OpenID AB/Connect WG Meeting Notes (2021-08-12)

The meeting was called to order at 14:05 UTC.

1.   Roll Call

  • Attending: Filip Skokan, Tom Jones, David Chadwick, Nat Sakimura, David Waite, Tim Cappalli, Pawel Kowalik, Jeremie Miller, Kristina Yasuda, Adam Lemmon, Chandon, Edmund Jay, Torsten Lodderstedt, John Bradley
  • Regrets: Mike
  • Guest: Andre Barnard (Singular Systems)

2.   Adoption of Agenda (Nat)

  • This call is dedicated to the Federation draft.

3.   Events (Nat)

3.1.   EIC (Nat)

We, as a WG, will be presenting on Sept. 13 at EIC. We need to come up with a presentation. If you have specific talking points, please chime in on issue #1275.

There are a bunch of people attending EIC from this WG.

  • On-site: Nat, Torsten, Mike, Tim, Kristina
  • Virtual: David C.

4.   External Organizations

4.1.   ISO/SC17/WG10 (Kristina)

Preparing to send out a liaison request with Mike L.

4.2.   W3C

DID Core is going through voting.

5.   PRs

5.1.   PR39: merging CP into CA

Agreed to the following:

  1. File the issues for each comment provided in the PR.
  2. Merge the PR.
  3. Immediately follow up with the issues filed in 1. The highest priority is to decide on how to express the "credential type" (e.g., VC, Signed Claimset, etc.) requested in the claims request.

6.   Issues

6.1.   #1268: Issues in the comment PR 34 by Torsten

The WG agreed to split this issue into individual issues so they can be tracked separately.

6.1.1.   Section 2.2 bullet 1

The draft is missing a parameter to determine the credential type. This is important to allow OPs to support multiple credentials, e.g. a bank could issue identity and credit score credentials, without the need to set up different issuers.

=> Will be filed as Blocker

6.1.2.   Section 2.2 bullet 2

"Public private key pairs are used by a requesting Credential Holder to establish a means of binding to the resulting credential. A Credential Holder making a Credential Request to a Credential Issuer must prove control over this binding mechanism during the request, this is accomplished through the extended usage of a signed request defined in OpenID Connect Core." Does this mean the holder can prove control using a signed authentication request? If so, why isn't the credential provided in the token response?

Adam replied that the currently proposed mechanism is to include the identifier that is bound to the key pair in the request and sign the request using the signing key in the key pair. David C and John B agreed that would work.

Then Jeremie pointed out that this will not work for the ZKP/BBS+ case and explained how it could work.

Apparently, more than two mechanisms need to be supported, and potentially we need an extension point for further expansion.

This issue will be discussed in a new, separate ticket.

7.   AOB

Please vote (even an abstention will work) in the CIBA Core and SSE votes.

The meeting was adjourned at 15:02 UTC.