
OpenID AB/Connect WG Meeting Notes (2021-01-11)

The meeting was called to order at 23:05 UTC.

1.   Roll Call

  • Attending: Nat, John, Tom, Tobias, Brian, Edmund, Kristina, Vittorio, Tim, Kim, Bjorn
  • Regrets: Mike.
  • Guest:

3.   External Organizations

3.1.   DIF (Kristina/Tim)

  • Virtual F2F on Jan. 19.
  • Agenda will be finalized soon.
  • DID Auth will be presented at 8:00 PST
  • DIF is also interested in the eKYC group.
  • Will ask Don regarding Carin Alliance liaison status.

3.2.   W3C (Kristina/Tim/John/Mike/Tony)

Tony reported that WebAuthn Level 2 is a Candidate Recommendation.

Last week, the WebAuthn call discussed Progressive Web Apps (PWAs) as WebAuthn authenticators.

No one understood the use case and the discussion went nowhere. Discussion centered around the recharter for Level 3.

PWAs as WebAuthn authenticators do not make sense from a security perspective, but PWAs should be able to use WebAuthn authenticators.

Tobias: The Credential Handler API (CHAPI) polyfill facilitates verifiable credential presentations. It allows authentication and facilitates claims presentation.

Tim mentioned that CredMan is similar. CredMan is supposed to be a browser component that provides dereferencing for federated endpoints.

https://github.com/w3c/webauthn/issues/1514 - The request was translated as: somebody wants to make a WebAuthn authenticator that can live as a progressive web app and automagically register itself with the browser.

The Web Payments API can invoke WebAuthn to do transaction confirmation, authentication of well-structured payment information.

Whether this is something that the OIDC WG wants to pursue or not needs to be made clear to the WebAuthn group. Need to make sure that our requirements are going to be taken into account.

What is important is:

  1. PWAs being able to call the WebAuthn API as an authentication mechanism and/or encryption mechanism
  2. Discovery of the wallet

How does RP know what to ask for?

How to avoid the NASCAR problem?

John and Tim will follow up on the ticket or create a new ticket to make sure OIDC's requirements get communicated to WebAuthn.

4.   Special Calls Status

4.1.   SIOP Special calls (Kristina/Tim)

  • 20th - 10 PM UTC.
  • DIF members will also be attending.

4.2.   SIOP Draft Status

https://bitbucket.org/openid/connect/src/master/openid-connect-self-issued-v2-1_0.md

There were questions regarding scope, which were addressed in December.

WG has agreed to adopt the SIOP document.

4.3.   Bi-Weekly Web Browser Calls (Tim)

5.   PRs (Mike)

No PRs this week.

6.   Issues (Nat)

6.1.   #1196: SIOP Credential Wallet as a PWA (Kim)

Kim will discuss with Tom to work on a possible solution.

6.2.   #1198 - How does RP initiate SIOP request?

Native apps use openid://

PWAs need browser involvement. Discovery is needed; otherwise there will be a NASCAR problem.

Kristina recommended closing the issue and creating a new issue for registration.

Discovery is a major problem. Will need to talk with browser people.

Tobias will attend the WebAuthn calls and report.

The RP shouldn’t be told everything about the user in an unsecured environment.

The RP sends a request and the user/user agent decides how to respond to discovery.

RPs also don’t know whether the user has the authenticators that they need.

There needs to be a balance between RPs wanting to control the optimal experience and user privacy.

One suggestion was for RPs to somehow indicate which trust framework they belong to and the browser intermediates to provide a choice.

There will be 2 components:

  1. Indication of the RP's trust framework
  2. Invoking something in the browser (e.g. openid://)

Need a universal way for end users to register providers that respond to redirects locally and respond back to apps.

Ideally, this would be something that is not specific to SIOP. The credential manager was supposed to handle this.

CHAPI already does a credential handler using polyfills.

The browser Payment Handler API has essentially solved the discovery problem but is no longer supported due to an unsuitable methodology for web payments.

7.   AOB

  • Federation Interop
  • Next meeting: January 18, 2021.

The meeting was adjourned at 24:01 UTC.