[Openid-specs-igov] iGov Notes

Justin Richer jricher at mit.edu
Tue Jul 11 15:59:18 UTC 2017


I spent some time reading through the documents and had a few comments:

OAuth:
 - §2.1.3 should come earlier in the document, maybe even as its own upper-level section such as §2.1, shifting everything else down
 - §2.1.3.3 prohibits use of implicit or browser-based clients, but other parts of the document reference these flows. Also, this paragraph is very long and detailed for something that’s prohibited.
 - §2.1.5 says that all clients must have keys until the end, where it states one exception. This can probably be rearranged to be clearer.
 - §3.3 should mention PKCE parameters
 - §3.6 is about the protected resource and should go under §4 someplace

OIDC:
 - §2.1 “prompt” parameter with a single value is overly restrictive; the requirement should be removed or justified (I suggest removing it — it’s not explained and I don’t see a good reason for it anyway)
 - §3.1 should more strongly encourage the subject to be pairwise, with a forward note to the privacy considerations
 - §3.1 the optionality of nonce is not specified
 - §3.6 the vot discovery claim is unspecified. Suggest that we include and reference the trustmark claims from VoT section 6
 - §4.2 The scopes and their resulting claims need more explanation and examples. We need a data model and schema. If someone asks for “bio” do I respond with:
	“height”: “5’11”
or
	“height”: 180
or
	“tallness”: true
 - §5 the last paragraph needs to be removed or rewritten. Here we just want to justify why pairwise is a good idea — so explain that, don’t add more non-requirements.

 — Justin


More information about the Openid-specs-igov mailing list