March 6, 2019 OpenID Board Meeting Minutes

Present:
Don Thibeau, Executive Director
Mike Jones
John Bradley
Nat Sakimura
Adam Dawes
Takao Kojima
Bjorn Hjelm

Present on the Phone:
George Fletcher
Dale Olds

Absent:
Amit Dhingra
Takehisa Shibata

Visitors:
Mike Leszcz, OIDF
Tom Smedinghoff, Locke Lord LLP


1.       Welcoming New Members
Janrain just rejoined as a sustaining member.  (They have not yet appointed a 
board representative.)


2.       Certification Program Update
The certification program expansion to include FAPI certification starting on 
April 1st and new pricing was announced at 
https://openid.net/2019/02/21/openid-certification-program-expansion-and-fee-update/.
  The new pricing is intended to put the certification program on a 
self-funding basis.  Nov Matake has updated the certification management code 
to be ready for this.
The Open Banking Implementation Entity (OBIE) plans to pre-purchase 15 FAPI 
certifications for their members.  That money will help the OpenID Foundation 
fund the launch of FAPI certification.
We have added several new certification contractors to the team.  That means 
there is backup for all roles.
We are on track for the April 1st launch of FAPI Core certifications.
The availability of third party login tests has been announced to the OpenID 
Connect working group.  This tests the functionality specified in 
https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin, 
which enables another party to request that an RP log in with an OP.  (This 
provides functionality that can be used in the same use cases as SAML 
IdP-initiated login.)  To date, Mike Jones isn't aware of anyone having tested 
them yet.  A decision has also been made to progress the Form Post Response 
Mode tests from pilot to production status.
Roland Hedberg is working on certification tests for the three logout 
specifications (Session Management, Front-Channel Logout, and Back-Channel 
Logout) plus RP-Initiated Logout.  They should be ready for people to start 
testing within a few weeks.

3.       Libraries Program Update
We plan to use directed funding to bootstrap the libraries program.  The 
initial libraries are OpenID Connect RP implementations in Python, Java, and 
JavaScript.  These are branded "JWTConnect".
We want to be confident that these libraries will be well-maintained and have 
resources behind them.  These particular libraries are projects of the OpenID 
Connect working group.
Don reported on how both the Linux Foundation and the Apache Foundation develop 
and govern libraries.  For instance, in the Linux Foundation, libraries become 
a distinct project with distinct funding.  Like the OpenID Foundation, the 
Apache Foundation works hard to protect its brand.
We want there to be a maintenance team for each library.  For instance, the 
Python JWTConnect libraries have a team of maintainers who review pull 
requests, etc.  It's not just a single developer.
George suggested that we should refine the working group processes for 
maintaining their libraries.  For instance, apparently one of the AppAuth 
libraries needs a new maintainer.
Mike Jones stated that he doesn't want us to be paying maintainers by default, 
although he's OK with us making business decisions to do so on a case-by-case 
basis.  Among other considerations, employees of some companies are prohibited 
from taking outside money for projects that are also part of their day jobs.
We already have a Contribution License Agreement (CLA) for contributing code to 
working groups.  Working groups are our IPR containers both for specifications 
and for code.
We agreed that we don't want to create a new IPR container because that would 
take both significant time and money.  We agreed that describing best practices 
for managing library projects would be beneficial.  Nat suggested that Adam 
lead a committee to draft some of this.  Adam pointed out that there is a whole 
range of possibilities.  He used the analogy "How much does a house cost?  It 
depends upon what kind of house you want."  We all agreed that there will have 
to be community and member buy-in for any specific library project to be 
successful.
Action Item: The board asked Adam, in conjunction with George and Don, to 
create concrete recommendations for how library projects should be managed and 
to report those recommendations at the next board meeting.
We touched on the possibility of eventually adding other kinds of libraries to 
the libraries program.  We agreed that we should walk before we try to run - 
initially demonstrating that we are successfully managing libraries for 
strategic OpenID specifications before we consider taking on other kinds of 
libraries.

4.       Federation Initiative Update
The Federation draft has been updated by Roland Hedberg and Andreas Solberg to 
address review feedback received.  Working group review of the current draft is 
being solicited.
Roland will be presenting about the state of the federation work at the TNC19 
conference in Estonia in June.  We hope to have stable, well-reviewed specs by 
that point, leading to prototype implementations and interop testing.

5.       Liaison Update
New FinTech liaisons are in process with the Financial Data Exchange (US banks) 
and the Financial Data and Technology Association (a global organization).  We 
plan to do a joint whitepaper with the FDX.


6.       Account Chooser
At the last Executive Committee call, Adam suggested that we plan for orderly 
deprecation of accountchooser.com and shutting down the Account Chooser working 
group.  He communicated this proposal to the Account Chooser working group to 
seek comments.  No one objected to the plan.  Adam described ways in which the 
working group's ideas have been positively employed in real deployments.  John pointed 
out that the W3C Credential Manager API also accomplishes a lot of what Account 
Chooser wanted to enable.  John said that we could put a positive spin on the 
closing of the working group by pointing out that much of the working group's 
mission was accomplished, albeit by influencing others rather than directly.


7.       Upcoming Calendar Highlights
There will be an OpenID Workshop at Verizon Media on April 29th (the day before 
IIW).  There is an OpenID Workshop on May 14th and a board meeting on May 15th 
at EIC.


8.       Financial Update
We are on sound financial ground.  We have funding for all the planned 
initiatives for this year, plus a reserve fund.


9.       Membership
We are slowly gaining members but we are susceptible to ongoing consolidation 
in the identity industry.


10.   RISC Production Deployment
Adam reported that Google deployed Risk and Incident Sharing and Coordination 
(RISC) to production in February.  They are actively sending signals to 
multiple other parties, including Adobe.  They use a click-through legal 
contract.  The OIDF plans to make a blog post about this.
