<div dir="ltr">Hi all,<br><div>Here are the notes from today's meeting. They are also stored <a href="https://hackmd.io/@oidf-wg-sse/wg-meeting-20231031">here</a>:</div><div><br></div><div>Atul</div><div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span><div dir="ltr" style="margin-left:0pt" align="left"><table style="border:none;border-collapse:collapse"><colgroup><col width="142"><col width="482"></colgroup><tbody><tr style="height:0pt"><td style="vertical-align:middle;padding:-9.432pt -9.432pt -9.432pt -9.432pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><a href="https://sgnl.ai" target="_blank"><span style="font-size:11pt;font-family:"Work Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><span style="border:none;display:inline-block;overflow:hidden;width:137px;height:68px"><img src="https://lh3.googleusercontent.com/aO7jB_JqOxA0tVDXsAotNQnsfEkxEORgtkVnVFrmkR7O8j3B4lbbRsGFuprzQhfDmri2YH8_dnjPiZnGMZxIcT9xRcdY6rYm-xGophLkgvl_v8istAefyh4qkSVINQtPfcmq5BZiKbfFHmursSUHyll1jEWBTd--nw26MIMKd86Br32rGZkvJwnEED_nzQ" width="137" height="68" style="margin-left:0px;margin-top:0px"></span></span></a></p></td><td style="vertical-align:top;padding:5pt 5pt 5pt 5pt;overflow:hidden"><p dir="ltr" style="line-height:1.44;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Work Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Atul Tulshibagwale</span></p><p dir="ltr" style="line-height:1.44;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Work Sans",sans-serif;color:rgb(102,102,102);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">CTO </span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><font size="1"><span 
style="font-family:"Work Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><span style="border:none;display:inline-block;overflow:hidden;width:20px;height:27px"><a href="https://linkedin.com/in/tulshi" target="_blank"><img src="https://lh6.googleusercontent.com/ezm4lDcLtajK4RMqqHALoRgXyaC4HRlw0wWsR2Jvms0V9Wrxr3x5G66zsUrYpRXyeJ3RwLS3GdKUwO0Ui5mXPodSkUx8Xsarf_vj6WlJ05Y1qJoMFTlCZnEgtHvlJ7_7Dr7zWNjkvf3nMW9u1P5ye76SeHgz2QqGQ_rm-sjqYOS-vH1UZL7Yiewi4UO3Qw" width="20" height="27" style="margin-left:0px;margin-top:0px"></a> </span></span><span style="font-family:"Work Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><span style="border:none;display:inline-block;overflow:hidden;width:20px;height:27px"><a href="https://twitter.com/zirotrust" target="_blank"><img src="https://lh6.googleusercontent.com/HAnAvykj318aQf5zTUZkjIJDtwelDecFi5d-idBrpUDBj7aKTdup5Mfia6UIbXTAP46zg7gigNnroQ9he3j81Sf9qCRRSS-w_nZ3oSXJnYLbPlCXgt6IqoifgHXETuJSRvFIZRIdn_aAbtp8ilKFyIVuTXjVe6cNAfXc5KZNwJeYinwfZZxVvHHaR5uIdQ" width="20" height="27" style="margin-left:0px;margin-top:0px"></a> </span></span><a href="mailto:atul@sgnl.ai" target="_blank"><img src="https://lh3.googleusercontent.com/63PpVJLMybZyfD61JVu0TVH_KkP_IhneeBpDNvbd1KeSFJn6KZzWCgp4hFbrTrIxfksYyM-_wOjNKbjEhSQ2khRXVI3XKcwABLNLI_bFjkN0_NgVoijs_nIRcVJKeQm0s0MRdtkUkCOp5Omyv1faqcNiQxGEUyAvmE9HkeeQCeHa-LxleK0oHSAyQrDY6g" width="21" height="21" style="background-color:transparent;color:rgb(0,0,0);font-family:Arial;white-space:pre-wrap;margin-left:0px;margin-top:0px"></a></font></p></td></tr></tbody></table><br></div><div dir="ltr" style="margin-left:0pt" align="left"><h1 class="gmail-part" id="gmail-WG-Meeting-2023-10-31" style="box-sizing:border-box;margin:0px 0px 16px;font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI 
Symbol";line-height:1.25;color:rgb(51,51,51);padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px"><span style="box-sizing:border-box">WG Meeting: 2023-10-31</span></h1><h2 class="gmail-part" id="gmail-Agenda" style="box-sizing:border-box;font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/uWnsDRqiSlW8k0rg2F47GA?view#Agenda" title="Agenda" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Agenda</span></h2><ul class="gmail-part" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Joseph Heenan to lead discussion on certification</span></li></ul><h2 class="gmail-part" id="gmail-Attendees" style="box-sizing:border-box;font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI 
Symbol";line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/uWnsDRqiSlW8k0rg2F47GA?view#Attendees" title="Attendees" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Attendees</span></h2><ul class="gmail-part" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Atul Tulshibagwale (SGNL)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Steve Venema (ForgeRock)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Phil Hunt (IndependentID)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Joseph Heenan (Authlete)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Shayne Miel (Cisco)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Tim Cappalli 
(Microsoft)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Mike Kiser (SailPoint)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Sean O’dell (Disney)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Eric Karlinsky (Okta)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Apoorva Deshpande (Okta)</span></li></ul><h2 class="gmail-part" id="gmail-Notes" style="box-sizing:border-box;font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/uWnsDRqiSlW8k0rg2F47GA?view#Notes" title="Notes" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Notes</span></h2><h3 class="gmail-part" id="gmail-Certification--Interop" style="box-sizing:border-box;font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI 
Symbol";line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;font-size:1.25em;letter-spacing:0.35px"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/uWnsDRqiSlW8k0rg2F47GA?view#Certification--Interop" title="Certification--Interop" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Certification / Interop</span></h3><ul class="gmail-part gmail-in-view" style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding-left:2em;color:rgb(51,51,51);font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;letter-spacing:0.35px"><li class="gmail-" style="box-sizing:border-box"><span style="box-sizing:border-box">Joseph also works for OIDF - leads the certification program</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">OIDC has been running the certification program for over 8 years</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">FAPI also has a certification program. Various ecosystems, e.g. UK, Brazil, Australia, etc. have mandated certification. 
Expect US and Canada to follow</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">All tests are a part of the OpenID Test Suite in a Java framework (was Python earlier)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">The framework provides isolation,</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">The expectation is that all tests must pass for certification</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Is the expectation in SSWG that we should require production / development versions</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">FAPI requires production level certification</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">Q to WG: What do people need to certify? Is there a minimum set of events to demonstrate, etc.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Sean) Are we testing the SETs or the SSF spec? We have unit / implementation tests at Disney. We test how the system responds to receiving an event</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Steve) Is there traceability in the tests? How do you tie certification to the actual spec?</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Joseph) We link back specific tests to the specific parts of the spec</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Joseph) OIDC and FAPI have taken different approaches to certification. 
OIDC has defined different profiles, each of which point back to the spec</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Steve) We should consider certification when developing the spec in future. E.g. these three fields must be present.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Steve) It’ll be good to review the spec from a testability perspective, so that the spec becomes more concise.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Shayne) We’ve left out a couple of things from the spec - e.g. how do Tx and Rx trust each other. How would we deal with that in a test suite?</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Joseph) We could specify it in the certification, or we treat it as being out of scope and provide it offline</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Tim) Like in OIDC, we could keep some things out of scope. 
People could adopt the pattern used in the cert program, but they don’t have to in order to be certified</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Atul) Should we consider a basic interoperability exercise before getting into certification?</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Joseph) That could help identify issues in the spec and common pitfalls of implementations so that we can build the certification requirements along the way</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Atul) Can we limit the interop to specific use cases?</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Joseph) OIDC may have gone through such an exercise in the past. We should check with Mike Jones</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Joseph) UK open banking had a big interop exercise when the ecosystem went live and everyone found out issues</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Phil) There are 5 specs in play. SSF is different from OIDC. The specs that we need to have interop is around RFC 8935/36 (Push, Poll). From a certification perspective these are more important. Then we need to figure out the administration with SSF and then CAEP / RISC specs. The action that the individual endpoint takes when they receive an event should be out of scope</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Phil) What are the levels of certification from a security perspective? E.g. 
8935/36 have acknowledgement semantics that indicate specific actions</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Joseph) Any definition of a certification rests with the WG and not OIDF</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Joseph) Ask questions on the Slack channel. OIDF is going through a budget exercise right now</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Phil) When we certify OIDF specs they are building on other specs. SSF is unique in that it defines the administration of specs that belong in the IETF. The most important things to certify are not the OIDF specs but the RFCs (push and poll). First do push and poll work as expected, then can we administer the streams, and then the individual events. Can I manually set up a connection with e.g. Disney and send and receive events</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Tim) To me we need to do this in the context of OIDF. So we should not worry about certifying the IETF specs. We should certify its use in the SSF / CAEP / RISC context</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Steve) Agree with Phil (mostly). It’s too early to think about certification because we’re not stable on the specs. Like the idea of starting with some use cases. That will help us get concrete about what the points of friction are. 
Going through the specs from a certification point of view is appropriate at this time</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Atul) We need to identify what is required by participants to support the minimum required to solve a use-case</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Tim) This sounds like a part of a certification program</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Phil) I question whether there is any value to certifying what is in the token without certifying the push / poll part.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Tim) If you are certified for “SSF-Core” (made up name), and you support this deployment profile, then you are interoperable</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Tim) Certification and interop are not divergent. A hackathon can find kinks</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Steve) Both interop testing and certification are ways to discover limitations of the spec. I agree that interop testing may be the first thing to do</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Sean) Agree with Steve. This is very important. I don’t want an Azure API / Graph QL token. You need vendor interoperability testing first, which could be considered an informal certification. The hardest sell internally at Disney was whether this is vaporware or real. 
Vendor interop is huge to make this real</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Shayne) Circling back to the earlier question: Say a Transmitter wants to use OAuth and another Receiver wants to use Basic authentication, or some weird authn. How do we support the different things</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Sean) We had to use different implementations of authentication for various vendors</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Atul) Can we base the decision on how confusing / clear it is to end-customers?</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Sean) We must specify basics like you cannot do anonymous</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Phil) How you bootstrap security is going to become an interop pain point. We may need a secondary profile to define this</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Tim) One high-level decision point: Does this need to be 100% discoverability? The answer is probably no. We had this issue in FastFed. We need to agree upon some basic parameters. We should codify it.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Eric) What is the impetus to make it 100% interoperable? I don’t know what it impedes if we don’t specify everything</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Tim) Is it so bad if you do something proprietary? Probably not, but you need to support some minimum set of common authorization, e.g. 
OAuth for Authorization</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Sean) That’s not as prevalent as you think in businesses</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Tim) Do we expect internal components to get certified? Probably not.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Sean) I see companies being Transmitters more than vendors, so many more participants may be interested in certification</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Tim) It’s back to the use-cases.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Steve) Use case - you have two companies with deployments. Both companies want to exchange events. The certification lets companies know what to buy.</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Eric) How does this relate to whether we need to define how authorization works?</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Phil)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Sean) I don’t see the difference between this and a SAML IdP / SP configuration</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Eric) OAuth is a high bar in itself to implement. Exchanging a shared secret may be faster (e.g. 
an API key)</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Sean) Having multiple authentication mechanisms made things complex</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Eric) There could be a higher bar for certification</span></li><li class="gmail-" style="box-sizing:border-box;padding-top:0.25em"><span style="box-sizing:border-box">(Shayne) We said that certification should be on production implementations</span></li></ul><h2 class="gmail-part gmail-in-view" id="gmail-Action-Items" style="box-sizing:border-box;font-family:-apple-system,"system-ui","Segoe UI","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";line-height:1.25;color:rgb(51,51,51);margin-top:24px;margin-bottom:16px;padding-bottom:0.3em;border-bottom:1px solid rgb(238,238,238);letter-spacing:0.35px"><a class="gmail-anchor gmail-hidden-xs" href="https://hackmd.io/uWnsDRqiSlW8k0rg2F47GA?view#Action-Items" title="Action-Items" style="box-sizing:border-box;background-color:transparent;color:rgb(51,122,183);text-decoration-line:none;float:left;padding-right:4px;line-height:1"><span class="gmail-octicon gmail-octicon-link" style="box-sizing:border-box;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-weight:normal;font-stretch:normal;font-size:16px;line-height:1;font-family:octicons;display:inline-block;color:rgb(0,0,0);vertical-align:middle"></span></a><span style="box-sizing:border-box">Action Items</span></h2></div></span></div></div></div>