April 8, 2021 OpenID Board Call Minutes

Present:
Don Thibeau, Non-Executive Director
Mike Jones
John Bradley
Nat Sakimura
Takao Kojima
Takehisa Shibata
Wesley Dunnington
George Fletcher
Bjorn Hjelm
Filip Verley

Absent:
Arvind Kumar Garg

Visitors:
Mike Leszcz, OpenID Foundation
Tom Smedinghoff, Locke Lord LLP
Sam Goto, Google
Ashish Jain, Arkose


1.       Update on Google's Web Tracking Initiative
Sam Goto joined the call as a visitor to update us on Google's web tracking 
initiative.  Filip Verley gave a short presentation on the industry landscape.  
He credited Apple with shaking things up.  He said that the browsers blocking 
third-party cookies was instrumental as well.  Google is moving in 
privacy-protecting directions.  Sam said that tracking has been abused. 
Third-party cookies are already blocked in Safari and Firefox, which breaks 
OpenID Connect session management functions.  Redirects likewise enable 
tracking, which may also result in future changes.  Tracking redirects are 
almost indistinguishable from identity redirect flows.  George and Sam talked 
about the potential for identity-specific solutions.  Nat asked whether there 
is an appetite for browsers to record a set of preferred identity providers for 
users.  Sam said that there is.  Sam said that none of these things are 
amenable to easy solutions and all come with tradeoffs.  He said that browser 
permissioning comes with a whole team doing A/B testing.  George talked about 
wanting to enable users to opt into functionality in some settings.  John asked 
about possibly enabling browsers to detect IdPs because they use U2F and/or 
WebAuthn.  Sam responded that heuristics are on the plate.  Sam said that they 
have considered heuristics based upon request parameters to detect OpenID 
Connect flows.  John asked about impacts on the postMessage flow.  Filip said 
that Chrome isn't giving the rest of Google any special dispensations.  Don 
said that we'll continue these discussions at the upcoming OpenID Workshop and 
in community meetings following it.  Filip said that this is an industry 
collaboration, and we should consider them as part of the industry.

[Sam left the call at this point]


2.       Certification Team Update
We are working on migrating the certification listings to use a back-end 
database.  Serkan Özkan of the certification team is the contractor we've 
selected.  We will use off-the-shelf WordPress plugins, where applicable.  
Serkan expects to do this work within the terms of his existing support and 
maintenance contract.

We are planning for the need to scale the certification program.  Australia and 
Brazil could generate request surges.  We believe that we have sufficient 
resources to handle some extra capacity.  Joseph Heenan, Serkan Özkan, and 
Edmund Jay are already processing certification requests.


3.       FAPI Outreach
Wes updated us on our relationship with the Financial Data Exchange (FDX).  Wes 
is co-chair of the FDX security group.  They are working to make the FAPI 
Advanced Profile and CIBA mandatory APIs.  At this point, there are no open 
objections within the FDX security working group.  They will be holding a vote 
to approve the recommendation.  They should have results within a few weeks.  
Joseph Heenan and Anoop Saxena are also engaged in this work.  The EC approved 
a limited-time 20% certification discount to workshop participants.

We're engaged with the security working group advising the central bank in 
Brazil.  We are scheduling workshops with Brazil.  We'll use the Australian 
workshops as a model.


4.       Australian Consumer Data Rights (CDR) Engagement
A series of workshops is scheduled.  Joseph is engaged, and will do 
demonstrations using an actual Australian site.  Anoop, Torsten Lodderstedt, 
and Dave Tonge are also participating in the workshops.


5.       Corporate Representative Status
Ashish Jain left eBay for Arkose.  Mike suggested that we appoint Ashish as the 
replacement corporate representative.  Tom said that, per our bylaws, there 
needs to be a new election.  We'll work on this outside of the board meeting.


6.       Liaison Report
Don reported that our liaison relationships are in good shape.


7.       W3C Web Payments Security Interest Group (WPSIG)
John Bradley reported that WPSIG invited us to participate and potentially 
become a sponsor.  The FAPI working group appointed Nat as a liaison 
representative.  We will consider becoming a sponsoring organization, and 
therefore a co-chair.  FIDO is already a sponsor.  The browsers are 
participating in this work.  The board unanimously supported our participation.


8.       Delegation of Authority to Sign Contracts
We unanimously approved Mike Leszcz to have the authority to sign contracts for 
the foundation until we have a new executive director.

[Don left the call at this point]


9.       Executive Director Hiring Update
Bjorn reported on the status of the hiring process.  He reported that we made 
an informal offer on Tuesday.  We will have subsequent discussions with the 
candidate next Tuesday, after which we'll write up a formal offer if all 
parties agree to do so.


10.   Future Events
Mike Leszcz reviewed the foundation events calendar, which is at 
https://openid.net/foundation/calendar-of-events/.


11.   Financial Updates
eBay's membership payment was recently received.

