[Openid-specs-risc] Fwd: Multi subject discuss?

Marius Scurtescu mscurtescu at google.com
Wed Dec 13 00:34:37 UTC 2017

Comments inline...

On Tue, Dec 12, 2017 at 9:18 AM, Phil Hunt via Openid-specs-risc <
openid-specs-risc at lists.openid.net> wrote:

> It has been raised by Marius on the secevents list that multi subjects in
> risc sets is a requirement which has not been discussed here.
> As we have not discussed this, I propose we do so.
> I have grave concerns about possible privacy implications, particularly if
> third party security providers are involved.
Agreed. The privacy implications are not major, but definitely a concern.
Keep in mind that a transmitter will send only subjects that have already
been disclosed to a receiver in a correlatable mode (Id Token or UserInfo
API). The concern is that now this information is sent on a new channel and
chances that correlated identifiers will be exposed increases.

> I believe for any stream, transmitters and receivers must negotiate a
> single subject identifier to use. This can become a requirement for config
> e.g. as an extension to stream config
Yes, I also think that stream configuration should allow receivers to
specify the identifier they want to use and this would eliminate the need
to send multiple ones.

But, in some cases receivers might not be able to specify only one
identifier and the possibility to send multiple could still be needed.

For example, an RP might accept email or phone number as main account
identifiers and when receiving an Id Token or SET the logic could be to try
email first and if that fails then try phone number.


> PS I also support single profile option in stream config per discussion
> with Annabelle.
You mean that Annabelle also supports a stream config to specify one
subject identifier (confused by "profile", typo?).

> I also support a standard subject claim but because of issues like multi
> subject, i do not support it being part of the main set draft.
To me it is critical to be in the main set draft. That would allow us to
also add the subject type to the stream config and have one standard way to
refer to subject types.

> I think standard subject is also useful for access tokens/id tokens and
> may pave the way for single subject sets in risc.
I am not sure about access tokens and id tokens. Id tokens already have a
well-defined way to refer to subjects. Trying to come up with a generic
solution for JWT would take a very long time and for secevent
implementation it is critical to have a common subject ASAP.

> Best,
> Phil
> _______________________________________________
> Openid-specs-risc mailing list
> Openid-specs-risc at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-risc
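As an added illustration of the two mechanisms discussed above (not code from the thread, the RISC drafts, or either participant): a receiver that resolves a multi-subject SET by trying email first and then phone number, and a transmitter-side step that prunes the event down to the single subject type negotiated in the stream config so that already-correlatable identifiers are not re-exposed on the new channel. The `subject` claim layout (`format`, `aliases`, `email`, `phone_number`) is an assumption modelled on the later Subject Identifiers work, not something this 2017 thread defines; the event payload and account store are constructed sample data.

```python
"""Receiver-side subject resolution and transmitter-side pruning for a
multi-subject Security Event Token. Added example; the subject identifier
layout is an assumption, not defined by the thread above."""
from typing import Optional

# Constructed sample SET payload carrying several subject identifiers.
SAMPLE_SET = {
    "iss": "https://idp.example",
    "jti": "constructed-0001",
    "events": {"urn:example:risc:account-disabled": {}},  # placeholder event type
    "subject": {
        "format": "aliases",  # assumed multi-subject wrapper format
        "identifiers": [
            {"format": "email", "email": "alice@example.com"},
            {"format": "phone_number", "phone_number": "+12065550100"},
        ],
    },
}

# Constructed local account store at the receiving RP, keyed by identifier type.
ACCOUNTS = {
    "email": {"alice@example.com": "acct-42"},
    "phone_number": {"+12065550100": "acct-42", "+12065550199": "acct-77"},
}


def subject_identifiers(subject: dict) -> list:
    """Normalise a single identifier or an aliases bundle into a flat list."""
    if subject.get("format") == "aliases":
        return list(subject.get("identifiers", []))
    return [subject]


def identifier_value(ident: dict) -> Optional[str]:
    """The value field of an identifier is named after its format (assumed layout)."""
    return ident.get(ident.get("format"))


def resolve_account(set_payload: dict,
                    preference: tuple = ("email", "phone_number")) -> Optional[str]:
    """Try identifier types in the receiver's preferred order (email first,
    then phone number, as described in the thread) and stop at the first
    one that maps to a local account. Returns None when nothing matches."""
    by_format = {i.get("format"): i
                 for i in subject_identifiers(set_payload["subject"])}
    for fmt in preference:
        ident = by_format.get(fmt)
        if ident is None:
            continue
        account = ACCOUNTS.get(fmt, {}).get(identifier_value(ident))
        if account is not None:
            return account
    return None


def prune_to_stream_subject(set_payload: dict, negotiated_format: str) -> dict:
    """Transmitter side: once the stream config names one subject type, emit
    only that identifier so other correlatable identifiers are not sent on
    the event channel. Fails loudly rather than silently sending more."""
    matches = [i for i in subject_identifiers(set_payload["subject"])
               if i.get("format") == negotiated_format]
    if not matches:
        raise ValueError(f"no {negotiated_format} identifier available for this event")
    return {**set_payload, "subject": matches[0]}


if __name__ == "__main__":
    print("resolved:", resolve_account(SAMPLE_SET))
    pruned = prune_to_stream_subject(SAMPLE_SET, "phone_number")
    print("pruned subject:", pruned["subject"])
    print("resolved from pruned:", resolve_account(pruned))
```

The pruning step raises instead of falling back to sending every alias, which is the behaviour a transmitter wants once a single subject type has been negotiated; the receiver keeps its ordered fallback so it still works whether the stream delivers one identifier or several.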