
OpenID AB/Connect Call Note (2019-01-07)

Date: 2019-01-07 23:00 UTC

Location: GoToMeeting https://www3.gotomeeting.com/join/695548174

The meeting was called to order at 23:04 UTC.

1.   Roll Call

  • Present: Nat, Brian, Edmund, Filip, George, John, Bjorn, Rich
  • Regrets:

2.   Adoption of the agenda

  • Removed "Status of Errata" as Mike was not available.

3.   Topics from the mailing list and previous calls

3.2.   Does anyone know of any implementations of self-issued id (Tom Jones)

3.3.   Native SSO specs (George)

  • It's a way to do SSO for native apps from the same company using a backchannel mechanism.
  • Basically, it allows the Authorization Server to issue a device instance "secret" that is placed in a shared keystore, together with a context that is referenced by the ID Token.
  • When doing SSO for a user into another app on the same device, the second app sends the ID Token from the first app, bound with the shared secret.
  • SSO is only possible on that device.
  • The first app requests a new scope that returns the secret.
  • The second app sends the device secret to obtain a new access token.
  • George to send the draft to the list. Nat will ask the WG whether there is any objection to adopting it as new work.
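As an added illustration (not part of these notes, nor text from the draft George will circulate), the following Python sketch walks through the flow described above: app A asks for an extra scope and receives a device secret alongside its ID Token, both go into the device's shared keystore, and app B on the same device presents that pair to obtain its own access token. The scope name device_sso, the device_secret response field, the ds_hash claim and the "same company" grouping are assumed names for this example; the HMAC-signed token stands in for a real JWS ID Token.

```python
"""Native SSO sketch: AS issues a device secret to app A; app B on the same
device redeems A's ID Token plus the device secret for its own token.
Added example; scope/field/claim names are assumptions, not the draft's."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def ds_hash(device_secret: str) -> str:
    # Assumed binding: base64url(SHA-256(device_secret)), carried in the ID Token.
    return b64url(hashlib.sha256(device_secret.encode()).digest())


class AuthorizationServer:
    def __init__(self, key: bytes, app_groups: dict):
        self.key = key                  # HMAC key standing in for the OP's signing key
        self.app_groups = app_groups    # client_id -> owning company; SSO only within a group
        self.device_secrets = {}        # ds_hash -> {"sub": ..., "revoked": bool}

    def _sign(self, claims: dict) -> str:
        body = b64url(json.dumps(claims, sort_keys=True).encode())
        tag = b64url(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return body + "." + tag

    def _verify(self, token: str) -> dict:
        body, _, tag = token.partition(".")
        expected = b64url(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("bad ID Token signature")
        return json.loads(b64url_decode(body))

    def issue_tokens(self, client_id: str, sub: str, scopes: set) -> dict:
        """Token response for the first app; the device_sso scope adds a device secret."""
        claims = {"iss": "https://as.example", "sub": sub, "aud": client_id,
                  "iat": int(time.time())}
        resp = {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}
        if "device_sso" in scopes:
            ds = secrets.token_urlsafe(32)
            claims["ds_hash"] = ds_hash(ds)
            self.device_secrets[claims["ds_hash"]] = {"sub": sub, "revoked": False}
            resp["device_secret"] = ds
        resp["id_token"] = self._sign(claims)
        return resp

    def sso_exchange(self, client_id: str, id_token: str, device_secret: str) -> dict:
        """Second app on the same device presents app A's ID Token plus the device secret."""
        claims = self._verify(id_token)
        bound = claims.get("ds_hash")
        if bound is None or not hmac.compare_digest(bound, ds_hash(device_secret)):
            raise PermissionError("device secret is not the one bound to this ID Token")
        rec = self.device_secrets.get(bound)
        if rec is None or rec["revoked"] or rec["sub"] != claims["sub"]:
            raise PermissionError("unknown or revoked device secret")
        if (self.app_groups.get(client_id) is None
                or self.app_groups[client_id] != self.app_groups.get(claims["aud"])):
            raise PermissionError("apps do not belong to the same company")
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                "sub": claims["sub"], "aud": client_id}

    def revoke_device(self, device_secret: str) -> None:
        """Logout from any app on the device ends SSO for all of them."""
        rec = self.device_secrets.get(ds_hash(device_secret))
        if rec:
            rec["revoked"] = True


def demo() -> tuple:
    az = AuthorizationServer(b"demo-hmac-key",
                             {"app-a": "acme", "app-b": "acme", "other": "rival"})
    first = az.issue_tokens("app-a", "alice", {"openid", "device_sso"})
    # Shared keystore on the device (e.g. Keychain access group / Android AccountManager)
    keystore = {"id_token": first["id_token"], "device_secret": first["device_secret"]}
    second = az.sso_exchange("app-b", keystore["id_token"], keystore["device_secret"])
    # An ID Token copied off the device without the device secret is useless for SSO.
    try:
        az.sso_exchange("app-b", keystore["id_token"], secrets.token_urlsafe(32))
        stolen_works = True
    except PermissionError:
        stolen_works = False
    return second, stolen_works
```

The point of the check in sso_exchange is that the ID Token alone is not enough: the AS compares the presented device secret against the hash bound into the token, refuses secrets it never issued or has revoked, and only serves clients registered under the same owner as the token's audience.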

4.   Internal Liaisons

  • We will discuss whether there is any report from the other WGs.

4.2.   FAPI (Nat)

  • We are starting a CIBA profile for FAPI.
  • Asked Torsten to write a technical white paper on security issues in related protocols.
  • Nat made a call for adoption of it as the basis for a technical report.

4.5.   iGov (John)

  • Starting the Implementer's Draft vote at the end of the week.
  • Received some feedback from Torsten for the next draft.

4.6.   Modrna (Bjorn/John)

  • Completed the update of the CIBA core spec.
  • The announcement for the I-D will go out on Jan 14.
    • A few issues came up during the public review.
  • The game plan for the new year is to complete the MODRNA profile for CIBA, bring the authentication work to final, then the discovery profile.
  • Will discuss the process for introducing changes on the next call.

5.   Other organizations

5.1.   IETF: OAuth WG (Mike/John)

  • Implicit flow.
  • Rotation of refresh tokens after each call for a new access token.
  • George asked how many AS implementations rotate refresh tokens on every access token call.
  • Torsten is trying to find the best practice for this.
  • Some implementations can; Ping's is disabled by default now.
  • How to detect replay from an inappropriate source? With multiple servers touching and reading the same refresh token and each updating it independently, a synchronization issue results.
  • Not an issue for a single application in a single user's browser; it becomes an issue of rotating tokens for specific types of clients.
  • On unreliable networks, a device makes a refresh call, the AS processes the request and issues a new refresh token, but the client never receives it.
  • Consensus was reached on the mailing list with text. Torsten published another draft stating it shouldn't be done unless certain conditions are met.
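As an added illustration of the two problems raised above (not part of these notes or of Torsten's draft), here is a Python sketch of an AS-side refresh token store that rotates on every use, treats reuse as a replay and revokes the whole token family, and keeps a short grace window so that a client whose response was lost on an unreliable network can retry with the old token and receive the same successor. The grace window, the family concept and the 30-second value are design choices of this example, not anything the call agreed on.

```python
"""Refresh token rotation with replay detection and lost-response recovery.
Added example; the grace-window policy is an assumption of this sketch."""
import secrets
import time

GRACE_SECONDS = 30   # assumed retry window; tune to the client's network timeout


class RefreshTokenStore:
    """Single authoritative store. With several AS nodes, the 'mark as used'
    step must be an atomic compare-and-set on shared state, otherwise two
    nodes can each rotate the same token (the synchronization issue above)."""

    def __init__(self, clock=time.time):
        self.clock = clock           # injected so tests can move time deterministically
        self.tokens = {}             # refresh_token -> record
        self.revoked_families = set()

    def issue(self, client_id: str, sub: str, family=None) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client": client_id, "sub": sub,
                              "family": family or secrets.token_hex(8),
                              "used_at": None, "successor": None}
        return token

    def refresh(self, client_id: str, token: str) -> dict:
        rec = self.tokens.get(token)
        if rec is None or rec["client"] != client_id or rec["family"] in self.revoked_families:
            raise PermissionError("invalid_grant")
        now = self.clock()
        if rec["used_at"] is None:
            # Normal path: consume this token and rotate to a successor in the same family.
            rec["used_at"] = now
            rec["successor"] = self.issue(client_id, rec["sub"], rec["family"])
            return {"access_token": secrets.token_urlsafe(16), "refresh_token": rec["successor"]}
        successor = self.tokens[rec["successor"]]
        if now - rec["used_at"] <= GRACE_SECONDS and successor["used_at"] is None:
            # Same token again, quickly, and nobody has spent the successor yet: most
            # likely the first response was lost. Re-send the same successor instead
            # of minting another one, so the client ends up holding the live token.
            return {"access_token": secrets.token_urlsafe(16), "refresh_token": rec["successor"]}
        # Reuse after the window, or after the successor was already spent: two parties
        # hold copies of this token. Revoke the whole family so both lose access.
        self.revoked_families.add(rec["family"])
        raise PermissionError("refresh token replay detected; token family revoked")


def demo() -> dict:
    """Constructed scenario: a retry after a lost response, then a late replay."""
    now = [1_000_000]
    store = RefreshTokenStore(clock=lambda: now[0])
    rt0 = store.issue("mobile-app", "alice")
    first = store.refresh("mobile-app", rt0)
    now[0] += 5                      # client timed out and retries with rt0
    retry = store.refresh("mobile-app", rt0)
    now[0] += 600                    # much later, a stolen copy of rt0 is replayed
    try:
        store.refresh("mobile-app", rt0)
        late_replay_accepted = True
    except PermissionError:
        late_replay_accepted = False
    try:
        store.refresh("mobile-app", first["refresh_token"])   # legitimate holder is cut off too
        family_alive = True
    except PermissionError:
        family_alive = False
    return {"retry_got_same_successor": retry["refresh_token"] == first["refresh_token"],
            "late_replay_accepted": late_replay_accepted,
            "family_alive": family_alive}
```

The trade-off is explicit in the code: inside the grace window an attacker who captured the old token and wins the race gets the successor, so the window should be as short as the client's retry behaviour allows, and the check that the successor is still unused closes the window early once the real client has moved on.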

5.2.   IETF: Token Binding WG (John)

  • Reverse proxy and TLS 1.3 negotiation.
  • Nobody seems to be interested in 0-RTT.
  • General prognosis for Token Binding:
    • Microsoft is not removing it from the core system.
    • Microsoft is now on the Chromium team, so we will see. The intent is that Microsoft will support it in Chromium and make it available for OS X and other Chromium platforms under the Edge badge.
    • Mozilla will probably support it.
  • Google's cookie syncing would be harmed by Token Binding, and it has been removed from Chrome.
  • Some positive discussion with Apple as well. Their main concern is privacy; thus, it is unlikely that 0-RTT will be allowed.

5.3.   WebAuthn (FIDO/W3C) (John)

  • WebAuthn is progressing in Safari. It only supports CTAP2.

5.5.   ISO (Nat/Tony)

  • Next SC 27 meetings are in the beginning of April.

6.   Events (Nat)

6.1.   5 years anniversary of OpenID Connect (Nat)

  • Feb. 26 marks the 5-year anniversary of OIDC Core etc.
  • OIDF-J plans to hold an event for it in Tokyo (Feb. 25) and Fukuoka (Feb. 28).
  • Any other locations celebrating it?

6.3.   OAuth Security Workshop (Torsten)

  • March 20 - 22. Links seem to be stale. New information needed.

6.5.   Others

  • April 29: IIW WS.
  • May 14 - 17: EIC.

7.   Issues from the tracker

7.1.   #1059: Core makes "aud" in request object optional unexpectedly (Joseph)

  • The reason was to support static request objects used by devices with limited resources, so that one object can be used with multiple RPs.
  • The issue arose from OpenBanking wanting to always require 'aud'. It would be a breaking change.
  • Tighten it up in profiles.

7.2.   #1058: sector_identifier_uri should have a /.well-known/ path (James)

  • It would be a breaking change.
  • A new document on sector identifiers for multi-tenant deployments is probably needed.
  • A sector identifier can include a path. We went wrong in not specifying that it should be the entire path rather than just the host.
  • Not sure whether including .well-known works.
  • See Section 8.1 of Core.
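As an added illustration of why the host-only rule matters (not part of these notes or of Core 8.1's text), the Python sketch below derives a sector identifier the way Core 8.1 describes (sector_identifier_uri if registered, otherwise the single host shared by the redirect_uris) and compares it with the path-including variant raised in #1058. The hashing step follows the illustrative calculation in Core 8.1 (sector identifier, local account identifier and a salt); the salt value, the delimiter, the tenant URLs and the helper names are assumptions of this example.

```python
"""Pairwise sub derivation: host-only sector identifier vs. host+path.
Added example; salt, delimiter and tenant URLs are constructed."""
import hashlib
from urllib.parse import urlparse

OP_SALT = b"assumed-per-op-secret-salt"   # per-OP salt, kept secret by the OP


def sector_identifier(client: dict, include_path: bool = False) -> str:
    """Core 8.1: use sector_identifier_uri if registered, otherwise the
    redirect_uris, which must then all share one host. include_path=False is
    the host-only rule as written; True adds the sector_identifier_uri path
    (the #1058 variant; with redirect_uris only it still yields the host)."""
    if client.get("sector_identifier_uri"):
        uris = [client["sector_identifier_uri"]]
    else:
        uris = client["redirect_uris"]
    parsed = [urlparse(u) for u in uris]
    hosts = {p.hostname for p in parsed}
    if len(hosts) != 1:
        raise ValueError("redirect_uris span several hosts; register a sector_identifier_uri")
    host = hosts.pop()
    if include_path and client.get("sector_identifier_uri"):
        return host + parsed[0].path
    return host


def pairwise_sub(sector: str, local_account_id: str) -> str:
    # Core 8.1's illustrative calculation: hash sector identifier, local account
    # id and salt. A delimiter is added here so "ab"+"c" and "a"+"bc" differ.
    material = sector.encode() + b"\x00" + local_account_id.encode() + b"\x00" + OP_SALT
    return hashlib.sha256(material).hexdigest()


# Two tenants of one SaaS host, each with its own sector_identifier_uri (constructed).
TENANT_A = {"redirect_uris": ["https://apps.example.com/tenant-a/cb"],
            "sector_identifier_uri": "https://apps.example.com/tenant-a/sector.json"}
TENANT_B = {"redirect_uris": ["https://apps.example.com/tenant-b/cb"],
            "sector_identifier_uri": "https://apps.example.com/tenant-b/sector.json"}


def tenants_can_correlate(include_path: bool, local_account_id: str = "alice") -> bool:
    """True if tenant A and tenant B receive the same pairwise sub for one user,
    i.e. the two tenants can join their user records on it."""
    sub_a = pairwise_sub(sector_identifier(TENANT_A, include_path), local_account_id)
    sub_b = pairwise_sub(sector_identifier(TENANT_B, include_path), local_account_id)
    return sub_a == sub_b
```

With the host-only rule both tenants resolve to apps.example.com and therefore get identical pairwise subs, which is exactly the correlation pairwise identifiers are meant to prevent; including the sector_identifier_uri path separates them.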

7.3.   #1057: OIDC appears to override single-use nature of auth code in RFC6749 (Joseph)

  • Brian and Mike have responded in the ticket and Joseph is OK with it.
  • Some people use the code as a state mechanism.
  • Close the ticket.

7.4.   #1056: Use of id_token in RP-Initiated Logout as the id_token_hint (Rasitha)

  • Add POST support for the endpoint so that URL length will not be an issue.
  • Someone should create a pull request.

8.   AOB

  • FIDO man-in-the-middle blog post (George)

8.1.   Topics for the next call:

  • Status of errata
  • #1055: Limits on overall url length (Joseph)
  • #1054: Do a survey on the revision of the OIDC (Nat)
  • #1053: Impact of ITP2 on implicit flows (George)
  • #1052: make clear that nonce is always required for Hybrid flows (Hans/Brian)

The call closed at 00:02 UTC.
