<div dir="ltr">Hi all,<div>Here are today's call notes, also <a href="https://hackmd.io/@oidf-wg-sse/wg-meeting-20220419">stored here</a>.</div><div><br></div><div><div id="gmail-doc" class="gmail-container-fluid gmail-markdown-body gmail-comment-enabled" style="box-sizing:border-box;padding:40px 15px 80px;margin-right:auto;margin-left:auto;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;line-height:1.5;max-width:760px;color:rgb(51,51,51);letter-spacing:0.35px;overflow:visible"><h1 class="gmail-part" id="gmail-WG-Meeting-2022-04-19" style="box-sizing:border-box;border-bottom:1px solid rgb(238,238,238);margin:0px 0px 16px;font-family:inherit;line-height:1.25;color:inherit;padding-bottom:0.3em"><span style="box-sizing:border-box">WG Meeting: 2022-04-19</span></h1><h2 class="gmail-part" id="gmail-Agenda" style="box-sizing:border-box;border-bottom:1px solid rgb(238,238,238);font-family:inherit;line-height:1.25;color:inherit;margin-top:24px;margin-bottom:16px;padding-bottom:0.3em"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/@oidf-wg-sse/wg-meeting-20220419#Agenda" title="Agenda" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Agenda</span></h2><ul class="gmail-part" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Intros and Reintros</span></li><li class="gmail-" 
style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Gail & OIDF Workshop at IIW</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Quick Overview: HackMD</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Token revocation use case {Tim}</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Complex subject into its own spec? {Tim}</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">eKYC use case for Token Claims Change {Tim}</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">RISC draft review period {Atul}</span></li></ul><h2 class="gmail-part" id="gmail-Attendees" style="box-sizing:border-box;border-bottom:1px solid rgb(238,238,238);font-family:inherit;line-height:1.25;color:inherit;margin-top:24px;margin-bottom:16px;padding-bottom:0.3em"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/@oidf-wg-sse/wg-meeting-20220419#Attendees" title="Attendees" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Attendees</span></h2><ul class="gmail-part" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Atul Tulshibagwale (SGNL)</span></li><li class="gmail-" 
style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Tim Cappalli (Microsoft)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Monty Wiseman ()</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Nancy Cam Winget (Cisco)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Gail Hodges (OpenID Foundation)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Asad Ali (Thales)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Tom Sato (VeriClouds)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Frank Taylor (VMWare)</span></li></ul><h2 class="gmail-part" id="gmail-Notes" style="box-sizing:border-box;border-bottom:1px solid rgb(238,238,238);font-family:inherit;line-height:1.25;color:inherit;margin-top:24px;margin-bottom:16px;padding-bottom:0.3em"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/@oidf-wg-sse/wg-meeting-20220419#Notes" title="Notes" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Notes</span></h2><h3 class="gmail-part" id="gmail-OIDF-Workshop-at-IIW" style="box-sizing:border-box;font-family:inherit;line-height:1.25;color:inherit;margin-top:24px;margin-bottom:16px;font-size:1.25em"><a class="gmail-anchor 
gmail-hidden-xs" href="https://hackmd.io/@oidf-wg-sse/wg-meeting-20220419#OIDF-Workshop-at-IIW" title="OIDF-Workshop-at-IIW" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">OIDF Workshop at IIW</span></h3><p class="gmail-part" style="box-sizing:border-box;margin:0px 0px 16px"><span style="box-sizing:border-box">Key Message to share with the workshop group</span></p><ul class="gmail-part" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Refresher on SSE and its activities</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Use cases</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Plans for the rest of the year</span></li></ul><p class="gmail-part" style="box-sizing:border-box;margin:0px 0px 16px"><span style="box-sizing:border-box">Token Revocation Talk</span></p><ul class="gmail-part" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Could token revocation be a separate event?</span></li></ul><p class="gmail-part" style="box-sizing:border-box;margin:0px 0px 16px"><span style="box-sizing:border-box">Sushi Dinner hosted by VeriClouds / Tom Sato!</span></p><ul class="gmail-part" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em"><li class="gmail-" 
style="box-sizing:border-box"><span style="box-sizing:border-box">Message Tom if you would like to go</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Sunday night</span></li></ul><h3 class="gmail-part" id="gmail-HackMD" style="box-sizing:border-box;font-family:inherit;line-height:1.25;color:inherit;margin-top:24px;margin-bottom:16px;font-size:1.25em"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/@oidf-wg-sse/wg-meeting-20220419#HackMD" title="HackMD" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">HackMD</span></h3><ul class="gmail-part" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Any feedback on HackMD?</span></li></ul><h3 class="gmail-part" id="gmail-Token-Revocation-Use-Case" style="box-sizing:border-box;font-family:inherit;line-height:1.25;color:inherit;margin-top:24px;margin-bottom:16px;font-size:1.25em"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/@oidf-wg-sse/wg-meeting-20220419#Token-Revocation-Use-Case" title="Token-Revocation-Use-Case" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" 
style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Token Revocation Use Case</span></h3><ul class="gmail-part" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">Add an event named “token-revoked” that carries the SAML assertion ID or the “jti” claim of the revoked token</span></p></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">What other fields should be included?</span></p></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">The only other mechanism that exists is the OAuth token revocation spec, which has some limitations</span></p></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">What about other similar use cases, such as step-up and SCIM updates? Those seem unrelated, because they are prescriptive and not descriptive</span></p></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">Token revocation could be “this is an action that has occurred, and you can do what you want with it”. 
The SCIM event could be similar</span></p></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">Are there best practice issues with conflating SCIM provisioning with SSE updates?</span></p></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">The SSE event could be an observation that “there is a group membership change”</span></p></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">Having a SCIM receiver ignore SSE notifications could be disastrous</span></p></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">Consumers other than IdPs or IAMs could use the SSE updates</span></p></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">Two peers may use SCIM for different purposes. One could be IdP, but another could be serving other functions beyond IdP and IAM (e.g. 
SaaS provider, vulnerability assessor)</span></p></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">We can define the intent and usage, but actual implementations may use the same protocol features in other ways</span></p></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">CAEP is currently descriptive: a recipient can do anything they want</span></p></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">How is a “token revocation” different from a “session revocation”?</span></p><ul style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Not all relying parties adopt the IdP’s view of sessions, whereas a token revocation would mean the recipient should revoke all sessions associated with the token</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Currently, there is scope for ambiguity, so a targeted event for token revocation would be good to remove such ambiguity</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">The receiver of the event may not be an IdP</span></li></ul></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">We need more discussion on other events (step-up may already be present; a SCIM-related event needs discussion)</span></p></li></ul><h3 class="gmail-part" id="gmail-Complex-Subjects-into-its-own-Spec" 
style="box-sizing:border-box;font-family:inherit;line-height:1.25;color:inherit;margin-top:24px;margin-bottom:16px;font-size:1.25em"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/@oidf-wg-sse/wg-meeting-20220419#Complex-Subjects-into-its-own-Spec" title="Complex-Subjects-into-its-own-Spec" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Complex Subjects into its own Spec</span></h3><ul class="gmail-part" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">EKYC group wants to use the complex subject spec</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">They initially created one big spec and split it out</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">They are interested in splitting out the complex subject spec so that they could reuse it</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Mutually beneficial</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Should keep the complex subject spec in OpenID for now</span></li></ul><h3 class="gmail-part" id="eKYC-group-interest-in-SSE" style="box-sizing:border-box;font-family:inherit;line-height:1.25;color:inherit;margin-top:24px;margin-bottom:16px;font-size:1.25em"><a class="gmail-anchor gmail-hidden-xs" 
href="https://hackmd.io/@oidf-wg-sse/wg-meeting-20220419#eKYC-group-interest-in-SSE" title="eKYC-group-interest-in-SSE" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">eKYC group interest in SSE</span></h3><ul class="gmail-part" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Use case: pending verification. The user signs in and the RP requests “verify X claim”. Could they use SSE to notify the RP?</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">It is a “token claims change”, but it deviates in that the current event supports changing any claim in the token.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">The eKYC group doesn’t want to send the new value in the event, but rather to request that the RP obtain a new token</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Can we add an optional flag to the event with the value “userInfo”, which requires the RP to go and fetch the claims again?</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Is this actually a “token claims change”?</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Separate use case: could the “token claims change” event contain a new ID Token that the RP can 
use?</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">We probably need to get the OIDC group’s views on this</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">In-person discussion at OSW and EIC (Berlin, May 10-13)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Is using the “token claims change” value with a claim that didn’t previously exist in the token a legitimate use case? Yes, because you can today send a token claims change event with new claims.</span></li></ul><h3 class="gmail-part" id="gmail-RISC-Review-Period" style="box-sizing:border-box;font-family:inherit;line-height:1.25;color:inherit;margin-top:24px;margin-bottom:16px;font-size:1.25em"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/@oidf-wg-sse/wg-meeting-20220419#RISC-Review-Period" title="RISC-Review-Period" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">RISC Review Period</span></h3><ul class="gmail-part" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Reach out again to Mike Jones to start the review</span></li></ul><h2 class="gmail-part" id="gmail-Action-Items" style="box-sizing:border-box;border-bottom:1px solid rgb(238,238,238);font-family:inherit;line-height:1.25;color:inherit;margin-top:24px;padding-bottom:0.3em;margin-bottom:0px"><a 
class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/@oidf-wg-sse/wg-meeting-20220419#Action-Items" title="Action-Items" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a></h2></div></div></div>
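The token revocation discussion in the notes above (a targeted event carrying the revoked token's “jti” or SAML assertion ID, as distinct from CAEP's session-revoked event, which the receiver may interpret for all of a subject's sessions) is sketched below as an added Python example. This is not code from the meeting notes, from the SSE working group or from any published draft. The event-type URI for token-revoked, the `token_id` field inside it, the issuer/audience values, the sample sessions and the HS256 shared secret are all constructed assumptions; the only non-constructed identifier is the CAEP session-revoked event URI. The receiver pins the expected JWS algorithm, checks `iss`/`aud`/`iat`, de-duplicates by SET `jti`, and revokes only the sessions that were established with the named token.

```python
"""Added example: receiving a hypothetical "token-revoked" Security Event Token.

Not code from the SSE WG or any spec. The SET container follows RFC 8417
(JWT with "events" and "jti" claims, typ "secevent+jwt"); everything marked
"constructed" or "assumption" below is invented for this example.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumption: placeholder URI for the token-revoked event proposed in the notes.
TOKEN_REVOKED = "urn:example:sse:event-type:token-revoked"
# Event type defined by the CAEP specification.
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"

SHARED_SECRET = b"constructed-example-secret-not-for-production"  # constructed
TRANSMITTER = "https://idp.example.com"  # constructed issuer (SSE transmitter)
RECEIVER = "https://rp.example.com"      # constructed audience (SSE receiver)
IAT_WINDOW_SECONDS = 300                 # freshness window for the SET's iat


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_set(payload: dict, secret: bytes = SHARED_SECRET) -> str:
    """Serialise a SET as an HS256 JWS (constructed; deployments use asymmetric keys)."""
    header = {"typ": "secevent+jwt", "alg": "HS256"}
    h = _b64url(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"


def verify_set(token: str, secret: bytes = SHARED_SECRET, now=None) -> dict:
    """Verify the signature and the claims a receiver must check before acting."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm and type; never let the token choose how it is verified.
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        raise ValueError("unexpected JWS header")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != TRANSMITTER or claims.get("aud") != RECEIVER:
        raise ValueError("iss/aud mismatch")
    if "jti" not in claims or not isinstance(claims.get("events"), dict):
        raise ValueError("not a SET: missing jti or events")
    if abs(now - int(claims.get("iat", 0))) > IAT_WINDOW_SECONDS:
        raise ValueError("iat outside acceptance window")
    return claims


class Receiver:
    """RP-side session store that remembers which token established each session."""

    def __init__(self):
        self.sessions = {}     # session_id -> {"sub": ..., "token_id": ...}
        self.seen_jti = set()  # SET jti values already processed (replay/duplicate guard)

    def login(self, session_id: str, sub: str, token_id: str) -> None:
        self.sessions[session_id] = {"sub": sub, "token_id": token_id}

    def active(self) -> list:
        return sorted(self.sessions)

    def handle(self, token: str, now=None) -> list:
        """Verify a SET and return the session ids revoked because of it."""
        claims = verify_set(token, now=now)
        if claims["jti"] in self.seen_jti:
            return []  # duplicate delivery: already acted on, do nothing twice
        self.seen_jti.add(claims["jti"])
        sub = claims.get("sub_id", {}).get("sub")
        revoked = []
        for uri, event in claims["events"].items():
            event = event or {}
            if uri == TOKEN_REVOKED:
                # Targeted: only sessions established with the named token (assumed field).
                victims = [sid for sid, s in self.sessions.items()
                           if s["token_id"] == event.get("token_id")]
            elif uri == SESSION_REVOKED:
                # Broad: every session this RP holds for the subject.
                victims = [sid for sid, s in self.sessions.items() if s["sub"] == sub]
            else:
                victims = []  # descriptive event the RP chooses not to act on
            for sid in victims:
                del self.sessions[sid]
                revoked.append(sid)
        return sorted(revoked)


def demo():
    """Constructed walk-through: two sessions for alice, one for bob."""
    now = 1650000000
    rp = Receiver()
    rp.login("s1", "alice", token_id="jwt-aaa")
    rp.login("s2", "alice", token_id="jwt-bbb")
    rp.login("s3", "bob", token_id="_saml-assertion-ccc")  # SAML assertion ID as token id

    def make(event_uri, jti, sub, **fields):
        return sign_set({"iss": TRANSMITTER, "aud": RECEIVER, "iat": now, "jti": jti,
                         "sub_id": {"format": "iss_sub", "iss": TRANSMITTER, "sub": sub},
                         "events": {event_uri: fields}})

    t1 = make(TOKEN_REVOKED, "set-1", "alice", token_id="jwt-aaa")
    first = rp.handle(t1, now=now)       # only s1: s2 was issued under a different token
    replay = rp.handle(t1, now=now)      # same SET delivered again: nothing further happens
    t2 = make(SESSION_REVOKED, "set-2", "alice")
    second = rp.handle(t2, now=now)      # alice's remaining session s2
    return first, replay, second, rp.active()


if __name__ == "__main__":
    print(demo())
```

The contrast the notes draw is visible in `handle`: the token-revoked branch keys on the token identifier the session was created with, so a revocation of one token leaves the subject's other sessions alone, while session-revoked keys on the subject. Rejecting a tampered or mis-addressed SET happens in `verify_set` before any session is touched.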