[Openid-specs-igov] igov spec updated

[Mike Varley]

Hi Phil - on a call back on July 26th we discussed the UserInfo endpoint requirement:
basically we err'd on the side of - Make it a MUST, and privacy conscious ecosystems can just return a 'sub' field with the pairwise anonymous identifier from the id_token (and no other fields - so no new information is actually returned in the UserInfo call). 

Also, we couldn't (at the time) think of scenarios where it would be a SHALL NOT. But we didn't think long on it :)

If there are such scenarios, it's easy to change, we should just include the words to guide implementors on when they shall/should and shall not/should not.

MV




On 2016-08-22, 2:42 PM, "Phil Hunt (IDM)" <phil.hunt at oracle.com> wrote:

>What is the reasoning for making UserInfo a MUST? I can see arguments for making it unavailable. For one many gov scenarios want to make sure tracking is not possible. So there may be scenarios that are SHALL NOT. 
>
>Phil
>
>> On Aug 22, 2016, at 11:09 AM, Mike Varley via Openid-specs-igov <openid-specs-igov at lists.openid.net> wrote:
>> 
>> Hello all - I have updated the igov-profile spec on bitbucket with the following:
>> 
>> - removed authMode parameter
>> - UserInfo endpoint support is now a MUST
>> - client_secret_jwt authentication mode added
>> 
>> And some "scopes" that should help governments in defining profiles for their users, while allowing for cross-jurisdictional introp. And ID. This section will need a lot of discussion I hope - I was deliberately brief.
>> 
>> Attached is an HTML version.
>> 
>> Talk to you tomorrow,
>> 
>> MV
>> 
>> <openid-igov-profile-08-22.html>
>> _______________________________________________
>> Openid-specs-igov mailing list
>> Openid-specs-igov at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-igov
>