# WG Meeting: 2025-05-27

## Agenda

- Messaging at Identiverse
- Prescriptive / non-prescriptive nature
- Clean up PR

## Attendees

- Atul Tulshibagwale (SGNL)
- John Marchesini (Jamf)
- Sean O'Dell (Disney)
- Yair Sarig (Omnissa)
- Vladimir Slesarev (CyberArk)
- Mike Kiser (SailPoint)
- Stan Bounev (Blue Label)
- George Fletcher (Independent / Great Guy)
- Jen Schreiber (Workday)

## Notes

### Messaging at Identiverse

- (Sean) What can we say about the "final" status of the specs at Identiverse?
- (Atul) Informally, we can claim that we are about to send out the last call for a V1 final for SSF.
- (Atul) What is exactly in final...there might be some questions about it but we have doc history we can reference in the latest draft.

### Prescriptive / non-prescriptive nature

- (Sean) I get asked about whether SSF can be used in a prescriptive way
- (George) I always have to talk about it in IPSIE and OpenID Connect meetings
- (Sean) Introducing a "Policy Events" profile or something like that would help in this regard
- (Mike) We also need to be aggressive about it because on IPSIE they were aligning OP Commands to their metrics (IL1/IL2, etc.)
- (Atul) We could bring in [George's issue](https://github.com/openid/sharedsignals/issues/255) to v1Final
- (George) Since it's non-normative, we could bring it in
- (George) The argument centers around the SET spec saying something about SETs being informational
- (Atul) By definition you can't assume a SET is a command but semantics can be interpreted as such (to be prescriptive)
- (Sean) I say let's add it in to v1 Final to send a message about applicability
- (George) Don't want to be constrained about cross domain trust, in reference to IPSIE. When an RP is integrated into your IdP you aren't really crossing trust domains. You should be able to be prescriptive in that context.
- (Atul) Not sure it relates to cross domain trust. Just receiving a SET does not mean you have to "obey" it. Comes back to semantics and definition.
- (George) If you are in a federation of 2 trust domains you can have prescriptive behavior, but tend to be informational.
- (Sean) I disagree about first part integrations (RPs) with an IdP being informative. When an enterprise integrates with an RP, like a Salesforce or ServiceNow, it is under the context of the enterprise's security guidelines and policies. With that said, if a CAEP event is issued by the IdP or SSF Transmitter to an integrated RP, as listed above, it is not an inform...it is a prescription to perform the requested action and inform the IdP when it is done.

### Clean up PR

- (Jen) Please review my [clean up PR](https://github.com/openid/sharedsignals/pull/266)
- (Jen) Please use the markdown linter when you write your PRs so that we don't have to do this again.
- (Atul) Could you please update the Makefile to have a new target to run the markdown linter
- (Yair) Perhaps also update the README?
- (Jen) Sure (to both)
- (Jen) Please turn off the white space diffs when you review, it makes the reviewing process easier.

## Action Items

- (Sean) to address issue 255 (prescriptive semantics on top of SSF) in the SSF draft.