[Openid-specs-igov] iGov Meeting Notes 2016-08-23

Sarah Squire sarah at engageidentity.com
Tue Aug 23 15:53:01 UTC 2016


Attending:

John Bradley
Adam Cooper
Paul Grassi
Justin Richer
Mike Varley
Sarah Squire
Nat Sakimura

Mike went over his changes to the spec. He didn’t add anything about
holder-of-key or token binding. He did work on defining some scopes that
may be interesting for cross-jurisdiction use cases. “Authmode” was removed
from authorization request. It’s just a prompt field for now. There’s some
talk about using account chooser. Inclusion of the userinfo endpoint was
changed to a MUST because if necessary, it can only provide a pseudonymous
identifier. We should probably add that reasoning to the text.

In the use case document, there is some stuff about required attributes in
the userinfo endpoint. We should talk about that.

Does it make sense to have a “privacy considerations” section about what we
expect a privacy-preserving userinfo endpoint to do? Yes, let’s do that. We
can talk about how identifiers are created too.

Do we want to reference metadata claims from connect core? Yes, but we’ll
also want to define some sets that are specific to our use cases like
documents and biometrics.

How do we define a minimum set of claims? Well, not every identity provider
is going to have every claim. We need to make sure that we’re not
inadvertently making them incompatible because they didn’t collect the
right information. The relying party should always be prepared to get less
than it asked for. UK mandates name, date of birth, and place of birth.

Is there anything in the discovery spec that describes the claims available
at the userinfo endpoint? There has been discussion about putting in
information about additional claims, but nothing beyond that. There isn’t
anything that says “I support this claim, but not that claim.” There is
claim support, but it was intended for extensions. It could be used for
this. And we have to be clear that just because a claim is supported
doesn’t mean it’s available for all subjects.

Should we say that it’s required to publish your claim schema? Yes. Let’s
go with it for now, and see if we get pushback from anyone.

Should we say there’s a recommended minimum claim set to allow for
matching? We might want to add “place of birth” scope to the core connect
profile. UK has also found history of name and address to be helpful in
matching. Paul will look at what the standard bundles are in the US.

Another thing to consider is that the OIDC userinfo profile was designed to
transmit self-asserted data. We may want to transmit information about how
well vetted the attributes are. Do we allow every trust framework to do
their own standard of proofing? Or do we want to reduce the number of
attributes by allowing metadata for attribute vetting? We will need an
attribute level - how well was this person proofed? And an assertion level
- how sure are we that this attribute is accurate?

There is a NISTIR (NIST Internal Report 8112 Attribute Metadata
<https://pages.nist.gov/NISTIR-8112/NISTIR-8112.html>) on metadata about
attributes.

Mike will add some text about VoT and why it’s important. It would be in
the idtoken because it is about the authentication transaction.

We should talk about discovery and webfinger. We’ll add issues to the
bitbucket and talk about it on email.

We talked about account chooser as one way of doing discovery and using
token binding for maintaining LOA 4 across agencies with idtokens, which
the EAP working group is also working on.

How would account chooser work on Day 1? The static JavaScript would
introspect the local HTML5 storage and give them a list of account
options. “Bring your own NASCAR.” It’s not a replacement for webfinger.
It’s possible the user would have a new browser. At that point you’d fall
back to webfinger.

Sarah Squire
Engage Identity
http://engageidentity.com
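The discussion above about a minimum claim set, discovery's `claims_supported`, and a relying party that "should always be prepared to get less than it asked for" can be made concrete. The following is an added example and not text or code from the iGov working group: it separates claims the provider never advertises from claims advertised but absent for this subject, checks whether the minimum matching set is present, and verifies the userinfo `sub` against the id_token `sub` as OpenID Connect Core requires. All documents are constructed, and `place_of_birth` is an assumed claim name, not a standard OpenID Connect claim.

```python
"""Relying-party side handling of a userinfo response that may carry fewer
claims than were requested (constructed example, not iGov spec text)."""
import json

# Minimum matching set discussed in the notes. "place_of_birth" is not a
# standard OpenID Connect claim; it is an assumed name for this example.
MIN_MATCH_CLAIMS = {"name", "birthdate", "place_of_birth"}

# Constructed discovery document fragment (OpenID Connect Discovery 1.0
# publishes the claims a provider can return under "claims_supported").
DISCOVERY = json.loads('''{
  "issuer": "https://idp.example.gov",
  "claims_supported": ["sub", "name", "birthdate", "place_of_birth", "address"]
}''')

# Constructed "claims" authorization request parameter.
REQUESTED = {"userinfo": {"name": None, "birthdate": None,
                          "place_of_birth": None, "address": None,
                          "phone_number": None}}

# Constructed userinfo response: the provider never collected a place of
# birth for this subject, and "sub" is a pairwise pseudonymous identifier.
USERINFO = json.loads('''{
  "sub": "a7d4f1c2-pairwise-example", "name": "Alex Example",
  "birthdate": "1980-01-15", "address": {"country": "GB"}
}''')

def reconcile(requested, discovery, userinfo, id_token_sub):
    """Classify requested claims and decide whether matching can proceed."""
    # OpenID Connect Core: the RP must check the userinfo "sub" against the
    # id_token "sub"; a mismatch means the response is not for this user.
    if userinfo.get("sub") != id_token_sub:
        raise ValueError("userinfo sub does not match id_token sub")
    wanted = set(requested.get("userinfo", {}))
    supported = set(discovery.get("claims_supported", []))
    received = {k for k, v in userinfo.items() if v not in (None, "", {})}
    return {
        # never advertised by this provider: do not treat as an error
        "unsupported": sorted(wanted - supported),
        # advertised in discovery but absent for this subject (expected)
        "missing_for_subject": sorted((wanted & supported) - received),
        "received": sorted(wanted & received),
        "can_match": MIN_MATCH_CLAIMS <= received,
    }

if __name__ == "__main__":
    print(json.dumps(reconcile(REQUESTED, DISCOVERY, USERINFO,
                               "a7d4f1c2-pairwise-example"), indent=2))
```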