2024 04 22 Meeting Notes

Tim Cappalli edited this page Apr 29, 2024 · 1 revision

2024-04-22 (A Call)

Organizer: Tim Cappalli

Scribe: Heather Flanagan

Agenda

  • Administrivia
    • B call rescheduled starting 5/1
  • Intros from new folks
  • Updates from incubation
    • Anyone from Chromium or WebKit have any updates?
    • Anyone prototyping with their wallet or verifier?
  • Federated Identity WG charter update
  • IIW Debrief
  • OpenID DCP F2F summary (notes)
  • Any updates or takeaways from recent PING meeting?
  • Updated explainer
  • Please review and add comments:
    • Tradeoffs of being more or less conservative in DC API velocity (#106)
    • Managing request format extensibility without sacrificing security (#102)
  • AOB

Attendees

  • Heather Flanagan (Spherical Cow Consulting)
  • Tim Cappalli (Okta)
  • Nick Doty (CDT)
  • Loffie Jordaan (AAMVA)
  • Chris Needham (BBC)
  • Joseph Heenan (Authlete/OIDF)
  • Brian Campbell (Ping)
  • Hicham Lozi (Apple)
  • Rick Byers (Google Chrome)
  • Helen Qin (Google / Android)
  • Benjamin VanderSloot (Mozilla)
  • Ted Thibodeau (he/him) (OpenLink Software)
  • Lee Campbell (Google / Android)
  • Andrew Regenscheid (NIST)
  • Ryan Galluzzo (NIST)
  • Manu Sporny (Digital Bazaar)
  • John Bradley (Yubico)
  • Gail Hodges (OIDF)
  • Oliver Terbu (MATTR)
  • Anil John (DHS)
  • Jin Wen (Nok Nok Labs)
  • Martijn Haring (Apple)

Notes

Administrivia

Reminder: B call rescheduled starting 5/1

Intros from new folks

Chris Needham (BBC)

Updates from incubation

Anyone from Chromium or WebKit have any updates?

did show a bunch of stuff during IIW. Will look for people that took video to re-share. Will also put on the agenda for a future meeting to replicate the demos.

Anyone prototyping with their wallet or verifier? n/a

Federated Identity WG charter update

  • New proposed charter text is in. Currently out for review in the normal W3C process (6 weeks of review). Please comment on the issue if you have questions/comments/concerns.
  • Link to diff from the original charter here.
  • Will the Digital Credentials work move immediately? That’s up to this group and the WG to ask that question and get consensus on the timing.
  • If your organization is not a member of the W3C, please let chairs know or put your name at the bottom of this agenda so we can either discuss how to get your organization to join OR how to get you involved as an Invited Expert
    • Reminder: anyone can add comments, create issues, review notes; membership is only required for joining live meetings and submitting PRs.

IIW Debrief

  • Notes from the FedIDWG + Digital Credentials session will be in the final notes; you can see them here now.
  • (Lee) There was a demo of the digital credentials work with a Google/Apple cross-device use case; the demo was received very well. Used the digital credentials work, the FIDO hybrid flow, using all expected APIs. Goal was to demo phishing-resistant, cross-device flows. Used the preview protocol, but could have used anything. Local use case used OpenID4VP. Will coordinate when to do that demo on one of the WICG calls.
  • (Lee) Also demoed locally live through Chrome and with a native Android app using the same two parameters as the web flow.
  • (Lee) Lots of questions about the timeline. People saw value in this over the custom URL schemes.
  • (Torsten) were able to come to alignment regarding the OpenID4VP profile that we’re proposing to use for the Digital Credentials API. There is a PR in the OpenID4VP DCP working group now.
  • (Oliver) did a session on simplification of presentation exchange with Tobias and Kristina; we have a good proposal on how to simplify things.
  • (Kristina) compromise reached at IIW: the compromise is to reuse PE primitives as much as possible while redesigning what has not been working. mdoc part looks pretty stable, but JSON-based formats need more work.
  • (Oliver) proposal can be found here.

OpenID DCP F2F summary

  • (Tim) other than the OpenID4VP profile, other takeaways?
  • (Rick) Payments and transaction confirmation was another big topic (overlap with W3C WebPayment WG priorities)

Any updates or takeaways from recent PING meeting?

(Nick) proposal about trustmarks or verification of verifiers was discussed; thought there would be different regulatory requirements involved. This isn’t a standing topic, but relevant material is likely to come back when PING has something they can add.

Updated explainer

  • (Rick) There’s a lot of context missing that didn’t get into the explainer. Key thing is the additional background on the current state, where the industry is going without the browser API and where it can go with it. Tried to frame it as improving the UX and the privacy at the same time. Note in particular the four key properties in the explainer.
  • (Manu) “assume response opacity” might be a little shaky
  • (Rick) agreed; there is an open issue on this one.
  • (Torsten) might want to update the example in the explainer based on what’s in the OpenID4VP PR discussed above
  • (Rick) Good idea.
  • (Rick) Also working on the W3C security questionnaire; if anyone wants to work with Rick on that, let him know.
  • (Tim) reminder: explainer is a proposal for a new idea; it is not itself a spec.
  • (Ryan) May not be a bad idea to have some "what it's not" as well...to cover certain aspects we have consensus on excluding.

Please review and add comments

Tradeoffs of being more or less conservative in DC API velocity (#106)

  • (Rick) we had so many conversations at IIW to think about the tradeoffs, some thinking it’s too fuzzy yet to be included, others thinking we’re going to miss our window of relevancy. Added the issue so we can track the concerns. What happens if the W3C delays standardization for a year? Let’s track that.
  • (Manu) clearly we need to have a discussion about this. Right now we have the charter PR, we have an Advanced Notice to the membership, we have this issue; we need to focus this conversation in one place.
  • (Tim) this issue is the velocity of the API regardless of where it’s developed, so it’s a slightly different focus.
  • (Manu) we need clear guidance as to where to post different comments.
  • (Rick) no matter what we do, debate is going to be spread across a variety of forums. Not intending for this to be the canonical place, but want this community to have a place.
  • (Manu) agreed. This group is going to have to come to grips with all these comments. Suggest that no matter where these comments happen, we need to track them with “here’s the issue, here’s the discussion, here’s the decision.”
  • (Tim) at a minimum, if you see discussion, please add the link to it to this issue.

Managing request format extensibility without sacrificing security (#102)

  • (Tim) this was triggered by the request of moving from string to object. String provides most flexibility but is most challenging for the user agent. Let’s circulate and add comments here. Your feedback would be most welcome.

AOB

(Gail) has a commitment to work on a roadmap to respond to NIST, CA DMV, EC. Will socialize that with this forum as well as the OIDF DCP WG, ISO, etc.