<div dir="ltr">Hi all,<br><div>Here are the notes from today's meeting. They are also stored <a href="https://hackmd.io/@oidf-wg-sse/wg-meeting-20230926">here</a>.</div><div><br></div><div>Thanks to all who attended,</div><div>Atul</div><div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span><div dir="ltr" style="margin-left:0pt" align="left"><table style="border:none;border-collapse:collapse"><colgroup><col width="142"><col width="482"></colgroup><tbody><tr style="height:0pt"><td style="vertical-align:middle;padding:-9.432pt -9.432pt -9.432pt -9.432pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><a href="https://sgnl.ai" target="_blank"><span style="font-size:11pt;font-family:"Work Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><span style="border:none;display:inline-block;overflow:hidden;width:137px;height:68px"><img src="https://lh3.googleusercontent.com/aO7jB_JqOxA0tVDXsAotNQnsfEkxEORgtkVnVFrmkR7O8j3B4lbbRsGFuprzQhfDmri2YH8_dnjPiZnGMZxIcT9xRcdY6rYm-xGophLkgvl_v8istAefyh4qkSVINQtPfcmq5BZiKbfFHmursSUHyll1jEWBTd--nw26MIMKd86Br32rGZkvJwnEED_nzQ" width="137" height="68" style="margin-left:0px;margin-top:0px"></span></span></a></p></td><td style="vertical-align:top;padding:5pt 5pt 5pt 5pt;overflow:hidden"><p dir="ltr" style="line-height:1.44;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Work Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Atul Tulshibagwale</span></p><p dir="ltr" style="line-height:1.44;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Work Sans",sans-serif;color:rgb(102,102,102);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">CTO </span></p><p dir="ltr" 
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><font size="1"><span style="font-family:"Work Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><span style="border:none;display:inline-block;overflow:hidden;width:20px;height:27px"><a href="https://linkedin.com/in/tulshi" target="_blank"><img src="https://lh6.googleusercontent.com/ezm4lDcLtajK4RMqqHALoRgXyaC4HRlw0wWsR2Jvms0V9Wrxr3x5G66zsUrYpRXyeJ3RwLS3GdKUwO0Ui5mXPodSkUx8Xsarf_vj6WlJ05Y1qJoMFTlCZnEgtHvlJ7_7Dr7zWNjkvf3nMW9u1P5ye76SeHgz2QqGQ_rm-sjqYOS-vH1UZL7Yiewi4UO3Qw" width="20" height="27" style="margin-left:0px;margin-top:0px"></a> </span></span><span style="font-family:"Work Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><span style="border:none;display:inline-block;overflow:hidden;width:20px;height:27px"><a href="https://twitter.com/zirotrust" target="_blank"><img src="https://lh6.googleusercontent.com/HAnAvykj318aQf5zTUZkjIJDtwelDecFi5d-idBrpUDBj7aKTdup5Mfia6UIbXTAP46zg7gigNnroQ9he3j81Sf9qCRRSS-w_nZ3oSXJnYLbPlCXgt6IqoifgHXETuJSRvFIZRIdn_aAbtp8ilKFyIVuTXjVe6cNAfXc5KZNwJeYinwfZZxVvHHaR5uIdQ" width="20" height="27" style="margin-left:0px;margin-top:0px"></a> </span></span><a href="mailto:atul@sgnl.ai" target="_blank"><img src="https://lh3.googleusercontent.com/63PpVJLMybZyfD61JVu0TVH_KkP_IhneeBpDNvbd1KeSFJn6KZzWCgp4hFbrTrIxfksYyM-_wOjNKbjEhSQ2khRXVI3XKcwABLNLI_bFjkN0_NgVoijs_nIRcVJKeQm0s0MRdtkUkCOp5Omyv1faqcNiQxGEUyAvmE9HkeeQCeHa-LxleK0oHSAyQrDY6g" width="21" height="21" style="background-color:transparent;color:rgb(0,0,0);font-family:Arial;white-space:pre-wrap;margin-left:0px;margin-top:0px"></a></font></p></td></tr></tbody></table><br></div><div dir="ltr" style="margin-left:0pt" align="left"><h1 class="gmail-part gmail-in-view" id="gmail-WG-Meeting-2023-09-26" style="box-sizing:border-box;margin:0px 0px 16px;font-family:-apple-system,"system-ui","Segoe UI","Helvetica 
Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";line-height:1.25;color:rgb(51,51,51);padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px"><span style="box-sizing:border-box">WG Meeting: 2023-09-26</span></h1><h2 class="gmail-part gmail-in-view" id="gmail-Agenda" style="box-sizing:border-box;font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/tXJMrxV4TcKKY7XByg2w8Q?view#Agenda" title="Agenda" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Agenda</span></h2><ul class="gmail-part gmail-in-view" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px"><li class="gmail-" style="box-sizing:border-box"><a href="https://github.com/openid/sharedsignals/pull/121" target="_blank" rel="noopener" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none"><span 
style="box-sizing:border-box">https://github.com/openid/sharedsignals/pull/121</span></a></li></ul><h2 class="gmail-part gmail-in-view" id="gmail-Attendees" style="box-sizing:border-box;font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/tXJMrxV4TcKKY7XByg2w8Q?view#Attendees" title="Attendees" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Attendees</span></h2><ul class="gmail-part gmail-in-view" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Atul Tulshibagwale (SGNL)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Apoorva Deshpande (Okta)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Tim Cappalli (Microsoft)</span></li><li class="gmail-" 
style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Shayne Miel (Cisco)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Yair Sarig (VMWare)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Victor Lu ()</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Phil Hunt (Independent Id)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Sean O’Dell (independent)</span></li></ul><h2 class="gmail-part gmail-in-view" id="gmail-Notes" style="box-sizing:border-box;font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/tXJMrxV4TcKKY7XByg2w8Q?view#Notes" title="Notes" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Notes</span></h2><h3 class="gmail-part gmail-in-view" id="gmail-PR-121" style="box-sizing:border-box;font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI 
Symbol";line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:1.25em;letter-spacing:0.35px"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/tXJMrxV4TcKKY7XByg2w8Q?view#PR-121" title="PR-121" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><a href="https://github.com/openid/sharedsignals/pull/121" rel="noopener" target="_blank" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none"><span style="box-sizing:border-box">PR 121</span></a></h3><ul class="gmail-part gmail-in-view" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Regarding the audience claim in a Stream’s events: the Receiver must be able to specify the audience (i.e. 
the value of the </span><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;font-size:13.6px;padding:0.2em 0px;background-color:rgba(0,0,0,0.04);border-radius:3px;margin:0px;color:inherit">aud</code><span style="box-sizing:border-box"> claim in the events)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Shayne) It was originally Transmitter specified because it was tied to the bearer token. Now that we are decoupling authorization from the stream identification, we can make it Receiver specified</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Yair) If the Receiver can specify the audience, then a Receiver can specify an audience for some other Receiver. If it is completely determined by the Receiver, then it opens up the possibility of abuse.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Atul) Can we append the stream Id to the Receiver specified audience?</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Phil) Any automatic binding may create utility issues, because the actual receiver may not be the one that the Transmitter sends it to</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Phil) If in a customer config, you set up a project, I’m going to specify the audience in “*.<a href="http://example.com">example.com</a>”,…, so there should be some OOB way for the Transmitter to determine the audience for each registered client.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Yair) Can we add another claim in the event that identifies the stream?</span></li><li class="gmail-" 
style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Phil) I’m differentiating streams with different access tokens, each of which is bound to one stream</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Phil) So you could have a token returned in the stream configuration, which is stream-specific. When you need to renew, you can get the stream configuration again, and get a new token.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Shayne) In the POLL model, the Transmitter must specify different endpoints for each stream.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Sean) In our case the audience is Transmitter supplied, and the authorization token is bound to an audience.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Apoorva) It’s not just audience, the delivery endpoint could be changed to some other stream. We are not solving anything by just talking about audience here.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Phil) The security consideration has to be that the Tx and Rx must be able to figure out between themselves which stream each event is meant for</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Yair) Aud claim is a security consideration, so it should not be determined by the Receiver. 
The Transmitter can set another claim in the event to disambiguate if necessary.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Atul) Would having a unique identifier in the POLL endpoint satisfy the requirement?</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Apoorva) There would need to be some out-of-band communication about what the Audience should be. We should then make it clear in the spec. We must require that the Transmitter doesn’t have the same audience for multiple receivers.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Sean) JWT signatures help disambiguate the issuer.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Phil) Impersonation is handled by signature. Re-using the JWT meant for someone else is still possible.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Apoorva) There is no logical concept of a Receiver in the spec(!)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Phil) Having the audience be Transmitter supplied restricts the spec to not allow certain use cases.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Shayne) The Security Events situation is a different use case than getting access tokens. It is hard to use a fake token in access token situations. But with SETs, we’re doing other things, the threat model is fairly different. 
We have to consider what is the actual threat model.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Phil) What I’m describing is that the core claims in JWT are still the same, e.g. the audience. If you are putting restrictions on the aud claim that is unlike how it is used in JWT, you should define a new claim.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Phil) The JWT spec simply says that the value of the aud claim should be what the Receiver expects it to be.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Atul) Need to end call. We do not have consensus yet.</span></li></ul><h2 class="gmail-part gmail-in-view" id="gmail-Action-Items" style="box-sizing:border-box;font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";line-height:1.25;color:rgb(51,51,51);margin-top:24px;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px;margin-bottom:0px"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/tXJMrxV4TcKKY7XByg2w8Q?view#Action-Items" title="Action-Items" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Action Items</span></h2></div></span></div></div></div>
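As an added illustration (not part of the meeting notes, PR 121, or the Shared Signals specification), the following Python sketch shows the Receiver-side checks the discussion turns on: the signature rules out an impersonated Transmitter, the <code>typ</code> check keeps a SET from being confused with an access token (the threat-model difference Shayne raised), the <code>aud</code> check rejects a validly signed SET that was minted for a different Receiver (the reuse Phil described, which only works as a defence if the Transmitter never assigns two Receivers the same audience, as Apoorva noted), a stream-identifying claim catches a SET delivered to the wrong stream (Yair's suggestion), and a <code>jti</code> cache catches replay. Everything in it is constructed: HS256 with a shared secret is used only so the example runs offline (a real Transmitter signs with a key from its JWKS), and the claim name <code>x_stream_id</code>, the issuer and audience URLs, and the sample event are assumptions, not values from the spec.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret so the example runs offline with HS256. A real SSF
# Transmitter signs with an asymmetric key published in its JWKS; the Receiver
# checks below do not depend on that choice.
TRANSMITTER_KEY = b"constructed-demo-key-not-for-real-use"
TRANSMITTER_ISS = "https://transmitter.example"  # constructed issuer URL
# Hypothetical name for an extra stream-identifying claim. The meeting only
# floated the idea; the spec defines no such claim, so this is an assumption.
STREAM_CLAIM = "x_stream_id"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(TRANSMITTER_KEY, signing_input, hashlib.sha256).digest()


def mint_set(aud, stream_id, events, jti, typ="secevent+jwt"):
    """Transmitter side: build a Security Event Token (RFC 8417) as a compact JWS."""
    header = {"alg": "HS256", "typ": typ}
    payload = {"iss": TRANSMITTER_ISS, "jti": jti, "iat": int(time.time()),
               "aud": aud, STREAM_CLAIM: stream_id, "events": events}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(payload).encode())).encode()
    return signing_input.decode() + "." + _b64url(_sign(signing_input))


class SetRejected(Exception):
    """Raised by the Receiver for any SET it must not act on."""


def validate_set(token, expected_aud, expected_stream_id, seen_jti):
    """Receiver side: return the verified payload or raise SetRejected.

    Order matters: nothing in the token is trusted before the signature check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise SetRejected("not a compact JWS")
    signing_input = (parts[0] + "." + parts[1]).encode()
    # 1. Signature: rules out an impersonated Transmitter.
    if not hmac.compare_digest(_sign(signing_input), _b64url_decode(parts[2])):
        raise SetRejected("bad signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    # 2. Token type: a SET must never be accepted where an access token is
    #    expected, nor the reverse (RFC 8417 recommends typ "secevent+jwt").
    if header.get("typ") != "secevent+jwt":
        raise SetRejected("typ is not secevent+jwt")
    if payload.get("iss") != TRANSMITTER_ISS:
        raise SetRejected("unexpected issuer")
    # 3. Audience: RFC 7519 allows a string or an array; this Receiver must be
    #    named in it. A validly signed SET minted for another Receiver fails
    #    here, provided no two Receivers share an audience value.
    aud = payload.get("aud")
    aud_values = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_values:
        raise SetRejected("SET was issued for a different audience")
    # 4. Stream binding: catches a SET with the right audience on the wrong stream.
    if payload.get(STREAM_CLAIM) != expected_stream_id:
        raise SetRejected("SET belongs to a different stream")
    # 5. Replay: jti is unique per SET, so a repeat is a replay.
    jti = payload.get("jti")
    if not jti or jti in seen_jti:
        raise SetRejected("jti missing or already seen")
    if "events" not in payload:
        raise SetRejected("no events claim")
    seen_jti.add(jti)
    return payload


def demo():
    """Exercise the checks as Receiver A (aud https://rx-a.example, stream stream-a1)."""
    # Constructed sample event: a CAEP session-revoked for one email subject.
    events = {"https://schemas.openid.net/secevent/caep/event-type/session-revoked":
              {"subject": {"format": "email", "email": "user@example.com"}}}
    seen = set()

    def outcome(token):
        try:
            validate_set(token, "https://rx-a.example", "stream-a1", seen)
            return "accepted"
        except SetRejected as err:
            return str(err)

    for_a = mint_set("https://rx-a.example", "stream-a1", events, "jti-1")
    for_b = mint_set("https://rx-b.example", "stream-b1", events, "jti-2")
    # Negative test: B's payload rewritten to name A, but still carrying B's signature.
    h, p, s = for_b.split(".")
    edited = json.loads(_b64url_decode(p))
    edited["aud"], edited[STREAM_CLAIM] = "https://rx-a.example", "stream-a1"
    tampered = h + "." + _b64url(json.dumps(edited).encode()) + "." + s
    return {
        "legitimate": outcome(for_a),
        "minted_for_receiver_b": outcome(for_b),
        "same_audience_other_stream": outcome(mint_set("https://rx-a.example", "stream-a2", events, "jti-3")),
        "plain_jwt_typ": outcome(mint_set("https://rx-a.example", "stream-a1", events, "jti-4", typ="JWT")),
        "tampered_audience": outcome(tampered),
        "duplicate_jti": outcome(for_a),
    }
```

Running <code>demo()</code> shows that only the SET minted for this Receiver and this stream is accepted; the audience check alone would have let the same-audience, other-stream case through, which is why the discussion kept returning to some stream-level binding (a claim, a per-stream endpoint, or a per-stream token) on top of <code>aud</code>.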