[Openid-specs-ab] Review of openid-connect-4-identity-assurance-04

Tom Jones thomasclinganjones at gmail.com
Sat Jun 15 01:49:24 UTC 2019


So these statements are in 800-63-3. It seems clear that the claimant could
present claims that were not {validated, attested, verified, registered,
whatever}.

* SP 800-63A sets requirements to achieve a given IAL. The three IALs
reflect the options agencies may select from based on their risk profile
and the potential harm caused by an attacker making a successful false
claim of an identity.
* A digital identity is always unique in the context of a digital service,
but does not necessarily need to uniquely identify the subject in all
contexts. In other words, accessing a digital service may not mean that the
subject’s real-life identity is known. Identity proofing establishes that a
subject is who they claim to be. Digital authentication is the process of
determining the *validity of one or more authenticators used to claim* a
digital identity.

Peace ..tom


On Fri, Jun 14, 2019 at 1:29 PM Anthony Nadalin <tonynad at microsoft.com>
wrote:

> It sure is; look at ISO documents and NIST documents.
>
> ------------------------------
> *From:* Tom Jones <thomasclinganjones at gmail.com>
> *Sent:* Friday, June 14, 2019 12:56:00 PM
> *To:* Artifact Binding/Connect Working Group
> *Cc:* Mike Jones; Torsten Lodderstedt; Anthony Nadalin
> *Subject:* Re: [Openid-specs-ab] Review of
> openid-connect-4-identity-assurance-04
>
> Tony: that's not the real world meaning of claim. A claim of title is not
> a title. It is only a title when it is recognized and registered. So a more
> historically accurate term would be a registered claim.
>
> thx ..Tom (mobile)
>
> On Fri, Jun 14, 2019, 9:48 AM Anthony Nadalin via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>> It’s not a claim then, it’s a statement, it does not matter who has the
>> claim, the issuer or the beholder, it’s still in doubt. I don’t understand
>> enough of the “verified” statement since the language is vague in the
>> specification, is it the provenance of the data or the truth of the data?
>>
>>
>>
>> *From:* Mike Jones <Michael.Jones at microsoft.com>
>> *Sent:* Friday, June 14, 2019 9:45 AM
>> *To:* Anthony Nadalin <tonynad at microsoft.com>; Artifact Binding/Connect
>> Working Group <openid-specs-ab at lists.openid.net>; Torsten Lodderstedt <
>> torsten at lodderstedt.net>
>> *Subject:* Re: Review of openid-connect-4-identity-assurance-04
>>
>>
>>
>> A claim is a statement made by the issuer. A verified claim is one with
>> evidence backing it beyond the veracity of the issuer.
>>
>> Doubt or belief are both properties of the beholder - not the issuer.
>>
>> -- Mike
>> ------------------------------
>>
>> *From:* Anthony Nadalin
>> *Sent:* Friday, June 14, 2019 6:44:29 PM
>> *To:* Artifact Binding/Connect Working Group; Torsten Lodderstedt
>> *Cc:* Mike Jones
>> *Subject:* RE: Review of openid-connect-4-identity-assurance-04
>>
>>
>>
>> A claim is something in doubt, how can you have a verified claim?
>>
>>
>>
>> *From:* Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> *On
>> Behalf Of *Mike Jones via Openid-specs-ab
>> *Sent:* Friday, June 14, 2019 8:42 AM
>> *To:* Torsten Lodderstedt <torsten at lodderstedt.net>
>> *Cc:* Mike Jones <Michael.Jones at microsoft.com>;
>> openid-specs-ab at lists.openid.net
>> *Subject:* Re: [Openid-specs-ab] Review of
>> openid-connect-4-identity-assurance-04
>>
>>
>>
>> I agree with "verified_claims".
>>
>> Thanks!
>>
>> -- Mike
>> ------------------------------
>>
>> *From:* Torsten Lodderstedt <torsten at lodderstedt.net>
>> *Sent:* Friday, June 14, 2019 5:47:17 PM
>> *To:* Mike Jones
>> *Cc:* Daniel Fett; openid-specs-ab at lists.openid.net
>> *Subject:* Re: Review of openid-connect-4-identity-assurance-04
>>
>>
>>
>> Hi Mike,
>>
>> Thanks a lot for your substantial feedback.
>>
>> While I'm incorporating it, I would like to sort out one question:
>>
>> > On 1. Jun 2019, at 02:16, Mike Jones <Michael.Jones at microsoft.com> wrote:
>> >
>> > All Sections:  Generalize kinds of verified claims.  The most important
>> > issue is to generalize the goal of the document from defining how to use
>> > “verified person data” to defining how to use “verified data”.  This work
>> > isn’t happening in a vacuum.  There are other efforts to define
>> > representations of verified claims in the industry, including
>> > https://w3c.github.io/vc-data-model/, that take this more general
>> > approach, but propose much more complicated data representations that are
>> > not based on JWTs.  It would be highly beneficial to have a simple general
>> > JWT-based “verified data” representation that is general-purpose.  Indeed,
>> > that’s the possibility that excites me about this work.  Don’t get me wrong
>> > – I believe that all the particulars for verified people data can and
>> > should remain.  The main concrete change needed is to rename
>> > “verified_person_data” to “verified_data”.
>>
>> I think “verified_claims” would fit even better. What do you think?
>>
>> best regards,
>> Torsten.
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>