# WG Meeting: 2023-12-12

## Agenda

- Updated [interop spec](https://sgnl-ai.github.io/caep-interop/caep-interoperability-profile-1_0.html) - review and next steps
- SSF / CAEP / RISC Implementations Status

## Attendees

- Atul Tulshibagwale (SGNL)
- Phil Hunt (Independent ID)
- Shayne Miel (Cisco)
- Tim Cappalli (Microsoft)
- Stan Bounev (VeriClouds)
- Raymond Luo (Cisco)
- Gail Hodges (OpenID)
- Nancy Cam Winget (Cisco)
- Tom Sato (VeriClouds)

## Notes

### Interop Spec Review and Next Steps

- Latest [Interop Spec](https://sgnl-ai.github.io/caep-interop/caep-interoperability-profile-1_0.html)
- (Shayne) The requirement for the spec to support both email and iss_sub, what does that mean for a Transmitter?
- (Atul) I'll clarify that it is meant for Receivers
- (Phil) Between any two parties, since we don't know what a relying party needs, we should be able to set up streams with different subject values
- (Phil) A few years ago, Adam Dawes mentioned that there is no way 100s of thousands of OpenID clients agree on any one format
- (Atul) The intent is to have a minimum standard so that your implementation can be called an "interoperable standard"
- (Atul) Proposing to incorporate this into the SSWG GitHub and then request it to be voted on as an implementer's draft. Is it too soon to do that?
- (Nancy) This feels like more of a testing / certification draft rather than a WG output that needs to be voted on
- (Gail) We have a separate exercise to develop the tests, so if this helps with that. If this is a guidance document, then it doesn't need to be called a specification at all
- (Nancy) This feels more like a set of configuration settings, rather than a new specification
- (Gail) The FAPI group has something similar, we should check with them
- (Stan) Why do we need this interoperability profile?
- (Stan) Should we have a separate document, or can we just mark certain things as mandatory in the core spec?
- (Nancy) It feels like some of the things should be mandatory in the specs themselves, but there are other things such as configuration settings, that should not be in the core spec
- (Phil) What does it mean that an implementation "supports" an event?
- (Atul) We cannot dictate how the products work, but the interoperability profile specifies that the software supports transmission or receiving of the events
- (Phil)
- (Nancy) A Receiver may not be the actual enforcer or processor of the event, but it can acknowledge the receipt of the event
- (Shayne) So do we need a formalized way to codify that the event should be acknowledged?
- (Phil) Go to GitHub and search for GoSignals. It acts as a store and forward server. I have SCIM servers using it for replication. It is both a Transmitter and a Receiver. It converts events from one format to another
- (Atul) We could add language about acknowledging events in the interop profile
- (Phil) We could have a testing harness that compares the jtis received and sent, and it should match
- (Phil) There are three parts - an event generator, then a list of events that were sent or acknowledged, and then on the receiver side
- (Stan) I have a question about the interoperability spec - we need to have "session revoked" or "credential change"
- (Atul) These are the two events that have been identified, we can add more
- (Mark) That has happened before, e.g. FAPI is an interop profile of OpenID Connect. High Assurance Interop Profile offers interoperability for Verifiable Credentials
- (Gail) So the bottom line is that we should continue this as a specification, and the tests would get developed against that
- (Mark) We have OIDC and FAPI conformance testing capability
- (Gail) We should probably reconfirm with Joseph, but we have what we need to do in order to move forward

### SSF / CAEP / RISC Implementations Status

- (Stan) Can we get an update about some of the larger organizations that have already implemented these specs, and the use-cases that they have implemented
- (Sean) It's correct that larger organizations have implemented, but their customers are not able to interoperate with them, which is not yet possible
- (Sean) Today I have to do so much proprietary work, I would just like to use SSF as a customer of these organizations

### Certification / Interoperability Testing

- (Atul) The Gartner interoperability testing is going to be an intermediate step to full certification
- (Shayne) So what will people actually see when they say they interoperate?
- (Tim) You could have an overly verbose presentation that animates all the steps
- (Sean) We did a vanilla app, that showed how a simple client called a session revoked and it showed you could no longer use the services
- (Tim) We did a customer keynote at a previous job, and built a basic bot that sent notifications.
- (Sean) You could use caep.dev to show the interop

### Co-chair

- (Gail) Annabelle has been inactive for personal and work reasons
- (Gail) The WG can take a decision to change her status as a co-chair, and have one or more co-chairs to come in.
- (Gail) We can take a consensus decision if there is sufficient participation
- (Atul) Should we ask Annabelle to step down, just like we did for Marius?
- (Gail) Any comments from Shayne about stepping up to be co-chair?
- (Shayne) Happy to, I'm already working with Tim and Atul closely on the editing and administration
- (Gail) If anyone else is interested, please speak up / contact Gail
- (Phil) I'd like to second Shayne's nomination
- (Sean) Thumbs up for Shayne's nomination

## Action Items

- Gail to start the process to effect the co-chair change by asking Annabelle
- Atul to clarify in the interop profile that support for subject types is expected only of Receivers