# WG Meeting: 2024-01-09

## Agenda

- New co-chairs
- Interoperability meetings
- [Apoorva's Interoperability spec PR](https://github.com/openid/sharedsignals/pull/134)
- [Opaque format PR](https://github.com/openid/sharedsignals/pull/137)

## Attendees

- Atul Tulshibagwale (SGNL)
- Apoorva Deshpande (Okta)
- Tom Sato (VeriClouds)
- Shayne Miel (Cisco)
- Peter Travers (MongoDB)
- Mike Kiser (SailPoint)
- Stan Bounev (VeriClouds)
- Sean O'Dell (Disney)

## Notes

### [Apoorva's Interoperability spec PR](https://github.com/openid/sharedsignals/pull/134)

- Apoorva: Adds details about how OAuth will be helpful
- Apoorva: Details around the scopes, TLS version, flows
- Shayne: Downplay how much the interop is "about" OAuth, as per Atul's feedback
- Atul: Instead of saying this is a profile of OAuth, let's say this specifies a profile of an OAuth server when used with an SSF Transmitter

### [Opaque format PR](https://github.com/openid/sharedsignals/pull/137)

- Shayne: If we want verification events, we must provide opaque ID subjects for the stream ID
- Apoorva: Can we specify that we _only_ support opaque for the verification event?

### [New co-chairs]

- Atul: We've asked Anabelle to step down and she has agreed
- Atul: Shayne Miel and Sean O'Dell are interested in stepping up as co-chairs
- Atul: We'll send out an email about the proposal and make it official at the next meeting
- Apoorva: Do co-chairs need to be limited to a single working group?
- Atul: That's a question for Gail

### [Interoperability meetings]

- Atul: Interest from Cisco (Duo), Cisco (Webex), Okta, SGNL, VeriClouds, SailPoint, Disney
- Atul: We need to agree on what the use cases are
- Atul: Need to identify what changes need to be made to the interop spec
- Atul: Propose 30 min every week to work on interop (first 30 min of the standard biweekly meeting and an additional 30 minutes on off-weeks)
- Mike: What are the details of the event?
- Atul: Gartner is providing the venue; there is a session (Atul is speaker), and Gartner is providing a room where implementors can demo their Transmitters and Receivers
- Atul: Implementations do not have to be production code. Prototypes are ok
- Apoorva: What should we do about versions for CAEP?

### [Use Cases]

- Stan: When promoting SSF/CAEP/RISC, it would help to know the use cases
- Stan: We want to move from just the events to a full end-to-end use case. Tell a story about an org that wants to increase security and how these tools can make that easier.
- Atul: All of the events are about security, but the use case varies from event to event and company to company.
- Atul: Agree that we do need to have these end-to-end use cases on the SSF website.
- Stan: We can share the use cases we are building around.
- Sean: Use cases have been golden for us
- Shayne: Do we want to add info about why SSF is important here, in terms of re-usability etc.?
- Sean: Yes, and the openness of the standard
- Stan: Are we doing something secure when transmitting these potentially sensitive events?
- Sean: If it is internal within your company, a signed JWT is fine. If it is external it should be a JWE. But then you have to swap certificates, etc. It also depends on how sensitive the data in the event is.
- Stan: Thoughts about using CAEP for CIAM use cases?
- Sean: Assume you subscribe to a streaming service. Whenever it seems like someone has logged into your account, they sign you out of everything. But with SSF we could use Session-Revoked with a device identifier and only log you out of specific devices. This does 2 things: lets your user know you care and lets you collect feedback from users about false positives

### [Tokyo OpenID event]

- Tom: Next Thursday there is an OpenID hybrid workshop in Tokyo. We'll be there giving an overview of SSF and what VeriClouds has been working on.
- Tom: On Friday, the OpenID Japan summit. More than 300 people attending. FIDO did a large meeting last month. At the summit, Tom will be talking about SSF, including info about the interop event.

## Action Items

- Shayne: Update Opaque PR to limit to verification event only
- Apoorva: Add versioning info re: CAEP to the interop spec
- Stan/Sean: Add use cases to repo