[Openid-specs-risc] Call notes
Atul Tulshibagwale
atul at sgnl.ai
Tue May 27 17:32:21 UTC 2025
Hi all,
Here are the notes from today's call. They are also stored here
<https://hackmd.io/@oidf-wg-sse/wg-meeting-20250527>.
Atul
--
Atul Tulshibagwale
CTO
<https://www.linkedin.com/in/tulshi/> <atul at sgnl.ai>
---
WG Meeting: 2025-05-27
Agenda
- Messaging at Identiverse
- Prescriptive / non-prescriptive nature
- Clean up PR
Attendees
- Atul Tulshibagwale (SGNL)
- John Marchesini (Jamf)
- Sean O'Dell (Disney)
- Yair Sarig (Omnissa)
- Vladimir Slesarev (CyberArk)
- Mike Kiser (SailPoint)
- Stan Bounev (Blue Label)
- George Fletcher (Independent / Great Guy)
- Jen Schreiber (Workday)
Notes
Messaging at Identiverse
- (Sean) What can we say about the "final" status of the specs at
Identiverse?
- (Atul) Informally, we can claim that we are about to send out the last
call for a V1 final for SSF.
- (Atul) What is exactly in final…there might be some questions about it
but we have doc history we can reference in the latest draft.
Prescriptive / non-prescriptive nature
- (Sean) I get asked about whether SSF can be used in a prescriptive way
- (George) I always have to talk about it in IPSIE and OpenID Connect
meetings
- (Sean) Introducing a "Policy Events" profile or something like that
would help in this regard
- (Mike) We also need to be aggressive about it because on IPSIE they
were aligning OP Commands to their metrics (IL1/IL2, etc.)
- (Atul) We could bring in George's issue
<https://github.com/openid/sharedsignals/issues/255> to v1Final
- (George) Since it's non-normative, we could bring it in
- (George) The argument centers around the SET spec saying something
about SETs being informational
- (Atul) By definition you can't assume a SET is a command but
semantics can be interpreted as such (to be prescriptive)
- (Sean) I say let's add it in to v1 Final to send a message about
applicability
- (George) Don't want to be constrained about cross domain trust, in
reference to IPSIE. When an RP is integrated into your IdP you
aren't really crossing trust domains. You should be able to be
prescriptive in that context.
- (Atul) Not sure it relates to cross domain trust. Just receiving a
SET does not mean you have to "obey" it. Comes back to semantics and
definition.
- (George) if you are in a federation of 2 trust domains you can have
prescriptive behavior, but tend to be informational.
- (Sean) I disagree about first part integrations (RPs) with an IdP
being informative. When an enterprise integrates with an RP, like a
Salesforce or ServiceNow, it is under the context of the enterprise's
security guidelines and policies. With that said, if a CAEP event is
issued by the IdP or SSF Transmitter to an integrated RP, as listed
above, it is not an inform…it is a prescription to perform the
requested action and inform the IdP when it is done.
Clean up PR
- (Jen) Please review my clean up PR
<https://github.com/openid/sharedsignals/pull/266>
- (Jen) Please use the markdown linter when you write your PRs so that
we don't have to do this again.
- (Atul) Could you please update the Makefile to have a new target to
run the markdown linter
- (Yair) Perhaps also update the README?
- (Jen) Sure (to both)
- (Jen) Please turn off the white space diffs when you review, it makes
the reviewing process easier.
Action Items
- (Sean) to address issue 255 (prescriptive semantics on top of SSF) in
the SSF draft.