April 4, 2018 OpenID Board Meeting Minutes

Present:
Don Thibeau, Executive Director
Brian Berliner
Adam Dawes
John Bradley
George Fletcher
Tony Nadalin
Sarah Squire
Mike Jones

Present on the Phone:
Nat Sakimura
Bjorn Hjelm
Ashish Jain

Absent:
Prateek Mishra
Tushar Pradhan
Masato Obata

Visitors on the Phone:
Tom Smedinghoff, Locke Lord LLP
Mike Leszcz, OIDF


1.       Liaison Update
Dave Tonge will be our liaison to ISO/TC 68/SC 9 - Information exchange for 
financial services.  They will have a meeting May 14th in Zurich.  We are 
establishing a liaison relationship with ISO/IEC JTC 1/SC 27/WG 5 - Identity 
management and privacy technologies.


2.       RISC Update
Adam reported that the RISC working group plans to request an Implementer's 
Draft vote for the current RISC spec.  RISC will have a face-to-face meeting 
this week.


3.       Certification Update
Mike reported that the OpenID Certification program won the Identity Innovation 
Award last week at the IDnext conference.  See 
https://openid.net/2018/03/29/openid-certification-program-wins-2018-identity-innovation-award/.

Mike reported that Hans Zandbelt is fortunately recovering from his auto 
accident and is now able to do some work on the certification program.

Mike said that he needs to review the Form Post Response Mode tests before 
adding the new profiles for those "testing the tests".

There may be an option to have college students being mentored by VMware 
employees do some enhancements to the certification code.  One good project 
would be adding certificate-based authentication and an option to require 
signed requests so that Open Banking deployments could be tested with the 
certification test tool.

We discussed the status of the Open Banking/FAPI test suite that has been 
produced by FinTech Labs and its contractors.  While OIBE's intent is to hand 
over that effort to the OpenID Foundation, there currently aren't any financial 
or people resources allocated for maintaining and operating the test suite.  
Don is working with them to clarify their intent and develop a plan that works 
for everyone.  George pointed out that it would be odd for us to operate a test 
suite for specs that aren't OpenID specs.  It may be possible to eventually use 
it to test either Open Banking or FAPI conformance.  We discussed the 
possibility of charging significantly more for Open Banking certifications than 
the current certifications - possibly enough to actually cover our costs.

Mike reviewed some of the conclusions from Hans Zandbelt's report on the Open 
Banking test suite.  He noted that much of the functionality in the OpenID 
Certification test suite is missing in the Open Banking test suite and there 
are no plans to add it.  For instance, of the 6 defined response_type values, 
only one (code) is supported.  We agreed that it would be good to add 
functionality to the OpenID Certification test suite so that Open Banking 
deployments can run it - in addition to the Open Banking specific test suite.


4.       Women in Identity
Microsoft has provided directed funding to the Women in Identity effort through 
OIX.


5.       Board Meetings at IIW
George suggested that we try to schedule future board meetings at IIW at times 
that have less impact on the workshop.  Thursday afternoon or late Monday 
afternoon seem like good options.  Don will plan to have the next one after the 
Monday workshop at VMware.


6.       New RP Libraries
Adam described a Google-funded project to build new RP libraries with better 
support for JWTs and security best practices.  They are working on Python, 
Java, and JavaScript implementations.  They are building on the open source 
Auth0 libraries for Java and JavaScript and Roland Hedberg is doing a new 
Python library.  Adam would like them to be owned by the foundation in the same 
way that the AppAuth libraries are.  Tony was supportive of that.  Adam hopes 
that Auth0 will accept the changes made by the foundation into their code.  We 
will have to work out change management for all the libraries.  George said 
that we are taking on SLA responsibilities to, for instance, fix critical 
vulnerabilities in a timely fashion.  Adam believes that because the libraries 
will be used in production, there will be resources to maintain them.


7.       Renaming FAPI
Tony stated that the FAPI name is causing confusion in the marketplace.  Tony 
is suggesting that both the working group and the specifications be renamed.  
John reported that some Polish planners have been confused into thinking that 
they couldn't have their own API and use FAPI for their PSD2 work.  Mike asked 
if the spec abstracts provide good descriptions from which we could derive good 
names.  (They didn't.)

We should also change the scope to make it not specific to financial data.  It 
should capture that it's for high-value, high-security transactions.  John said 
that some aspects of the specs currently are financial.  We could break 
those aspects out into a separate financial profile.

Tony agreed to work with Nat and Sarah on new names.


8.       Upcoming Events and Member Recruitment
Members are encouraged to talk with organizations that are depending upon 
OpenID Specifications but that are not currently members about re-engaging with 
the foundation.  This can be done at upcoming events.  Tony said that it's also 
important for those doing implementations to engage, in part so that what they 
are building is interoperable.

Attachment: April 4, 2018 OpenID Board Meeting Minutes.docx