<div dir="ltr">Hi all,<br><div>Thanks for attending the working group call today. Here are the notes (also stored <a href="https://hackmd.io/qbrLUwMORES9yEhaVLypOA">here</a>):</div><div><br></div><div><h1 class="gmail-part" id="gmail-WG-Meeting-2022-06-28" style="box-sizing:border-box;border-bottom:1px solid rgb(238,238,238);margin:0px 0px 16px;font-family:inherit;line-height:1.25;color:inherit;padding-bottom:0.3em"><span style="box-sizing:border-box">WG Meeting: 2022-06-28</span></h1><h2 class="gmail-part" id="gmail-Agenda" style="box-sizing:border-box;border-bottom:1px solid rgb(238,238,238);font-family:inherit;line-height:1.25;color:inherit;margin-top:24px;margin-bottom:16px;padding-bottom:0.3em"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/qbrLUwMORES9yEhaVLypOA?view#Agenda" title="Agenda" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Agenda</span></h2><ul class="gmail-part" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Intros and Reintros</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Identiverse recap</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Discuss </span><a href="https://github.com/openid/sse/issues/14" target="_blank" rel="noopener" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none"><span 
style="box-sizing:border-box">stream ID in delivery endpoints</span></a></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Required fields in CAEP events (Okta feedback)</span></li></ul><h2 class="gmail-part" id="gmail-Attendees" style="box-sizing:border-box;border-bottom:1px solid rgb(238,238,238);font-family:inherit;line-height:1.25;color:inherit;margin-top:24px;margin-bottom:16px;padding-bottom:0.3em"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/qbrLUwMORES9yEhaVLypOA?view#Attendees" title="Attendees" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Attendees</span></h2><ul class="gmail-part" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Atul Tulshibagwale (SGNL)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Tim Cappalli (Microsoft)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Shayne Miel (Cisco)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Jason Garbis (AppGate)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Steve Venema (ForgeRock)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Edmund Jay 
()</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Martin Gallo (SecureAuth)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Tom Sato (VeriClouds)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Frank Taylor (VMWare)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Gail Hodges (OpenID Foundation)</span></li></ul><h2 class="gmail-part" id="gmail-Notes" style="box-sizing:border-box;border-bottom:1px solid rgb(238,238,238);font-family:inherit;line-height:1.25;color:inherit;margin-top:24px;margin-bottom:16px;padding-bottom:0.3em"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/qbrLUwMORES9yEhaVLypOA?view#Notes" title="Notes" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Notes</span></h2><h3 class="gmail-part" id="gmail-Identiverse-Recap" style="box-sizing:border-box;font-family:inherit;line-height:1.25;color:inherit;margin-top:24px;margin-bottom:16px;font-size:1.25em"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/qbrLUwMORES9yEhaVLypOA?view#Identiverse-Recap" title="Identiverse-Recap" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" 
style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Identiverse Recap</span></h3><ul class="gmail-part gmail-in-view" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">Panel feedback</span></p><ul style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Microsoft: > 25 million events per day</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Google: millions of events sent to 100s of thousands of apps</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Panel video </span><a href="https://www.youtube.com/watch?v=6Z6PMNNIlDY" target="_blank" rel="noopener" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none"><span style="box-sizing:border-box">link</span></a></li></ul></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">Booth feedback (Tom Sato)</span></p><ul style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Panel was extremely well attended</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Many important people from the IDaaS community</span></li><li class="gmail-" 
style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Okta, ForgeRock, Ping, etc.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Attended by > 100 / 150 people</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Workday came to the OpenID SSE booth after the panel</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Okta team also visited the booth</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Booth was represented by Tom Sato, Nancy Cam-Winget (Cisco) and Nick Wooler (Cisco)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Questions about multi-tenanted ecosystems and how events could be shared across tenants in such an environment</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Open issues with the credential compromised event</span></li></ul></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">Stream ID issue:</span></p><ul style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">When the Transmitter is sending the event either using Push or Poll, we need a way for the Transmitter to specify the stream ID</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">In case of Push, the Receiver could specify it as a part of the Receiver URL - do we need to do something in the spec for that</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span 
style="box-sizing:border-box">The Transmitter’s Polling endpoint could have a Stream ID. We could be more prescriptive about it</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">We have to be normative about this</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Do we provide a parameter name or a path component?</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">One possibility: For Push: Spec should specify that the Receiver “SHOULD” define unique URLs for each Stream. For Poll, the spec should recommend how a Transmitter constructs the URL with the stream ID as a path component</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">We should modify the proposal such that the stream ID is always in the path and not in the payload</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Is it easier in any way to parse a payload component / query parameter / path component?</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Would that only be on a Push?</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Would the metadata that describes all this have a placeholder for the stream ID in the paths? 
Microsoft does something similar with tenant ID in Azure AD.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Tim to review the OpenID Connect spec and figure out if anything relevant can be used by us</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">We should have one metadata for the Transmitter, not one metadata per stream</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Shayne to update the PR to include path components instead of stream IDs in payloads</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Should we have a path component to indicate the resource type? i.e. “/streams/&lt;stream-id&gt;”</span></li></ul></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">Interop testing</span></p><ul style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">OpenID will support building an implementation that can be used to test against</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Tom spoke to Authlete and to Mark Haine’s company, which has done work on something similar for FAPI. 
They have experience on how to do this.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">It could cost between $10k - $20k to have such an implementation (based on experience of building something similar for FAPI)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Do they also do compliance testing? These two companies can do it</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">The goal is that whenever this gets built, we hand it over to the OpenID conformance testing team</span></li></ul></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">Optional fields in CAEP events</span></p><ul style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">E.g. 
The “assurance level” field in the “assurance level change” event</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Optionality makes implementations complex</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Tim and Atul to set up time with Okta (Karl) to understand their feedback and bring it back to the WG</span></li></ul></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">Feedback from IDaaS</span><br style="box-sizing:border-box"><span style="box-sizing:border-box">Issues raised</span></p><ol style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Re: compromised-credentials event - Sending PW across IdPs is problematic. Verification Token can help</span><ul style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Sending the hash of the password would require the Transmitter and Receiver to agree on the hashing algorithm</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">What are the use cases? Are there two? 
One where there is an independent service, but is there a second case where the IdP is indicating that they know authoritatively that the credential is compromised?</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Can we add the “password verifier” in the event, such that a Receiver can compare this value to their stored value and determine if the credential compromise event applies to them</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">What is the use case of the identity provider notifying an SP of “credentials compromise”?</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Atul to write this up and send it to the WG email for discussion</span></li></ul></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">For a large IdP, polling millions of user identifiers is not possible. Sendto mechanism could help, but how?</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">IDaaS needs a transmitter hub structure within their ecosystem.</span></li></ol></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><p style="box-sizing:border-box;margin:16px 0px"><span style="box-sizing:border-box">Proposed but not discussed:</span></p><ul style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Outreach</span><ol style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Major webapps</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">CISA</span></li><li class="gmail-" 
style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Cybersecurity SETs</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Special WG Session for newcomers</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Webinar with use cases</span></li></ol></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Testbed, reference implementation, test data, conformance testing</span><ol style="box-sizing:border-box;margin-top:0px;margin-bottom:0px;padding-left:2em"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">We generated so much interest; many of the newcomers will need these tools. Cost? Funds?</span></li></ol></li></ul></li></ul><h2 class="gmail-part gmail-in-view" id="gmail-Action-Items" style="box-sizing:border-box;border-bottom:1px solid rgb(238,238,238);font-family:inherit;line-height:1.25;color:inherit;margin-top:24px;margin-bottom:16px;padding-bottom:0.3em"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/qbrLUwMORES9yEhaVLypOA?view#Action-Items" title="Action-Items" style="box-sizing:border-box;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1;font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:24px;letter-spacing:0.35px"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box;color:rgb(51,51,51);font-family:-apple-system,"system-ui","Segoe UI","Helvetica 
Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:24px;letter-spacing:0.35px"><br class="gmail-Apple-interchange-newline"></span></h2></div></div>
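The stream-ID discussion above weighs carrying the ID as a path component ("/streams/&lt;stream-id&gt;") for both Push and Poll, with the Transmitter metadata holding a placeholder for it. The following is an added example, not code from the notes or from the SSE specification; it assumes a per-stream Receiver push URL under a "/streams/" prefix and a hypothetical "{stream_id}" placeholder syntax in a poll-endpoint template, and shows the validation a Receiver and Transmitter would want so that a stream ID in a path cannot be mistaken for another stream.

```python
import re
from urllib.parse import quote, urlsplit

# Conservative character set for stream IDs that will live in a URL path.
# Anything outside it ('/', '?', '#', '%', spaces) could change URL structure
# or make two different IDs resolve to the same path.
_STREAM_ID_RE = re.compile(r"^[A-Za-z0-9._~-]{1,128}$")


class StreamIdError(ValueError):
    """Raised when a stream ID is missing, malformed or not configured."""


def validate_stream_id(stream_id: str) -> str:
    """Return stream_id unchanged if it is safe to use as one path segment."""
    if not _STREAM_ID_RE.fullmatch(stream_id):
        raise StreamIdError(f"unsafe or malformed stream ID: {stream_id!r}")
    return stream_id


def build_poll_url(poll_template: str, stream_id: str) -> str:
    """Transmitter side: expand a metadata template such as
    'https://transmitter.example/streams/{stream_id}/poll' (hypothetical
    placeholder syntax, analogous to the tenant-ID placeholder the notes
    mention for Azure AD metadata) into the poll URL for one stream."""
    if "{stream_id}" not in poll_template:
        raise StreamIdError("poll endpoint template lacks {stream_id} placeholder")
    # quote(safe="") is defensive; the regex already excludes reserved chars.
    segment = quote(validate_stream_id(stream_id), safe="")
    return poll_template.replace("{stream_id}", segment)


def stream_id_from_push_url(url: str, prefix: str = "/streams/") -> str:
    """Receiver side: recover the stream ID from a per-stream push URL
    ('/streams/<stream-id>' in the notes). Query string and fragment are
    ignored; extra path segments are rejected so one URL maps to exactly
    one stream."""
    path = urlsplit(url).path
    if not path.startswith(prefix):
        raise StreamIdError(f"push path {path!r} is not under {prefix!r}")
    remainder = path[len(prefix):]
    if not remainder or "/" in remainder:
        raise StreamIdError(f"push path {path!r} is not a single stream segment")
    return validate_stream_id(remainder)


def route_push(url: str, known_streams: set) -> str:
    """Dispatch an incoming push to a configured stream. Unknown stream IDs are
    refused rather than auto-created, so a delivery cannot be accepted into a
    stream the Receiver never set up."""
    stream_id = stream_id_from_push_url(url)
    if stream_id not in known_streams:
        raise StreamIdError(f"no configured stream with ID {stream_id!r}")
    return stream_id
```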