[Openid-specs-ab] MTI section in Messages Draft 15

John Bradley ve7jtb at ve7jtb.com
Wed Jan 30 21:41:01 UTC 2013


I understand that from a simplicity point of view only scopes is easier,

Though Google currently stringing together a long list of URI in scopes to represent individual claims is not any more elegent.

This separates the fine grained claims with parameters e.g. age over x  in the request object from the core grain scopes that can't have structure. 

The other issues revolve around needing signed requests for higher LoA (I know most people don't care), the authentication context (though that can be set in registration).

I have always suspected that the request object as MTI would het push back.  

If we were to drop it from MTI then discovery would need to say if the IdP supports it.   I don't think that is the end of the world for IdP who don't care about the addition;l functionality.

However I would want to avoid having people invent other ways to encode claim requests that would not be interoperable.

John B.




On 2013-01-30, at 2:07 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:

> Interesting.  The point of the Request Object is to give RPs control over the information they’re asking for and receiving.  For instance, if all my RP wants is your first name and the Request Object isn’t supported, it would have to use “openid profile” to get your first name, which also comes with middle name, last name, full name, nickname, preferred_username, profile URL, picture URL, website URL, gender, birthdate, time zone, locale, and time last updated.  That seems like overkill and doesn’t minimize disclosure of information to the RP.
>  
> But I understand the simplicity/minimality argument for your position.
>  
> Let’s make this a discussion topic on tomorrow’s call.
>  
>                                                             Thanks,
>                                                             -- Mike
>  
> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Tim Bray
> Sent: Wednesday, January 30, 2013 8:40 AM
> To: <openid-specs-ab at lists.openid.net>
> Subject: [Openid-specs-ab] MTI section in Messages Draft 15
>  
> I refer to the material in http://openid.net/specs/openid-connect-messages-1_0.html#ImplementationConsiderations
> 
> We’ve been discussing this at some length and probably would not ship a OP conforming to this draft, because our plans do not include support for OpenID Request Objects.  It seems perfectly possible to implement an Internet-scale federated-login system with good interoperability, security, user-experience, and developer-experience properties, entirely without the use of Request Objects.  
> 
> Given this, why are they considered essential for the MTI section?  Absent Request Objects, our chances of shipping a conforming OP are pretty good.
> 
>   -Tim
>  
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130130/b9cfdd0c/attachment-0001.html>


More information about the Openid-specs-ab mailing list