# Meeting Notes - 2023-04-28

## Participants

- Atul Tulshibagwale
- Kelley Burgin
- George Fletcher
- Joe Jubinski
- Pieter Kasselman
- Hannes Tschofenig
- Arndt Schwenkschuster

## Policy discussion

* Pieter to share links for a meeting with Atul, George and Hannes

## Use cases

Conclusion:

* Keep the use cases doc for the working group
* Pick a subset of the use cases for the docs

## Appropriateness of [Aggregated and Distributed Claims](https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims)

We feel there are some mismatching requirements because:

1. The claim names have to be unique across all sources
2. The original JWT from each claims provider needs to be available
3. The user needs to bounce between all providers in order to get the JWTs in the first place

## [OAuth 2.0 Token Exchange](https://datatracker.ietf.org/doc/html/rfc8693)

* We could potentially use the ".well-known" mechanism to discover the AS of a foreign trust domain based on a request for a resource server in that trust domain
* Any client in Trust Domain A that needs to access a resource server in Trust Domain B must go through the AS in Trust Domain A in order to get the access token
* The AS in Trust Domain A may discover the AS in Trust Domain B as described in the first point
* We can borrow some learnings from Kerberos. It also had the problem of multiple realms and of discovering (realm discovery) where the individual servers are
* Kelley will look into how Kerberos does this
* Arndt can also check with experts within Microsoft who will know about this

## MITRE update

* The project that had this within its scope is no longer active, so Joe and Kelley will be spending time on this on their own initiative
* This may affect the amount of time they can spend on this (could be less)

## NIST Document (ZT Architecture for Access Control in Cloud Native Apps)

* Recommended reading: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207A.ipd.pdf

## Spec Development

* Kelley has converted the Google Doc into IETF draft format
* Which repo can we put it in?
* We can start with HackMD; once it is more mature we can take it to the IETF
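Worked example for the "Appropriateness of Aggregated and Distributed Claims" section above. This is added illustration, not code from the meeting notes or from any working group document. It builds an ID Token in the `_claim_names`/`_claim_sources` shape of OpenID Connect Core section 5.6.2 and resolves it, which makes the first two mismatches concrete: `_claim_names` is a JSON object keyed by claim name, so one claim can only point at one source, and every resolved claim requires the claims provider's JWT, embedded for an aggregated claim or fetched with a per-source access token for a distributed one. The keys, issuers, claim values and the fetch stub are constructed; HS256 is used only so the sample runs offline, and the assumption that a distributed-claims endpoint answers with a signed JWT is ours.

```python
import base64
import hashlib
import hmac
import json

# Added example, not from the meeting notes. Keys, issuers, claim values and the
# fetch stub are constructed so the code runs offline.


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(payload: dict, key: bytes) -> str:
    # HS256 keeps the sample self-contained; a real Claims Provider signs with its own key pair.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256_jwt(token: str, key: bytes) -> dict:
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("JWT signature check failed")
    return json.loads(b64url_decode(body))


def find_collisions(provider_claims: dict) -> dict:
    """Return {claim_name: [source ids]} for every claim that more than one source wants
    to assert. _claim_names is keyed by claim name, so each name can name only one source."""
    seen = {}
    for src, names in provider_claims.items():
        for name in names:
            seen.setdefault(name, []).append(src)
    return {name: srcs for name, srcs in seen.items() if len(srcs) > 1}


def build_claim_names(provider_claims: dict) -> dict:
    collisions = find_collisions(provider_claims)
    if collisions:
        raise ValueError(f"cannot express multiple sources per claim: {collisions}")
    return {name: src for src, names in provider_claims.items() for name in names}


def resolve_claims(id_token: dict, keys: dict, fetch) -> dict:
    """Resolve every _claim_names entry, verifying the JWT that carries it.
    `keys` maps source id -> verification key; `fetch(endpoint, access_token)` returns the
    JWT served by a distributed-claims endpoint (assumed here to be a signed JWT)."""
    resolved = {}
    for name, src in id_token.get("_claim_names", {}).items():
        source = id_token["_claim_sources"][src]
        if "JWT" in source:
            token = source["JWT"]  # aggregated: the provider's JWT travels inside the ID Token
        else:
            token = fetch(source["endpoint"], source.get("access_token"))  # distributed: fetch it
        payload = verify_hs256_jwt(token, keys[src])
        if name not in payload:
            raise KeyError(f"source {src!r} did not assert claim {name!r}")
        resolved[name] = payload[name]
    return resolved


# Constructed sample: one aggregated and one distributed Claims Provider.
SRC1_KEY = b"src1-demo-key"
SRC2_KEY = b"src2-demo-key"
SRC1_JWT = make_hs256_jwt(
    {"iss": "https://src1.example", "address": {"locality": "Boston"}, "phone_number": "+1-555-0100"},
    SRC1_KEY,
)
SRC2_JWT = make_hs256_jwt({"iss": "https://bank.example", "credit_score": 650}, SRC2_KEY)

ID_TOKEN = {
    "iss": "https://op.example",
    "sub": "248289761001",
    "name": "Jane Doe",
    "_claim_names": build_claim_names({"src1": ["address", "phone_number"], "src2": ["credit_score"]}),
    "_claim_sources": {
        "src1": {"JWT": SRC1_JWT},
        "src2": {"endpoint": "https://bank.example/claim_source", "access_token": "ksj3n283dke"},
    },
}


def fake_fetch(endpoint: str, access_token: str) -> str:
    # Stand-in for the HTTPS request the RP would make, sending access_token as a Bearer token.
    if access_token != "ksj3n283dke":
        raise PermissionError("claims endpoint rejected the access token")
    return {"https://bank.example/claim_source": SRC2_JWT}[endpoint]


if __name__ == "__main__":
    print(resolve_claims(ID_TOKEN, {"src1": SRC1_KEY, "src2": SRC2_KEY}, fake_fetch))
    print(find_collisions({"src1": ["email"], "src2": ["email"]}))
```

Note that `find_collisions` is the whole of mismatch 1: if two providers both want to assert `email`, there is no `_claim_names` value that can say so. The third mismatch (the user bouncing between providers to obtain each `access_token`) happens before any of this code runs and is why `fake_fetch` simply receives a token it was handed.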
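Worked example for the cross-trust-domain Token Exchange flow sketched in the "OAuth 2.0 Token Exchange" section above. This is added illustration, not code from the notes or from any working group project. AS-A derives AS-B's RFC 8414 metadata URL, checks that the discovered issuer matches and advertises the token-exchange grant, and prepares an RFC 8693 request in which the client's Domain A token is the `subject_token` and AS-A's own credential is the `actor_token`; AS-B then validates the request and answers in RFC 8693 response shape. The metadata document, the resource-server-to-issuer map, the peer-AS trust list and every token string are constructed assumptions. In particular, how a resource server in Domain B is mapped to its AS is exactly the point the notes leave open, so `RS_TO_ISSUER` is a placeholder for that mechanism, and AS-B's validation of the Domain A subject token is stubbed for the same reason.

```python
from urllib.parse import urlparse

# Added example, not from the meeting notes. Metadata, the RS-to-issuer map, the
# peer-AS trust list and all token strings are constructed.

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"

# RFC 8414 metadata as AS-B would serve it (constructed).
METADATA = {
    "https://as.b.example/.well-known/oauth-authorization-server": {
        "issuer": "https://as.b.example",
        "token_endpoint": "https://as.b.example/token",
        "grant_types_supported": ["authorization_code", TOKEN_EXCHANGE],
    },
}

# Assumed: some mechanism tells AS-A which issuer governs a foreign resource server.
RS_TO_ISSUER = {"https://rs.b.example/api": "https://as.b.example"}


def fake_fetch(url: str) -> dict:
    # Stand-in for an HTTPS GET of the metadata document.
    return METADATA[url]


def metadata_url(issuer: str) -> str:
    """RFC 8414 section 3: insert the well-known segment between host and any issuer path."""
    u = urlparse(issuer)
    return f"{u.scheme}://{u.netloc}/.well-known/oauth-authorization-server{u.path}"


def discover(issuer: str, fetch) -> dict:
    md = fetch(metadata_url(issuer))
    if md.get("issuer") != issuer:  # RFC 8414 section 3.3: issuer in metadata must match
        raise ValueError("issuer mismatch in metadata")
    if TOKEN_EXCHANGE not in md.get("grant_types_supported", []):
        raise ValueError("foreign AS does not advertise token exchange")
    return md


def as_a_build_exchange(subject_token: str, actor_token: str, resource: str, fetch) -> tuple:
    """AS-A side: a client in Domain A presented its Domain A token and asked for `resource`
    in Domain B. AS-A discovers AS-B and prepares the RFC 8693 request, naming itself as actor."""
    md = discover(RS_TO_ISSUER[resource], fetch)
    params = {
        "grant_type": TOKEN_EXCHANGE,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN,
        "actor_token": actor_token,
        "actor_token_type": ACCESS_TOKEN,
        "resource": resource,
        "requested_token_type": ACCESS_TOKEN,
    }
    return md["token_endpoint"], params


# AS-B side state (constructed): peer AS credentials it trusts and resource servers it governs.
TRUSTED_PEER_AS = {"as-a-credential": "https://as.a.example"}
GOVERNED_RESOURCES = {"https://rs.b.example/api"}


def as_b_handle_exchange(params: dict) -> dict:
    """AS-B side: validate the cross-domain request and answer in RFC 8693 response shape."""
    if params.get("grant_type") != TOKEN_EXCHANGE:
        return {"error": "unsupported_grant_type"}
    if params.get("resource") not in GOVERNED_RESOURCES:
        return {"error": "invalid_target"}  # RFC 8693 section 2.2.2
    peer = TRUSTED_PEER_AS.get(params.get("actor_token"))
    if peer is None or params.get("actor_token_type") != ACCESS_TOKEN:
        return {"error": "invalid_request"}
    # Validating the subject token against Domain A's keys would go here; that is the
    # cross-domain trust question the notes leave open, so only the declared type is checked.
    if params.get("subject_token_type") != ACCESS_TOKEN:
        return {"error": "invalid_request"}
    return {
        "access_token": f"b-token:{params['resource']}:via:{peer}",  # constructed opaque token
        "issued_token_type": ACCESS_TOKEN,
        "token_type": "Bearer",
        "expires_in": 300,
    }


def cross_domain_flow(client_token_a: str, resource: str, fetch=fake_fetch) -> dict:
    """Client -> AS-A -> (discover) -> AS-B, returning AS-B's token response."""
    endpoint, params = as_a_build_exchange(client_token_a, "as-a-credential", resource, fetch)
    if endpoint != "https://as.b.example/token":  # in a real deployment: POST params here
        raise RuntimeError("unexpected token endpoint")
    return as_b_handle_exchange(params)


if __name__ == "__main__":
    print(cross_domain_flow("a-token-for-alice", "https://rs.b.example/api"))
```

The issuer check in `discover` is the part worth keeping whatever discovery mechanism is chosen: without it, anything that can influence the resource-to-issuer lookup can point AS-A at a token endpoint of its choosing. The `actor_token` is what lets AS-B distinguish "AS-A is brokering for this subject" from "the subject presented its own token directly", which is the delegation case RFC 8693 section 2.1 describes.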