From fa8fd9ee2a6b2416a7611eeb6d599683fdbdd753 Mon Sep 17 00:00:00 2001 From: "Dean H. Saxe - AWS Identity" <33666281+dhs-aws@users.noreply.github.com> Date: Tue, 16 Apr 2024 07:53:56 -0700 Subject: [PATCH] Agenda for April 16 meeting --- notes/20240416.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 notes/20240416.md diff --git a/notes/20240416.md b/notes/20240416.md new file mode 100644 index 0000000..42f51ea --- /dev/null +++ b/notes/20240416.md 
@@ -0,0 +1,22 @@ +**Agenda & Notes for April 16 2024** + +* Welcome + * "Token exchange: Specify a protocol for exchanging an incoming token of one format for a workload-specific WIMSE token at security boundaries (possibly based on RFC 8693). Additionally, this token exchange will require specifying as proposed standard a small set of token exchange profiles (mapping of claims) between existing and new WIMSE token formats." [WIMSE Charter](https://datatracker.ietf.org/doc/charter-ietf-wimse/) + * Weekly meetings - confirm meeting time works for everyone for the next few months, Dean to send out a meeting invitation + * Confirm everyone has access to [GitHub repo](https://github.com/dhs-aws/wimse-token-exch-design-team/) + * Weekly meeting notes to be stored in GitHub under the /notes folder + * Interim meeting scheduled for May 22 10:30 AM EDT (GMT-4). Need a volunteer to lead the token exchange discussion since I'll be working from Osaka + +* Intro from Evan - token exchange issues, considerations in SPIFFE, [draft use cases](https://datatracker.ietf.org/doc/draft-gilman-wimse-use-cases/) +* Getting Things Done - Workstreams + * Use Case development + * build off Evan's [draft use cases](https://datatracker.ietf.org/doc/draft-gilman-wimse-use-cases/) + * Token translation - SPIFFE to JWT, JWT to SPIFFE, etc. + * Do we know all the token types we wish to convert between? + * Or do we want to build a generic token translation mechanism and then profiles for X to Y, Y to Z, etc.? + * User mapping across domains - How does Workload User A at MSFT translate to a user in AWS/GCP? + * Do we need SCIM for both user and workload identities? + * How do we avoid static mappings which are hard to maintain in large environments? + * Security Considerations development + * Look into the [CSRB report on Microsoft](https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf) - can we reduce the risk of stolen signing keys/tokens? 
+ *
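Review bot: the hunk ends with an empty list item (`+ *` as the last line of notes/20240416.md), which renders as a blank bullet under "Security Considerations development"; either drop it or fill in the intended item. A smaller style point: the interim-meeting bullet is written in first person ("since I'll be working from Osaka") in a shared notes file, so name the person (an earlier bullet already refers to "Dean") to keep the notes readable to the rest of the team. Since that workstream asks whether the risk of stolen signing keys/tokens can be reduced, it is worth recording that whatever component performs the exchange described in the charter quote (issuing the workload-specific WIMSE token) holds the keys that sign those tokens and so falls inside the scope of that question.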