IIW Week, the second week of a three-week whirlwind of events that began with SIDI Hub Tokyo last week, has now come to an end.
OpenID Foundation Workshop
First up is the OpenID Foundation Workshop on Monday afternoon.
As usual, Fujiei-san has already written an article so there is nothing I can add.
After this, there was a board meeting and a dinner for directors. I'll just post the dinner menu here.

IIW 39
IIW runs for three days, from Tuesday to Thursday. This also overlaps with Fujiei-san's schedule, so it's fine if you read IdM Laboratory.
The sessions that don't overlap are:
- (1-B) OAuth 101 (Aaron)
- (2-B) OpenID Connect 101 (Mike)
- (3-A) SD-JWT VC over proximity/offline (Lee, Cam, Torsten, John, Oliver, Kristina Yasuda)
- (6-N) FAPI 101 #openbanking #opendata (Daniel, Joseph, Nat)
- (8-I) Why is the OpenID Foundation hopping right now? An overview of the 14 work groups and community groups on now. (Nat Sakimura + Gail Hodges)
- (9-A) RP Authentication & Authorization (EUDIW) (Torsten Lodderstedt, Giuseppe, Dima)
I don't think there's any need to write about the 101 sessions or (8-I), so I'll just briefly write about (3-A) and (9-A).
(3-A) Proximity and Offline Presentation of SD-JWT VC (Lee, Cam, Torsten, John, Oliver, Kristina Yasuda)
SD-JWT VC over proximity/offline
Issue: There is no way to present SD-JWT VC when the wallet is offline.
| | Offline (wallet) | Over the internet |
| --- | --- | --- |
| mdoc | 18013-5 | OID4VP (incl. Browser API) |
| SD-JWT VC | What do we do here? | OID4VP (incl. Browser API) |
The options that seem to be available are as follows:
| | Extend ISO 18013-5 deviceRequest | Extend ISO 18013-5 OID4VP request | OID4VP over BLE | OID4VP with CTAP |
| --- | --- | --- | --- | --- |
| Standard body | ISO? | ISO? | OpenID? | FIDO |
| Device engagement/Channel establishment | QR or NFC | BLE? | QR or NFC | |
| Changes required | Extend deviceRequest/Response | Add OID4VP request / response | None? | NFC needs to be added (Happening anyway for cross device flows) |
| Deployment considerations | Aligned with 18013-5 existing deployments. Not aligned with OID4VP online presentation | Aligned with 18013-5 existing deployments. Not aligned with OID4VP online presentation | Aligned with OID4VP online presentation and existing CTAP deployments. Not aligned with 18013-5 existing deployments | |
| Feature parity between online and offline | N | N | Y | |
| Live implementations | YY | YY? | ? | Y growing VERY fast |
| Format | CBOR | JSON | JSON | |
| Built at | App level | App level | App level | OS or app level |
| Migration | not required | ? | required | required |
| Reliability | Y | Y | N | Y |
| | Standard extension can be done in ISO or outside of ISO | Standard extension can be done in ISO or outside of ISO | Couldn't use ISO | Secure tunnel between 2 devices. Can send arbitrary. Invocation: QR code goes through the cloud; NFC is possible but was taken out. QR code + BLE? Future UWB is possible. CTAP is available on almost all Android devices |
OID4VP with CTAP looks quite promising.
Considerations
- Bluetooth security and lack of stability
- IPR issues when extending ISO protocols
Topics covered included:
(9-A) RP Authentication & Authorization (EUDIW) (Torsten Lodderstedt, Giuseppe Di Marco)
RP Authentication & Authorization
Why is RP (Relying Party) Authentication Important?
Establishing a secure relationship with an RP is essential in a digital identity system for the following reasons:
- Ensuring legal transparency (mandated by law)
- To communicate with you as necessary and to carry out legal process
- Ensure that your data requests are appropriately scoped
Authentication and Authorization Mechanism
Handling PID (Person Identification Data) and EAA (Electronic Attestation of Attributes)
- Providers control data access through disclosure policies
- The policy must match the RP's role and authority credentials.
- Help users make informed decisions
Implementation Options
- X.509 Certificates
- OpenID Federation
- Proof using SD-JWT (Selective Disclosure JWT)
Italy's Case: Utilizing OpenID Federation
Italy has adopted a hierarchical trust model:
- Each entity declares its own configuration
- Italian cooperation → EU cooperation: a hierarchical structure
- Chain of trust for real-time policy management
- Trustmark Certification
Distinctive features
- Verifying authenticity with entity ID
- Standardizing the Query Language with DCQL
- Third-party credibility
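The scoping requirement noted above (an RP's request must stay within its role and authority, with the request expressed in DCQL) can be checked mechanically on the wallet or provider side. The following is an added example, not code from the session or from any EUDIW implementation; the authorisation record layout, the entity ID and the credential type identifiers are constructed assumptions, and only the DCQL query shape follows OID4VP.

```python
# Check a DCQL query against what an RP is authorised to request (added example).
# The authorisation record layout is hypothetical; only the DCQL query shape
# (credentials / id / format / meta.vct_values / claims[].path) follows OID4VP.

# Constructed sample: claim paths this RP is registered to request, per credential type.
RP_AUTHORISATION = {
    "rp_id": "https://rp.example",  # constructed entity ID
    "allowed": {"urn:example:pid:1": {("given_name",), ("family_name",),
                                      ("address", "country")}},
}

# Constructed sample DCQL query, as the RP would send it in a presentation request.
DCQL_QUERY = {"credentials": [
    {"id": "pid", "format": "dc+sd-jwt", "meta": {"vct_values": ["urn:example:pid:1"]},
     "claims": [{"path": ["given_name"]}, {"path": ["address", "country"]},
                {"path": ["birthdate"]}]},          # birthdate is not registered
    {"id": "diploma", "format": "dc+sd-jwt",
     "meta": {"vct_values": ["urn:example:diploma:1"]},  # type is not registered
     "claims": [{"path": ["degree"]}]},
]}


def out_of_scope(query, authorisation):
    """Return (credential query id, reason) pairs for everything the RP over-asks."""
    findings = []
    allowed = authorisation["allowed"]
    for cred in query.get("credentials", []):
        vcts = cred.get("meta", {}).get("vct_values", [])
        unknown = [v for v in vcts if v not in allowed]
        if not vcts or unknown:
            findings.append((cred["id"],
                             f"credential type not authorised: {unknown or 'unspecified'}"))
            continue
        # A claim must be permitted for every credential type the query could match.
        permitted = set.intersection(*(allowed[v] for v in vcts))
        for claim in cred.get("claims", []):
            path = tuple(claim["path"])
            if path not in permitted:
                findings.append((cred["id"],
                                 "claim not authorised: " + "/".join(map(str, path))))
    return findings


if __name__ == "__main__":
    for cred_id, reason in out_of_scope(DCQL_QUERY, RP_AUTHORISATION):
        print(f"{cred_id}: {reason}")
```

An empty result means the request stays inside the RP's registered scope; any finding is something to reject or surface to the user before consent.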
Issues to consider
Of particular note is the reality that not all RPs have legal personality. For example:
- International Research Collaboration Projects
- Multi-jurisdictional organizations
Other
Of course, there were also side meetings.
- A secret story that can't be revealed now (Wednesday night)
- Regarding EUDIW sub value etc. (Thursday)
- CFPB response meeting with FAPI Co-Chair Anoop Saxena (Thursday evening)
- Dinner meeting about BGIN (Thursday night)
- Meeting with Drummond Reed about the Global Acceptance Network (Friday Breakfast Meeting)
- Meeting with Edmund Jay (Friday afternoon)
- etc
I was the last person to leave IIW this time. Here's the photo as proof.

While I was having a remote meeting with Anoop, everyone went out for a beer.
See you next week!