06 January 2025

Attendees

  • Brian McInnis, Long Tailed Leopard

  • Christian Paquin, Microsoft

  • Daniel Zellmer, Noosphere Technologies

  • Eric Scouten, Adobe

  • Gavin Peacock, Adobe

  • Hans Granqvist, Noosphere

  • Jeremy Uzan, Universal Music

  • Makki Elfatih, HKDolts

  • Michael Klein, Adobe

  • Nigel Earnshaw, BBC

  • Peleus Uhley, Adobe

  • Philippe Mougin, AFP

  • Philippe Rixhon, JPEG Trust

  • Richard W. Kroon, EIDR

  • Scott Perry, Digital Governance Institute

  • Tim Cappalli, Okta

Meeting notes

New members introduction

  • 🎥 1'07": Philippe Mougin, AFP

Schedule / logistical announcements

🎥 4'05": Schedule updates affecting meetings later this month.

  • 20 January 2025 postponed to 21 January 2025 (US MLK holiday)

  • 27 January 2025 rescheduled for APAC time

    • 1800 US Pacific (Monday)

    • 0200 UTC (Tuesday 28 Jan)

    • 0730 India (Tuesday)

    • 1300 Sydney, Australia (Tuesday)

Review previous action items

🎥 5'25": Reviewed action items from previous two meetings.

From 16 December 2024 meeting

All PRs updated, issues closed as per previous meeting. PR #203 will be discussed later.

From 03 December 2024 meeting

  • ACTION: Eric to review current revocation mechanisms and draft a PR describing at least one preferred revocation mechanism. → DONE: See PR #204 on today’s agenda.

  • ACTION: Eric to follow up on feedback provided by Philippe on more concrete examples for how "constrained" might be defined in the training and data mining assertion. → TRACKING: Filed as issue #7: Provide a better definition of constrained.

PR #203: Add optional method field for describing the technique used to verify account/URI control

PR Overview: Eric described the PR as focusing on improving transparency in how the identity claims aggregator verifies identity signals, including editorial changes and renaming verification methods for clarity.

Verification Methods: Since the last meeting, Eric renamed two fields to provide clearer descriptions of the techniques used.

Security Concerns: Peleus raised concerns about the security of using meta tags for verification, noting that while it is a standard method, it may be susceptible to attacks. Eric acknowledged the trade-offs between accessibility and security.

Name Confusion: The roles played by the identity claims aggregator, identity provider, and named actor are not immediately clear to people reading this spec.

ACTION: Eric to revise PR to:

  • Look for a more generic "federated authentication" name than the existing cawg.oauth2. (Review discussion at 🎥 18'40".)

  • Clarify which identity signals are self-asserted (DNS, meta tag, etc.) vs asserted by a third party (e-mail, federated). (Review discussion at 🎥 18'40" in which Tim introduces the concept of direct vs delegated verification.)

  • Clarify who is the identity provider in the third party cases. (Review discussion at 🎥 28'38".)

ACTION: Brian McInnis to add a cawg.webauthn option. (This can be a separate PR.)

PR #204: Add section on credential status / revocation

ACTION: Eric to create new PR to contemplate maximum lifetime of verifications? (Review discussion at 🎥 32'21".)

This is a new PR, so we’ll discuss it further next week.

PR #205: Finalize URI for ICA context and schema

🎥 36'05": Reviewed new PR #205: Finalize URI for ICA context and schema.

ACTION: (✅) Eric to merge PR #205.