[Openid-specs-ab] Issue #1229: Adoption of the "OpenID Connect for W3C Verifiable Credential Objects" (openid/connect)

Tom Jones thomasclinganjones at gmail.com
Mon May 10 21:52:57 UTC 2021


Thanks Alex and Nat. I was able to include your input with stuff I had
already collected. It turns out that OIDC claims (note the usage) that
"claim" is defined in RFC 7519 and then has a range of conflicting use
cases.  The point isn't that one is better, but that no one seems to agree,
even within the usage of a single document.

Credential has the same problem, only worse.  As I understand the current
best practice, credentials providing identifier information should never be
provided by the user (which is the much derided password use case). Now
credentials are to be held by the user and only proof of possession is to
be provided to the relying party. After all, any information that is
shared, even by two parties, is no longer a secret. If we are to move
forward to a more secure credential, they must never be exposed by the user
under any circumstance.

https://tcwiki.azurewebsites.net/index.php?title=Claim

Be the change you want to see in the world ..tom


On Mon, May 10, 2021 at 11:28 AM Nat Sakimura <nat at nat.consulting> wrote:

> Tom,
>
> "claim" is a defined term in OIDC Core 1.0.
>
> Best,
>
> Nat
>
> On Tue, May 11, 2021 at 1:29 AM Tom Jones via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>> I have a problem when using ccg definitions with the existing standards.
>> This is openID not ccg.
>>
>> I don't believe that your definition of claim matches the existing use in
>> computer security or in common language.  Per m-w:
>> a: a right to something; specifically: a title to a debt, privilege, or
>> other thing in the possession of another. "The bank has a claim on their
>> house."
>> b: an assertion *open to challenge*: "a claim of authenticity"; "advertisers'
>> extravagant claims"
>>
>> Be the change you want to see in the world ..tom
>>
>>
>> On Mon, May 10, 2021 at 9:00 AM David Chadwick via Openid-specs-ab <
>> openid-specs-ab at lists.openid.net> wrote:
>>
>>> We do not need to provide definitions as they already exist in the W3C
>>> VC Data Model Recommendation, so we can simply reference them. They are:
>>>
>>> claim: An assertion made about a subject
>>> <https://www.w3.org/TR/vc-data-model/#dfn-subjects>.
>>>
>>> credential: A set of one or more claims
>>> <https://www.w3.org/TR/vc-data-model/#dfn-claims> made by an issuer
>>> <https://www.w3.org/TR/vc-data-model/#dfn-issuers>. A verifiable
>>> credential is a tamper-evident credential that has authorship that can
>>> be cryptographically verified.
>>>
>>> You will note that the W3C recommendation does not say anything about
>>> what the assertion may be, but if you look it up in a dictionary you will
>>> get something like
>>>
>>> Assertion - a positive statement or declaration, often without support
>>> or reason
>>>
>>> Please tell me what is unclear about the above
>>>
>>> Kind regards
>>>
>>> David
>>>
>>>
>>> On 10/05/2021 16:36, Tom Jones via Openid-specs-ab wrote:
>>>
>>> And I find the lack of clarity to be extremely rude and disrespectful of
>>> any sort of meaningful conversation about the issues. If you have a better
>>> definition of claim, please let us hear it.
>>>
>>> thx ..Tom (mobile)
>>>
>>> On Mon, May 10, 2021, 8:28 AM Oliver Terbu via Openid-specs-ab <
>>> openid-specs-ab at lists.openid.net> wrote:
>>>
>>>> This is another example of an extremely rude and disrespectful tone by
>>>> the same person:
>>>>
>>>> "I want clarity of language. Right now we just have a claim = some crap
>>>> and credential = a pile of crap."
>>>> http://lists.openid.net/pipermail/openid-specs-ab/2021-May/008233.html
>>>>
>>>> Oliver
>>>>
>>>> On Mon, 10 May 2021 at 14:39, Kristina Yasuda via Openid-specs-ab <
>>>> openid-specs-ab at lists.openid.net> wrote:
>>>>
>>>>> Thank you, Nat.
>>>>>
>>>>> As promised, I wanted to outline the relationship between "OpenID
>>>>> Connect for W3C Verifiable Credential Objects" (OIDC4VCO) draft and other
>>>>> existing drafts. (point 2 in this issue)
>>>>> ※ Note that there was a proposal to rename the draft  "OpenID Connect
>>>>> for W3C Verifiable Presentations", but I will use OIDC4VCO abbreviation
>>>>> for now.
>>>>>
>>>>>
>>>>>    - Relationship with OpenID Connect Core: OIDC4VCO uses mechanisms
>>>>>    already defined in OIDC Core, and does not introduce any breaking changes.
>>>>>    - Relationship with SIOP V2 draft: SIOP V2 draft will refer to the
>>>>>    OIDC4VCO draft wrt how W3C verifiable presentations (VPs) can be
>>>>>    transported using SIOP model, since OIDC4VCO draft defines a generic way
>>>>>    how W3C VPs can be used with various OIDC flows including SIOP V2.
>>>>>    - Relationship with Claims Aggregation draft (and Credential
>>>>>    Provider draft once contributed): these drafts will be used by the OP to
>>>>>    receive credentials from the Claims Provider, so that the OP will be able
>>>>>    to present received credentials to the RP using OIDC4VCO draft. These
>>>>>    drafts should be aligned as much as possible.
>>>>>    - Relationship with DIF Presentation Exchange (PE) draft: DIF PE
>>>>>    draft could be used as part of the request syntax in OIDC4VCO draft, which
>>>>>    can be discussed once OIDC4VCO draft is adopted. DIF PE is a query language
>>>>>    that is protocol agnostic, and it does not replace OIDC4VCO draft.
>>>>>
>>>>> This is an initial summary and additional input from the
>>>>> editors/working group is very welcome.
>>>>>
>>>>> A work item to enable transporting W3C VPs using OpenID Connect, will
>>>>> most likely not be successful outside OpenID Foundation AB/C Working Group,
>>>>> because that is where the collective OpenID Connect expertise
>>>>> resides.
>>>>>
>>>>> Best,
>>>>> Kristina
>>>>>
>>>>>
>>>>> ------------------------------
>>>>> *From:* Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> on
>>>>> behalf of Nat via Openid-specs-ab <openid-specs-ab at lists.openid.net>
>>>>> *Sent:* May 7, 2021 0:55
>>>>> *To:* openid-specs-ab at lists.openid.net <
>>>>> openid-specs-ab at lists.openid.net>
>>>>> *CC:* Nat <issues-reply at bitbucket.org>
>>>>> *Subject:* [Openid-specs-ab] Issue #1229: Adoption of the "OpenID Connect
>>>>> for W3C Verifiable Credential Objects" (openid/connect)
>>>>>
>>>>> New issue 1229: Adoption of the "OpenID Connect for W3C Verifiable
>>>>> Credential Objects"
>>>>>
>>>>> https://bitbucket.org/openid/connect/issues/1229/adoption-of-the-openid-connect-for-w3c
>>>>>
>>>>> Nat Sakimura:
>>>>>
>>>>> SIOP SC recommended the adoption of "OpenID Connect for W3C
>>>>> Verifiable Credential Objects" [1] as a working group item.
>>>>>
>>>>> [1] http://lists.openid.net/pipermail/openid-specs-ab/attachments/20210505/a198527a/attachment-0001.pdf
>>>>>
>>>>> Some concerns were expressed by a few WG members.
>>>>>
>>>>> This ticket is to give an opportunity for those members to express
>>>>> their concerns and proposers to reply to them.
>>>>>
>>>>> There are a few criteria for non-adoption of documents: namely
>>>>>
>>>>> 1. If the draft does not fall into the scope of the WG.
>>>>> 2. If the draft is overlapping with existing drafts, the technical
>>>>> content should be raised as an issue and eventually result in PR rather
>>>>> than starting a new draft.
>>>>>
>>>>>     1. NOTE: A non-overlapping portion can be made as an independent
>>>>> document so proposers should consider creating such.
>>>>>
>>>>> 3. If there is a legal or reputational risk for the OIDF in adopting
>>>>> the document. \(The board may intervene on this ground.\)
>>>>>
>>>>> If the issues are only on the technical nature of the proposed draft
>>>>> that does not fall into the above criteria, then, it should be dealt with
>>>>> during and after the adoption of the document.
>>>>>
>>>>> _______________________________________________
>>>>> Openid-specs-ab mailing list
>>>>> Openid-specs-ab at lists.openid.net
>>>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>>>
>>>>
>>>
>>>
>>>
>>
>
>
> --
> Nat Sakimura
> NAT.Consulting LLC
>