# WG Meeting: 2023-02-07
## Agenda
- [Atul] PR Update
- Any New Inputs
- [Eric] Stream Configuration Question
## Attendees
- Atul Tulshibagwale (SGNL)
- Greg Brown (Axiad)
- Vinayak Shenoy (Okta)
- Shayne Miel (Cisco)
- Eric Karlinsky (Okta)
- Debora Comparin (Thales)
- Stan Bounev (VeriClouds)
- Edmund Jay ()
- Hemil (Yahoo)
- Frank Taylor (VMware)
- Mike Kiser (SailPoint)
- Steve Venema (ForgeRock)
- Gail Hodges (OIDF)
- Matt Topper ()
## Notes
### PR Update
- One more pull request in the works
### Use Cases
- Frank would like to get involved in the use-cases discussion
- How customers connect this technology to the various products they are buying. How does VMware play in that space, and how do customers integrate?
- We do not have a clear view into how various products use various events.
- We should start with the older use-case document and make it current to reflect the current interest from the WG
- We should aim for interoperability testing between products
- There are some private efforts of interoperability testing
- It will help for implementers to showcase this technology
- Two levels of interop: technical interop and value demonstration
- An "Architecture Document" could be really useful
- There is a Catch-22 with this standard right now: There is hesitation because the use-cases are not clear, and because use-cases are not clear there is hesitation
- What is the consensus around how each of these CAEP events would work? There are just 5, so it should be doable.
- Eric Karlinsky can take the lead, Steve Venema, Stan Bounev, Frank Taylor, Vinayak Shenoy and Atul Tulshibagwale can help.
- Is anyone aware of OIX? They have a Guide to Shared Signals (Aug 2022)
- NIST has an interest in using RISC events
- Current doc that could serve as background is [here](https://docs.google.com/document/d/1tmMqiXNB-lW9HXIzrivOvaFSts23zAzKLWPcSD740kE/edit#heading=h.fsduc31pruxn)
### Slack Channel Update
- OIDF cannot afford the cost of the Slack channel
- Free version deletes messages after 90 days
- So we can have informal discussions on Slack, but any formal communication needs to be through the Listserv
- Some entities are not allowed to use Slack
- OIDF is looking for an alternative to Slack
- Reach out to Mike Leszcz <mike.leszcz@oidf.org> to get yourself added.
### Stream Configuration Question
- When there are multiple subject entities in a complex subject,
- There needs to be more precise specification of a list of users in a subject definition.
- [Shayne] If you want to specify multiple subjects, the spec allows for it. Q: How? Add Subject only takes one subject
- Okta would like to know the specific list of IDs for whom the events need to be sent, which cannot be achieved by specifying it as a general "tenant"
- This comes down to the use-case: Who is the Transmitter, what is your relationship. One may have different Transmitters for device management and user identities, and the streams with those Transmitters would cover all members of the respective tenants
- This might work for simpler organizations, but for complex organizations, this abstraction may fail
- Is the ask that there should be multiple subjects in the same "add subject" event? A: It could be a group of users within a tenant.
- There is a "group" subject type. But the Tx and Rx would need to agree on the group membership.
- Wouldn't this even be true of user identities? Tx and Rx need to know that they're talking about the same user when they pass a shared identifier.
- Yes, there needs to be agreement, but there needs to be an extra level of coordination between Tx and Rx in the group case
- In agreeing to the group membership, Tx and Rx may share user IDs, so that exchange could be used instead of the group.
- Could SCIM be used for group membership agreement?
- One more approach: Use the Receiver to make "add event" calls to specific members instead of the whole group
- There's a job to be done between the Rx and Tx about group membership agreement. That can be done by just adding individual members to the stream, or it can be done out-of-band, and then referred to in the protocol
- If instead, there was an "add subject" method that allowed multiple subjects to be added together, it could be easier.
- Pre-agreed groupings are a higher complexity than user-identity (it would seem)
- There is a transactionality to it: An add-event with multiple members is an all-or-nothing semantic, whereas multiple add-events could result in some being added and some failing to be added
- "Cold start problem" - SCIM could be useful, but is there a way to avoid that dependency?
- Perhaps we can tackle this as a part of the use-cases work
### IIW WG Meeting
- Atul to send out a form to solicit interest in the in-person meeting on the Monday before IIW Spring 2023
- We should arrive at an agenda for this meeting
- The OIDF workshop covers all workgroups' activities, but this WG meeting would be separate and we would talk about specific agenda items that are interesting specifically to the WG members
- This can be an agenda item for the next meeting
- Hybrid is also a possibility
- Confirm if it's in SF or Mt View
## Action Items
- Atul to reach out to Asad (Thales) to get the use-cases document
- Gail and Steve to discuss OIX approach
- Eric and Atul to talk about previous work
- Atul to send out a form to gauge interest in an in-person meeting around IIW Spring 2023