[Openid-specs-ab] amr vs acr

Nat Sakimura sakimura at gmail.com
Fri May 31 23:53:27 UTC 2013

s/ where acr gives more context to the values of acr. / where acr gives
more context to the values of amr. /

2013/6/1 Nat Sakimura <sakimura at gmail.com>

> I suppose you mean amr, not acm.
> I actually was not aware of amr till now. It seems it was a fairly quick
> decision made between March 4 and 6.
> See
> https://bitbucket.org/openid/connect/issue/789/make-acr-claim-values-be-arrays-of-acr
> At the time, I was so busy managing JICS 2013 that it went unnoticed by
> me.
> I also searched through the list archive, but I cannot find the topic in
> it. There is no record of the decision on the call notes either.
> Mike, could you point us to the record of how the WG decision was reached?
> Apparently, amr is the list of authentication methods, while acr is the
> indicator of the identity proofing and authentication quality.
> i.e., amr is just the list of such things as "password", "otp", etc.
> while acr is "InCommons Silver", "ISO29115 LoA 3", etc.
> Personally, I do not see much value in amr since it does not indicate any
> quality information. It may even be harmful when used without context in
> the sense that it may create a sense of false security for the relying
> parties. For example, "otp" by itself does not mean it is secure. An OTP
> system with a badly managed seed will generate a predictable sequence of "one
> time passwords", which is not secure at all. It would only be meaningful
> when there is an assurance that the system is properly managed. In this
> respect, amr may be meaningful as auxiliary information only when it is
> used with acr, where acr gives more context to the values of acr.
> I might want to require acr if amr is used, or drop amr, but that is only
> my personal opinion.
> 2013/6/1 Torsten Lodderstedt <torsten at lodderstedt.net>
>> Hi,
>> could someone please describe to me the difference between the id token
>> members acr and acm? From my understanding, they are just the same. I'm
>> also interested to learn why the authorization request allows specifying
>> multiple acrs but does not support specifying any authentication method
>> (via acm). Additionally, why is there no way to indicate more than one acr
>> in the id token?
>> Thanks in advance,
>> Torsten.
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en

Nat Sakimura (=nat)
Chairman, OpenID Foundation
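
Added example (not part of the original messages and not text from the OpenID Connect specification): a relying-party check that follows the distinction drawn in this thread, deciding on acr and treating amr only as auxiliary detail that must fit the claimed acr. It assumes an already signature-verified ID token in which acr is a single string and amr an array of strings; the acr URIs, the policy table and the function name are constructed for illustration.

```python
# Added example: RP-side policy that decides on acr and treats amr as
# auxiliary detail only. The acr URIs and the policy table are constructed.

# Hypothetical RP policy: accepted acr value -> methods the RP expects in amr
ACCEPTED_ACR = {
    "urn:example:loa:3": {"password", "otp"},
    "urn:example:loa:2": {"password"},
}


def evaluate_authn_claims(claims, accepted=ACCEPTED_ACR):
    """Return (ok, reason) for claims from an already verified ID token."""
    acr = claims.get("acr")
    amr = claims.get("amr")

    if amr is not None:
        if not isinstance(amr, list) or not all(isinstance(m, str) for m in amr):
            return False, "amr malformed"
    if acr is None:
        # "otp" alone says nothing about how the OTP system is managed.
        return False, "amr without acr" if amr else "acr missing"
    if not isinstance(acr, str):
        return False, "acr malformed"
    if acr not in accepted:
        return False, "acr not accepted"
    if amr is not None and not accepted[acr] <= set(amr):
        # acr gives context to amr: the methods must fit the claimed class.
        return False, "amr inconsistent with acr"
    return True, "ok"


if __name__ == "__main__":
    samples = [  # constructed claim sets
        {"acr": "urn:example:loa:3", "amr": ["password", "otp"]},
        {"amr": ["otp"]},
        {"acr": "urn:example:loa:3", "amr": ["password"]},
    ]
    for s in samples:
        print(s, "->", evaluate_authn_claims(s))
```
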