<div dir="ltr"><div dir="ltr">Hi all, here are the notes from today's call. They are also stored <a href="https://hackmd.io/@oidf-wg-sse/wg-meeting-20250506">here</a>.<div><br></div><div>Atul</div><div><br></div></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span><div dir="ltr" style="margin-left:0pt" align="left"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Poppins,sans-serif;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline">Atul Tulshibagwale</span></p><p dir="ltr" style="line-height:1.5;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Poppins,sans-serif;color:rgb(102,102,102);background-color:transparent;vertical-align:baseline">CTO</span></p><br></div><div dir="ltr" style="margin-left:0pt" align="left">--</div><div dir="ltr" style="margin-left:0pt" align="left"><h1 class="gmail-part" id="gmail-WG-Meeting-2025-05-06">WG Meeting: 2025-05-06</h1><h2 class="gmail-part" id="gmail-Agenda"><a class="gmail-anchor gmail-hidden-xs" href="#Agenda" title="Agenda"><span class="gmail-octicon gmail-octicon-link gmail-ph gmail-ph-link-simple-horizontal"></span></a>Agenda</h2><ul class="gmail-part">
<li class="gmail-">Using the term "wildcard" in complex subject examples. <a href="https://github.com/openid/sharedsignals/pull/251" target="_blank" rel="noopener">PR</a>, <a href="https://github.com/openid/sharedsignals/issues/197" target="_blank" rel="noopener">Issue</a></li>
<li class="gmail-"><a href="https://datatracker.ietf.org/doc/draft-tulshibagwale-saag-pushpull-delivery/" target="_blank" rel="noopener"><span class="gmail-ui-comment-inline-span">Pushpull draft</span></a> review in IETF SAAG.</li>
<li class="gmail-">Issuing the "Working Group Last Call"</li>
<li class="gmail-">Push delivery authorization</li>
<li class="gmail-">Authorization for "well-known" URL</li>
</ul><h2 class="gmail-part" id="gmail-Attendees"><a class="gmail-anchor gmail-hidden-xs" href="#Attendees" title="Attendees"><span class="gmail-octicon gmail-octicon-link gmail-ph gmail-ph-link-simple-horizontal"></span></a>Attendees</h2><ul class="gmail-part">
<li class="gmail-">Apoorva Deshpande (Okta)</li>
<li class="gmail-">Shayne Miel (Cisco)</li>
<li class="gmail-">Atul Tulshibagwale (SGNL)</li>
<li class="gmail-">Tushar Raibhandare (Google)</li>
<li class="gmail-">Martin Gallo (independent)</li>
<li class="gmail-">Mike Kiser (SailPoint)</li>
<li class="gmail-">Yair Sarig (Omnissa)</li>
<li class="gmail-">Jen Schreiber (Workday)</li>
<li class="gmail-">Brian Soby (AppOmni)</li>
<li class="gmail-">Thomas Darimont (OIDF)</li>
<li class="gmail-">George Fletcher (Practical Identity LLC)</li>
<li class="gmail-">Stan Bounev (VeriClouds)</li>
<li class="gmail-">Sean O'Dell (Disney)</li>
</ul><h2 class="gmail-part" id="gmail-Notes"><a class="gmail-anchor gmail-hidden-xs" href="#Notes" title="Notes"><span class="gmail-octicon gmail-octicon-link gmail-ph gmail-ph-link-simple-horizontal"></span></a>Notes</h2><h3 class="gmail-part" id="gmail-Wildcards"><a class="gmail-anchor gmail-hidden-xs" href="#Wildcards" title="Wildcards"><span class="gmail-octicon gmail-octicon-link gmail-ph gmail-ph-link-simple-horizontal"></span></a>Wildcards</h3><ul class="gmail-part gmail-in-view">
<li class="gmail-">(Apoorva) Supportive of the change, but the word "wildcard" might be confusing, because it doesn't follow the typical wildcard characters (e.g. "*")</li>
<li class="gmail-">(Shayne) It looks like Sean resolved them, but I'll reopen them.</li>
<li class="gmail-">(Shayne) How do you feel about leaving the word wildcard in at the top (where we describe the behavior)?</li>
<li class="gmail-">(Shayne) People might be searching for the word wildcard, so we should keep the word somewhere. E.g. keep it in the description, but take it out of the individual examples</li>
<li class="gmail-">(Apoorva) We're specifying examples for contentious claims?</li>
<li class="gmail-">(Shayne) It's not contentious because it is not ambiguous, it is specified clearly in the spec, but we're clarifying the usage in examples</li>
<li class="gmail-">(Apoorva) It is contentious if the claims conflict with each other</li>
<li class="gmail-">(Atul) I don't believe there is a conflict anywhere</li>
<li class="gmail-">(Apoorva)</li>
<li class="gmail-">(Mike) I've been asked "How do I specify a group of identities". I agree that the word "wildcard" is confusing. The way the spec works, if you don't specify something it is like a wildcard (i.e. it matches everything).</li>
<li class="gmail-">(Yair) I understand Apoorva's point, because I also was looking for the wildcard characters. This is more like partial specification of the subject.</li>
<li class="gmail-">(Yair) I can see it go both ways - it might be called wildcard, or not.</li>
<li class="gmail-">(Apoorva) I agree that the description sentence on line 318 can say "wildcard" as it does right now, but remove it from everywhere else.</li>
</ul><h3 class="gmail-part gmail-in-view" id="gmail-Pushpull-draft"><a class="gmail-anchor gmail-hidden-xs" href="#Pushpull-draft" title="Pushpull-draft"><span class="gmail-octicon gmail-octicon-link gmail-ph gmail-ph-link-simple-horizontal"></span></a>Pushpull draft</h3><h3 class="gmail-part gmail-in-view" id="gmail-Issue-WGLC"><a class="gmail-anchor gmail-hidden-xs" href="#Issue-WGLC" title="Issue-WGLC"><span class="gmail-octicon gmail-octicon-link gmail-ph gmail-ph-link-simple-horizontal"></span></a>Issue WGLC</h3><ul class="gmail-part gmail-in-view">
<li class="gmail-">(Tushar) The <a href="https://github.com/openid/sharedsignals/issues/249" target="_blank" rel="noopener">flow control issue</a> could be addressed before v1Final</li>
</ul><h3 class="gmail-part gmail-in-view" id="gmail-Flow-control-issue"><a class="gmail-anchor gmail-hidden-xs" href="#Flow-control-issue" title="Flow-control-issue"><span class="gmail-octicon gmail-octicon-link gmail-ph gmail-ph-link-simple-horizontal"></span></a>Flow control issue</h3><ul class="gmail-part gmail-in-view">
<li class="gmail-">(Apoorva) Is it a blocker?</li>
<li class="gmail-">(Tushar) Implementations can define their own behavior, so it doesn't block.</li>
<li class="gmail-">(Yair) We have a "stream disabled", so there is no real requirement for pause. So if the events are paused, then you don't know how many events the transmitter is going to retain. So without defining this behavior we are making the behavior of "pause" unreliable</li>
<li class="gmail-">(Sean) Use-case for pause: You are going through massive HR changes, and you don't want to flood the streams with events</li>
<li class="gmail-">(Sean) This is also important for reconciliation: how many events do you keep in the stream when it is paused?</li>
<li class="gmail-">(Shayne) I don't think we want to specify the number, but the proposal is that there should be a way to communicate what the limit is.</li>
<li class="gmail-">(Yair) There are two conditions: Receiver not keeping up, or the stream is paused.</li>
<li class="gmail-">(Tushar) Yes, there are two sides:
<ul>
<li class="gmail-">I'm a receiver, and I can only handle so many events</li>
<li class="gmail-">I'm a receiver and I'd like to tell the receiver in terms of time or amount of data / number of events that I'll be holding</li>
</ul>
</li>
<li class="gmail-">(Apoorva) This also has SLA / SLO implications, and may not be easy to implement</li>
<li class="gmail-">(Brian) In terms of buffer, people can have total size, which may not be useful to the receiver, so practically it might not be useful</li>
<li class="gmail-">(Tushar) What if a Transmitter has higher-lower priority events?</li>
<li class="gmail-">(Tushar) So the configuration could be per-stream to address the priority issue</li>
<li class="gmail-">(Yair) This is what happened in draft-2 and we are still kicking the can down the road.</li>
</ul><h3 class="gmail-part gmail-in-view" id="gmail-Push-delivery-authorization"><a class="gmail-anchor gmail-hidden-xs" href="#Push-delivery-authorization" title="Push-delivery-authorization"><span class="gmail-octicon gmail-octicon-link gmail-ph gmail-ph-link-simple-horizontal"></span></a>Push delivery authorization</h3><ul class="gmail-part gmail-in-view">
<li class="gmail-">(Mike) The spec says that authorization is optional for push delivery. Is everyone OK with that?</li>
<li class="gmail-">(Yair)</li>
<li class="gmail-">(Shayne) One reason to require an authorization header is to make it easier to defend against DoS attacks</li>
<li class="gmail-">(Shayne) Security policy may dictate all endpoints need authorization</li>
</ul><h3 class="gmail-part gmail-in-view" id="gmail-Can-the-well-known-URL-be-protected-or-does-it-need-to-be-unprotected"><a class="gmail-anchor gmail-hidden-xs" href="#Can-the-well-known-URL-be-protected-or-does-it-need-to-be-unprotected" title="Can-the-well-known-URL-be-protected-or-does-it-need-to-be-unprotected"><span class="gmail-octicon gmail-octicon-link gmail-ph gmail-ph-link-simple-horizontal"></span></a>Can the "well known" URL be protected or does it need to be unprotected</h3><ul class="gmail-part gmail-in-view">
<li class="gmail-">(Mike) People are asking about this</li>
<li class="gmail-">(Yair) There is no requirement to be unprotected. (We discussed this earlier)</li>
<li class="gmail-">(Yair) The well-known spec also doesn't require it to be unprotected.</li>
<li class="gmail-">(Apoorva) If it is protected then there has to be a handshake even before the metadata is obtained</li>
<li class="gmail-">(Atul) The SGNL implementation has the well-known URL protected</li>
</ul><h2 class="gmail-part gmail-in-view" id="gmail-Action-Items"><a class="gmail-anchor gmail-hidden-xs" href="#Action-Items" title="Action-Items"><span class="gmail-octicon gmail-octicon-link gmail-ph gmail-ph-link-simple-horizontal"></span></a>Action Items</h2></div></span></div></div></div>