April 25, 2022 OpenID Board Meeting Notes

Attending In Person: Nat Sakimura, George Fletcher, Vittorio Bertocci, Don Thibeau, Mike Jones, Mike Leszcz, Nancy Cam-Winget, John Bradley, Gail Hodges, Kosuke Koiwai

Attending Remotely: Asish Jain, Bjorn Hjelm, Wes Dunnington, Takehisa Shibata, Takao Kojima, Luis Da Silva

Absent: Filip Verley

Guests Attending In Person: Debbie Bucci - Equideum Health; Lori Jordan - Visa; Torsten Lodderstedt - yes.com

1. Health Landscape and OpenID Opportunities

Debbie Bucci addressed the board on this topic. IHE coordinates the use of existing standards to address specific clinical needs. HL7 is another relevant ANSI-accredited standards body that focuses on the sharing and management of health data. Both organizations have liaison or special agreements that permit them to share their profiles/standards with ISO TC 215 for consideration. She suspects there may be some work to extend 27001/27002 for domain-specific activities not necessarily covered under TC 215, but she has yet to locate anything specific as of our meeting.

She said that there are a lot of opportunities to contribute to the health standards space. OIDF may consider liaison agreements with either IHE or HL7 to directly impact work that is in progress at the pilot stage and still evolving. She said that having so much optionality will not get you to true interoperability. There are a number of ongoing efforts that require interoperability in exchanging health data, both at the network-of-networks layer and in enabling patients/consumers to manage their data directly.

Gail asked if the board had feedback for Debbie on her investigations. Vittorio said that he felt any investigation into GNAP would be a distraction. Gail is hoping that the healthcare community will not create its own protocol standards. We talked about consent and authorization. Vittorio suggested looking at the Kantara consent receipt work. Nat said that some of that has been brought to ISO. Debbie asked about the status of FAPI 2. Nat said that the security analysis work is starting. Torsten said that there's a spec for explicit consent management/grant management.

2. Discussion on GAIN

Torsten talked with us about GAIN. He said that a community group is different from a standards effort. He said that they have a very diverse group of participants, which is a value in itself. What's missing is something to manage networks of providers. Torsten said that there's substantial participation in GAIN by people from the SSI community. Torsten said that we can contribute to interoperability in that space.

Torsten told us about conversations in the EU about interoperability of identity systems. He said that he's telling them that using multiple credential formats will hurt interoperability, and that interoperability will be helped by using OpenID Connect between the wallet and other parties. Gail and Torsten are hoping for some pilots to be up and running this year. The community group started in March. It took several months to create the participation agreement. The community group has two alternating meeting times that work well for different jurisdictions.

Don said that he thinks OIX was very conservative in estimating that projects will take 2-3 years. He hopes that OIX and OIDF can find a middle ground together. Torsten talked about interoperation between trust frameworks. Torsten said that RPs are being slow to implement. Torsten said that the test networks are using no data about actual people, in part to avoid legal and privacy issues. John surmised that those building components likely have theories about how they will eventually monetize their participation. Torsten said that providers seem more enthusiastic than RPs, possibly because they expect to be able to monetize providing the data. Vittorio asked whether it would be possible to put a small slice into production, possibly with only one OP and one RP. Torsten said that technically yes, but the RP might wonder why they want to enter production with only one OP. Torsten is working on several non-regulated identity verification use cases, for instance identity verification for domain name registration. GAIN has participation from Microsoft, Meeco, and InfoCert, which have incompatible wallet formats.

3. Discussion: Global Initiatives - EU Digital Wallet Initiative & OECD Privacy Enhancing Technologies (PETs)

Torsten talked about tensions among different groups developing wallet formats. He talked about the EU wallet initiative and participation by member states. He said that there is an expert commission. There's a tender to work on the EU Wallet standard. There's a short timeline for providing feedback on an OECD document on privacy enhancements. Mark Haine has been working on that.

4. OIDF Strategy and Initiative Progress

There are a half dozen whitepapers being worked on. The Open Banking / Open Data whitepaper is published and is having a very positive response.

5. Marketing

Mike Leszcz let us know that the strategy taskforce solidified much of the strategy and messaging being worked on. That will inform our messaging. Carla Roncato is gathering data to prepare recommendations for a website update. Carla is considering how we can enhance our strategic social media presence.

6. Kim Cameron Identity Award Pilot

We agreed to provide travel funding to three recipients to EIC. Our accountant suggested several tweaks, which we have implemented. He suggested adding a "per diem" update to our expense policy. There was an update to the airfare policy. Submissions are due at the end of today. We will review submissions on Wednesday morning prior to IIW. Mike, for the record, applauded Don's direction to honor Kim with something that makes a difference, rather than just standing on stage and talking about him.

7. Resolution to Approve Updated Travel and Expense Policy

The resolution was unanimously approved.

8. Budget Report

John gave us a budget report. We are slightly over budgeted amounts on legal fees. Our projected cash at end of year is above $700,000. Full financials are available for review in the membership dashboard. Mike Leszcz talked about the mechanics of paying the OIDF Japan chapter its share of designated member dues, if requested by OIDF-J. We are sponsoring Identiverse. Microsoft allocated a longstanding directed funds balance to have the OpenID Foundation support the OAuth Security Workshop (OSW).

9. Emerging Issues and Opportunities

We already discussed the identity award pilot. George reported that the browser changes conversations are frustrating, as breaking changes that will break redirect-based identity protocols appear to still be on the horizon. Vittorio said that he's a big believer in the market correcting problems itself. Vittorio advocated helping the industry move from SAML to OpenID Connect, because while Connect can be ready for the changes, SAML deployments will likely break in unfixable ways. George considers WebCM to be a new identity protocol being written by non-identity people. John expressed that once these things are baked into the browsers, our ability to maneuver will largely be gone. Nancy asked whether we can have a security review, and said that there should be a well-defined threat model. Gail asked if it was time for us to take additional actions. Vittorio thought that a letter won't be effective until something breaks. Nancy thinks that education is very important; she's seeing privacy changes that break security. Vittorio and Nancy talked about highlighting the interdependencies between browsers and identity. Mike said that our open letter to Apple was successful because it contained actionable feedback that was clearly in Apple's best interest. Apple did take the actions identified. Mike said that any letter we write on the proposed browser changes should aspire to be similarly actionable.
Attachment: Draft April 25, 2022 OpenID Board Meeting Notes.docx
_______________________________________________ board mailing list [email protected] https://lists.openid.net/mailman/listinfo/openid-board
