OpenID AB/Connect WG Meeting Notes (2020-09-10)

Date & Time: 2020-09-10 14:00 UTC

Location: https://global.gotomeeting.com/join/181372694

The meeting was called to order at 14:00 UTC.

1.   Roll Call

  • Attending: Nat, Filip, Tom, Markus, Kristina, George, John, Torsten, Kim, Joseph
  • Regrets:
  • Guest:

2.   Adoption of Agenda (Nat)

  • As the agenda was not circulated before the call, it was dynamically created and agreed.

3.   External organizations

3.1.   W3C Incubator community group and privacy community group (George)

George introduced his concern about the WebID proposal that was made to the W3C incubator community group as follows:

Google has officially contributed their web ID proposal into the W3C incubator community group. At a high level, the browsers want to intermediate identity flows and they want to intermediate identity flows because they want to be able to separate identity flows from ad tracking flows.

There's also sort of an underlying aspect in the sense of privacy where browsers want to be able to show the user all the places you're logged in and be able to do things like,

"Hey, you haven't visited CNN dot com, you know, for the last eight days, but you're currently logged in, you want to stay logged in?" and then if the user says no, they wipe cookies.

There are all sorts of implications if they wipe all the cookies effectively, including the trust cookies that tell us that this is a trusted browser where George has logged in for two hours logged in from before. This basically turns it into an untrusted browser, which may mean you have to do an extra challenge. And if these things get wiped every seven days, the user experience for login across the web goes down.

There is another concern: Web ID is really looking at this largely from the use by individual users, surfing the web, not from enterprise use cases or academic federation use cases or even large organizations that use standards for the first-party authentication across their properties.

This is going to affect all parties that use OpenID and SAML.

Thus, we need more identity people in the incubator community group to feed and add use cases and help people define.

To do so, a lot of us need to join the community group. They work through biweekly calls and GitHub issues.

Nat asked the callers to join the group and start feeding use-cases, etc.

3.2.   DIF (Kristina/Markus)

Kristina and Markus reported that not much is happening in terms of DID-SIOP as it is supposed to be moved here.

Torsten asked if the most current spec has the claims handling capability as the version that Pam sent did not. Kristina replied that it is under discussion but not yet.

4.   Events

4.1.   SC27 (Nat)

Starting this Saturday for a week. There is an opportunity to report our activity to them. If there is a specific item that you want to draw their attention to, please inform Tony Nadalin, the OIDF to SC27/WG5 Liaison officer, and Nat.

4.2.   FDX Dev Con (Nat)

22nd and 23rd. Nat is going to make a keynote presentation. Some announcement around OpenID is expected in the meeting.

5.   Drafts

5.1.   OpenID Self Issued Identifiers (Tom)

Tom told the group that he is not getting any feedback and asked why.

Nat and John told Tom that it is partly due to him not sending a copy of the document to the list, and thus the WG cannot comment on it due to IPR restrictions.

He previously sent the link to his document[1] on Aug. 27 but as Mike Jones, the secretary, pointed out in the last meeting, it does not work from the IPR PoV as the content may change at any time.

[1] https://github.com/KantaraInitiative/DistributedAssurance/blob/master/OpenID%20Self%20Issued%20Identifier.md

Tom promised to send the copy to the list.

Markus told Tom that if it needs to be taken up on the DIF side, it can be done as he is a co-chair there.

6.   Issues

6.1.   1182 Add logout_hint parameter to RP-Initiated Logout request (Mike)

The issue was discussed for over 30 minutes but no consensus was reached. The main topic was whether to include client_id as a request parameter so that the error can be returned to the RP and the RP can take appropriate action.

Mike Jones opposed the idea, arguing that adding a parameter will increase the number of combinations of possible parameters and will likely get less support from OPs, but Filip and George were not convinced.

Filip also proposed text in the issue that will be backwards compatible and yet allows the response to be returned to the RP.

John proposed a solution that requires prompting, and Filip said that it does not help him to load up the client and verify.

As it was approaching the end of the call, Nat intervened and asked to take the discussion either offline and report back to the WG or continue next week.

7.   AOB

N/A

The meeting was adjourned at 15:00 UTC.
