connect / Connect_Meeting_Notes_2021-08-10_Pacific

OpenID AB/Connect WG Meeting Notes (2021-08-10)

The meeting was called to order at 15:05 UTC.

1.   Roll Call

  • Attending: Nat, Tom, Vittorio, Jeremie, Edmund, Tim, Domingos, Kristina, Tobias, David
  • Guest:

3.   External Orgs

3.1.   DIF (Kristina)

  • There is a PE/OIDF call in DIF this Wednesday.

3.2.   W3C Fed ID CG (Tim)

The W3C Fed ID working group now has a meeting schedule, alternating biweekly between Pacific- and European-friendly time zones. The calendar invites went to the list today.

4.   Events

4.1.   EIC (Nat)

  • Vittorio, Tim, Kristina, and Nat are coming.

5.   Account Chooser

  • Tom asked if AccountChooser.com can be repurposed for SIOP.
  • There seems to be some ...
  • In the case of SIOP Chooser, the domain needs to maintain the list of SIOP that the RP trusts.

6.   PRs (Nat)

6.1.   PR 22: Issue #1244 Correct the schema property's value within the PE Definition

Four people approved it, but Jeremie is still reviewing it. To be discussed in the next SIOP call.

7.   Issues (Nat)

7.1.   #1027: Write a Self-issued IdP (SI-IdP) Best Practice document (Nat)

  • #1027
  • DID WG was talking about it this morning.
  • Apple and Google are adding software backup using keychain. This could change the security posture, which is yet to be evaluated.
  • Second key is bound to the context:
  • W3C IRC log: https://www.w3.org/2021/06/16-webauthn-irc

7.2.   #1010: Create a Threat Document about the Misuse of OAuth

Tom provided an example of a code of conduct that uses self-attested statements in US Healthcare. It is planned to push forward with a required audit in the near future. This solution applies only to federations. The Open Web is another issue altogether. https://www.carinalliance.com/our-work/trust-framework-and-code-of-conduct/

7.3.   #1248: Should _claim_sources member format (currently only JWT) be expanded?

The sentiment of the Call on 2021-06-22 is that:

  • the formats should be expanded to include things like X.509, CWT, etc.
  • the formats must be integrity protected.

Microsoft has a wrapping format for JWT for ZKP for U-Prove, Idemix, etc., so Mike may be able to provide a reference to it.

7.4.   #1249: Find less confusing names for actors in Aggregated Claims model

Authoritative Claims Provider (ACP) and Intermediary Provider (IP) were suggested and provisionally agreed to. The draft is to be amended accordingly.

7.5.   #1246: Binding of claims and presentation and OP

Callers agreed that it does not have to be a direct binding, but there needs to be a requirement that there MUST be binding, whether direct or indirect.

8.   AOB

iGov WG Token Binding is dead.

The meeting was adjourned at 00:02 UTC.