID event
- Tom: Next Thursday there is an OpenID hybrid workshop in Tokyo. We’ll
be there giving an overview of SSF and what VeriClouds has been working on.
- Tom: On Friday, the OpenID Japan summit. More than 300 people
attending. FIDO did a large meeting last month. At the summit, Tom will be
talking about SSF, including info about the interop event.
Action Items
- Shayne: Update Opaque PR to limit to verification event only
- Apoorva: Add versioning info re: CAEP to the interop spec
- Stan/Sean: Add use cases to repo
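Sean's device-scoped Session-Revoked scenario and Shayne's note that the verification event needs an opaque subject carrying the stream ID both come down to what goes in the `sub_id` of a SET and what a Receiver does with it. The Python below is an added illustration, not code from the working group, from the SSF/CAEP specs or from any implementer named above. It assumes an HS256 shared secret in place of the asymmetric key a real Transmitter publishes via JWKS (the certificate exchange Sean mentions), and the session table, issuer, audience and identifiers are all constructed for the example.

```python
"""Constructed example: a CAEP session-revoked SET scoped to one device, a
stream verification SET with an opaque subject, and the Receiver logic that
honours the subject's scope. Not working-group code."""
import base64
import hashlib
import hmac
import json
import time
import uuid

CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
SSF_VERIFICATION = "https://schemas.openid.net/secevent/ssf/event-type/verification"

# Assumption: a shared HS256 secret stands in for the asymmetric key a real
# Transmitter would publish in its JWKS; it keeps this example dependency-free.
DEMO_KEY = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_set(payload: dict, key: bytes = DEMO_KEY) -> str:
    """Serialise a SET as a compact JWS; RFC 8417 uses the 'secevent+jwt' type."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_set(token: str, expected_aud: str, key: bytes = DEMO_KEY) -> dict:
    """Receiver-side checks before acting on anything: signature, alg, audience."""
    h, p, s = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("SET signature does not verify")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    payload = json.loads(_b64url_decode(p))
    if payload.get("aud") != expected_aud:
        raise ValueError("SET not addressed to this Receiver")
    return payload


def session_revoked_set(issuer, audience, user_email, device_id=None, reason="suspicious login"):
    """Complex subject: the user plus, optionally, one opaque device identifier."""
    sub_id = {"format": "complex", "user": {"format": "email", "email": user_email}}
    if device_id is not None:
        sub_id["device"] = {"format": "opaque", "id": device_id}
    now = int(time.time())
    return {
        "iss": issuer, "jti": uuid.uuid4().hex, "iat": now, "aud": audience,
        "sub_id": sub_id,
        "events": {CAEP_SESSION_REVOKED: {"event_timestamp": now, "reason_admin": {"en": reason}}},
    }


def verification_set(issuer, audience, stream_id, state):
    """Stream verification event: its subject is the stream ID, hence opaque."""
    return {
        "iss": issuer, "jti": uuid.uuid4().hex, "iat": int(time.time()), "aud": audience,
        "sub_id": {"format": "opaque", "id": stream_id},
        "events": {SSF_VERIFICATION: {"state": state}},
    }


def apply_session_revoked(payload: dict, sessions: list) -> list:
    """Return the IDs of sessions to terminate. With a device member present only
    that user's sessions on that device go; without it, every session of the user."""
    if CAEP_SESSION_REVOKED not in payload.get("events", {}):
        return []  # e.g. a verification event: nothing to revoke
    sub = payload["sub_id"]
    if sub.get("format") != "complex":
        return []  # this Receiver only acts on user(+device) subjects
    user = sub["user"]["email"]
    device = sub.get("device", {}).get("id")
    return [s["id"] for s in sessions
            if s["user"] == user and (device is None or s["device"] == device)]


# Constructed session table for a Receiver (the streaming service in the notes).
SESSIONS = [
    {"id": "sess-tv", "user": "alice@example.com", "device": "dev-livingroom-tv"},
    {"id": "sess-phone", "user": "alice@example.com", "device": "dev-phone"},
    {"id": "sess-bob", "user": "bob@example.com", "device": "dev-phone"},
]


def demo(device_id=None):
    """Transmitter builds and signs the SET; Receiver verifies it and applies it."""
    token = sign_set(session_revoked_set("https://idp.example.com", "https://tv.example.com",
                                         "alice@example.com", device_id))
    payload = verify_set(token, "https://tv.example.com")
    return apply_session_revoked(payload, SESSIONS)


if __name__ == "__main__":
    print(demo("dev-phone"))  # only Alice's phone session is revoked
    print(demo())             # without a device member, all of Alice's sessions
```

The difference Sean describes is entirely in `sub_id`: the same event type with a `device` member touches one session, and without it touches every session the user has. The verification SET goes through the same `verify_set` path but yields nothing to revoke, which is why an opaque stream-ID subject is safe for that event alone.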