# WG Meeting: 2024-03-19

https://hackmd.io/@oidf-wg-sse/wg-meeting-20240319/edit

## Agenda

- Meeting structure changes (5 min)
- Existing action items (5 min)
- Continued discussion (10 min)
- Open PRs (20 min)
- Recent issues (20 min)

## Attendees

Please add yourself here or enter your name and organization in the chat.

- Shayne Miel (Cisco)
- Apoorva Deshpande (Okta)
- Phil Windley (AWS)
- Stan Bounev (VeriClouds)
- Frank Gasparovic (Silverfort)
- Matt Topper (UberEther)

## Existing action items

- Shayne: Update Opaque PR to limit to verification event only [DONE]
- Apoorva: Add versioning info re: CAEP to the interop spec [in PR #134]
- Stan/Sean: Add use cases to repo

## Continued discussion (10 min)

### IIW - Do we want to meet?

- (Steve) IIW is coming up. Do we want to get together there? Mountain View.
- (Dean) OIDF meeting at Google Campus. Week of April 15th.
- (Steve) OpenID usually does a half day before. Someone should be prepared to present. Steve is willing to present if needed.
- (Phil) It would be nice to have someone present at IIW itself.

## Open PRs (20 min)

### [146: Minor editorial nits](https://github.com/openid/sharedsignals/pull/146)

- Awaiting approval from one more editor

### [145: Fix Indefinite Articles Before "SSF"](https://github.com/openid/sharedsignals/pull/145)

- Awaiting approval from one more editor

### [142: Clarify verify event response code](https://github.com/openid/sharedsignals/pull/142)

- (Apoorva) Found this during interop.
- (Shayne) The Transmitter wants to know that the Receiver got the verification?
- (Shayne) Is the acknowledgement enough?
- (Sean) I think we need more.
- (Apoorva) Let's spin that "more" into another discussion.
- (Apoorva) Can we add a reference to the push spec?

### [134: Include OAuth specifics in the interop spec](https://github.com/openid/sharedsignals/pull/134)

- Waiting on changes from feedback

### [120: Issue 116 - Added support for receiver streams](https://github.com/openid/sharedsignals/pull/120)

- Wait for Phil Hunt for discussion

## Recent Issues (20 min)

### [140: Allow Receiver to supply public key](https://github.com/openid/sharedsignals/issues/140)

- (Shayne) Suggestion is to allow the Receiver to add an optional public key during stream creation/update. SET gets sent as a JWE.
- (Apoorva) Dynamic client registration through OIDC allows pre-registering the public keys. We could also register the aud value at that time.
- (Shayne) Is there a means to update the value if we need to cycle the keys?
- (Jen) Yes, if it is implemented correctly.
- (Sean) This means the Transmitter would have to support multiple keys at the same time for a client.
- (Jen) You're saying that it is not intuitive to support multiple keys?
- (Sean) Yes. We need support for multiple keys.
- (Mark) [OpenID Federation client registration link](https://openid.net/specs/openid-federation-1_0.html#name-openid-connect-client-regis)
- (Steve) Do different streams for the same Receiver need different keys? Perhaps if one is more sensitive than another.
- (Apoorva) It might be operationally difficult to have some streams sending a JWT and others sending a JWE. The security properties should be a communication between entities.
- (Apoorva) For signing we don't support the idea of using different keys per stream.
- (Apoorva) What are we achieving by encryption per stream? Do the messages have different parity?
- (Shayne) Is this an issue for testing? Is it easier to test this if it is per stream?
- (Mark) Testing for FAPI already requires the test to set up multiple clients, so there is prior art for this. So we could have one encrypted client and one non-encrypted client.
- (Mark) A thing that might help would be to jot down the positive and negative features for each new feature that is created.
- (Apoorva) What is the difference between conformance testing and interop testing?
- (Mark) Conformance testing is an open source tool that you use to test your Transmitter and/or Receiver. That is different from proving you can interoperate with an actual other company.
- (Bjorn) Conformance testing is before you go into mass production. Some companies may require that you pass in order to work with you.
- (Shayne) What kind of language do we need in the spec to talk about dynamic client registration? Lots of MAY statements?
- (Mark) Other specs have a "security considerations" section where we could add this.

### [141: Mark fields optional or required in StreamConfiguration](https://github.com/openid/sharedsignals/issues/141)

- (Shayne) Only one option is currently marked "optional". Should they all be decorated optional/required?
- (Apoorva) That is helpful for implementation.
- (Mark) What about conditionally required items? I'll share some [examples from other specs](https://openid.bitbucket.io/ekyc/openid-connect-4-identity-assurance.html#name-op-metadata).

### [143: Push based- Incorporate Server-Sent Events (SSE)](https://github.com/openid/sharedsignals/issues/143)

## Other topics

### Blog post

- (Mark) Gail wants to create a blog post about the interop event. If you wish to contribute, please contact her or Mark.

## New Action Items

- Stan/Sean: Add use cases to repo
- Steve: Follow up with Gail on Slack about OpenID meetup before IIW
- Shayne: PR for encrypting SETs based on today's conversation, dynamic client registration