[{"author": "Aaron Parecki", "text": "<p>Day 3 here we go!</p>", "time": "2023-11-10T12:02:31Z"}, {"author": "Justin Richer", "text": "<p>Token buckets: <a href=\"https://www.ietf.org/archive/id/draft-richer-wimse-token-container-00.html\">https://www.ietf.org/archive/id/draft-richer-wimse-token-container-00.html</a></p>", "time": "2023-11-10T12:14:16Z"}, {"author": "Aaron Parecki", "text": "<p>FYI we are 13 minutes behind schedule now</p>", "time": "2023-11-10T12:33:56Z"}, {"author": "Brian Campbell", "text": "<p>:)</p>", "time": "2023-11-10T12:35:28Z"}, {"author": "Aaron Parecki", "text": "<p>congrats Pieter, we made up 5 minutes on the schedule</p>", "time": "2023-11-10T12:50:36Z"}, {"author": "John Andersen", "text": "<p>In this model, couldn't the AS be within the client? Since we already trust it due to it's attestation result?</p>", "time": "2023-11-10T12:56:55Z"}, {"author": "John Andersen", "text": "<p>Not always, just as an option. Or does that break some guarantees I'm not seeing</p>", "time": "2023-11-10T12:58:05Z"}, {"author": "Justin Richer", "text": "<p>attestation shouldn't be authentication</p>", "time": "2023-11-10T13:04:28Z"}, {"author": "Justin Richer", "text": "<p>we should allow attestation on endpoints that also authenticate the client</p>", "time": "2023-11-10T13:04:48Z"}, {"author": "Jacob Ideskog", "text": "<p>I strongly agree :)</p>", "time": "2023-11-10T13:04:56Z"}, {"author": "Aaron Parecki", "text": "<p>that is what I keep saying</p>", "time": "2023-11-10T13:05:52Z"}, {"author": "Jacob Ideskog", "text": "<p>in mobile scenarious attestation is a provenance proof and sometimes more. but that doesn't note equate client authentication. Proving that the app is the right app,  serves the same function as the redirect URI does in the code flow (to some extent)</p>", "time": "2023-11-10T13:07:08Z"}, {"author": "George Fletcher", "text": "<p>Section 9.8 explicitly calls out that it is NOT RECOMMENDED to leverage this draft for SPAs</p>", "time": "2023-11-10T13:26:44Z"}, {"author": "Jacob Ideskog", "text": "<p><span class=\"user-mention\" data-user-id=\"690\">@Kristina Yasuda</span> the one authenticator to use for third-party apps is for sure passkeys.<br>\n<span class=\"user-mention\" data-user-id=\"980\">@John Bradley</span> another \"challenge\" is that the AS needs to whitelist the applications in the well-known for the web-credentials, smaller issue, but more than just registering the app</p>", "time": "2023-11-10T13:38:33Z"}, {"author": "Jacob Ideskog", "text": "<p>forgive me for my ignorance, but doesn't the OIDC Backchannel Logout specification talk about how the OP tells the RPs to logout, I don't remember it having a mechanism for a client to request a logout at the OP?</p>", "time": "2023-11-10T14:00:58Z"}]