# WG Meeting: 2024-12-17 ## Agenda - Interop recap - OIDF Conformance Tests Workshop - Schemas - Special Topic Group ## Attendees - Yair Sarig (Omnissa) - Thomas Darimont (OIDF) - Apoorva Deshpande (Okta) - Erik Gomez (JGSW) - Martin Gallo (Individual) - Mike Kiser (SailPoint) - Brian Soby (AppOmni) - Sean O'Dell (Disney-) ## Notes ### Interop at Gartner IAM Dallas - (Brian) Usage of session-revoked as an action seemed to indicate that there might be room to include the idea of "actions" within the standard - (Shayne) Nice to see more fleshed out product demos. Attendees already knew about the spec. - (Yair) Gartner pushed heavily for SSF. - (Mike) Definitely a more mature audience. Still had to explain difference between SSF and CAEP/RISC. Less chaotic because of 6 sessions. Lead to deeper discussions. - (Yair) People had a hard time wrapping their heads around continuous evaluation. - (Brian) The "Session hijacking" framing was useful for explaining why we want that continuous eval. - (Martin) Is there any write up available with interop tests results themselves? Like what vendors’ implementation were there and what flows where able to be tested against (transmitter, receiver, both, etc)? - (Apoorva) OIDF blog on the interop - (Elizabeth) Published blog at the beginning of the interop and hoping to publish another one soon. - https://openid.net/shared-signals-interoperability-at-gartner-iam/ ### Conformance Tests - (Thomas) Planned to do during interop but due to logistics we decided to postpone until January - (Thomas) I will introduce you to the suite and provide some guidance on how to test. - (Thomas) 1-2 hour workshop. Jan 28. An hour earlier than the regular SSF call. - (Shayne) Is there anything we need to do in advance to prepare? - (Thomas) I have access to several different environments to test the tests. If anyone else can give access to other environments, that would be great. - (Thomas) The tests can be run in multiple ways: locally (Java/Springboot) and in the cloud. - (Thomas) We will record for anyone who cannot attend. Be careful not to leak secrets. - (Apoorva) Is this a demo or the final product? - (Thomas) Not a demo, but still being developed. We will take feedback and apply it. ### Special Topic Group - (Sean) A lot of interest in the MDL and OID?? community. We want to talk about how to enable SSF to be a trust framework that reaches out beyond identity. Originally an ask for a Community Group, board recommends a Special Topic Group. - (Sean) More about the applicability of Shared Signals and using it as a trust framework, implementing it for use case rather than the particulars of the spec. - (Sean) The goal of the Shared Signals CG (now a Special Topic Group) is to consider the end-to-end design principles for \achieving scale through the sharing of signals, “crossing the chasm” to global adoption. The concept of fraud signal sharing for digital identities is relatively new but considered by many to be of paramount importance for building trust in the security and integrity of their systems, thereby a significant factor for encouraging adoption by businesses. Shared signals enable better collaboration and communication between identity providers, relying parties, and users to establish a framework for entities to share relevant information about identity events or states while preserving privacy and respecting user consent. - (Sean)Initial scope is to establish Fraud event topologies and taxonomy and essential data points required for signal generation. - (George) It's more about the underlying transport/distribution mechanism, and what other problems can we solve with it? - (George) If you're delivering a VC through a network like ?? you've lost the binding mechanism, so what does that mean for use cases. - (Nancy) We need to understand the IPR and how it will map back to the original SSF working group. Special Topic Group is _under_ the working group. We need the chairs to say they will create some new cadence for this topic. - (Elizabeth) I can support the chairs if they need anything in setting this up. - (Nancy) You want the members of the WG to be aware of what is happening in the Special Topic Group - (Sean) We will make sure that we have some cross-representation. - (Shayne) We will have a recap of what happens in the Special Topic Group at the beginning of the WG meetings. - (Gail) The charter (still in draft): https://docs.google.com/document/d/1vdJtIH7z3S8Fu_YzgQF9hp6MLQfYpVmD3ijU8YaIq5w/edit?tab=t.0 - (Gail) No further process needed. As soon as the WG likes the charter, it is up to the co-chairs to set up the mailing list/meeting cadence/web page. ### FS-ISAC Collaboration with SSWG - (Gail) Had a call with Steven the CEO of FS-ISAC was productive as a first call. He did think it was strange that none of the members active in his org had brought up shared signals to fs-isac attention. He definitely had a couple questions I could not easily answer, but it sounds likely he will follow up pre or post holiday on next steps as he reflects We did talk about the fraud, aspen institute effort with OIDF is also supporting- that is one good angle for collaboration. There was also mentioned the subgroup we are likely to form. If any of you have colleagues that are managing the FS-ISAC relationship (like a head of fraud perhaps?) you may want to raise the topic on your side with them? I indicated that with Shared signals just now reaching a tipping point of adoption it just might not have come up yet… I did mention that there may well be another interop event in London with Gartner, but that if they have relevant events it could be worthwhile thinking about that together. But first things first, I suggested a follow up with a few experts on both sides to explore fit and if a good fit, then approach. ### Schemas - (Jen) Sharing screen of schemas - (Jen) Some problems encountered when trying to write the CAEP events as JSON schema: - The JSON schema langauge is not particularly easy to understand for non-developers - The places where we have put optionality (types of token, etc) are tricky to write as JSON schema - (Jen) Concern that this is not the right path - (Sean) This is still increbily useful - (Shayne) The schema is useful because tools can get us to langauge models ## Action Items