[Openid-specs-risc] Fwd: Multi subject discuss?

Phil Hunt phil.hunt at oracle.com
Wed Dec 13 04:53:30 UTC 2017


Why must secevents define subjects?  I am ok with it being defined in risc. 

Especially if you believe JWTs and id tokens won't use it. 

Phil

> On Dec 12, 2017, at 4:34 PM, Marius Scurtescu <mscurtescu at google.com> wrote:
> 
> Comments inline...
> 
> On Tue, Dec 12, 2017 at 9:18 AM, Phil Hunt via Openid-specs-risc <openid-specs-risc at lists.openid.net> wrote:
>>> It has been raised by Marius on the secevents list that multi subjects in RISC SETs is a requirement which has not been discussed here. 
>>> 
>>> As we have not discussed this, I propose we do so. 
>>> 
>>> I have grave concerns about possible privacy implications, particularly if third party security providers are involved.
> 
> Agreed. The privacy implications are not major, but definitely a concern. Keep in mind that a transmitter will send only subjects that have already been disclosed to a receiver in a correlatable mode (Id Token or UserInfo API). The concern is that now this information is sent on a new channel and chances that correlated identifiers will be exposed increases.
> 
>>> I believe for any stream, transmitters and receivers must negotiate a single subject identifier to use. This can become a requirement for config eg as an extension to stream config  
> 
> Yes, I also think that stream configuration should allow receivers to specify the identifier they want to use and this would eliminate the need to send multiple ones.
> 
> But, in some cases receivers might not be able to specify only one identifier and the possibility to send multiple could still be needed.
> 
> For example, an RP might accept email or phone number as main account identifiers and when receiving an Id Token or SET the logic could be to try email first and if that fails then try phone number.
> 
> Thoughts?
> 
>>> PS: I also support a single profile option in stream config, per discussion with Annabelle.
> You mean that Annabelle also supports a stream config to specify one subject identifier (confused by "profile", typo?).
>  
>>> I also support a standard subject claim, but because of issues like multi subject, I do not support it being part of the main SET draft.
> To me it is critical to be in the main set draft. That would allow us to also add the subject type to the stream config and have one standard way to refer to subject types.
> 
>  
>>> I think standard subject is also useful for access tokens/id tokens and may pave the way for single subject sets in risc.
> I am not sure about access tokens and ID tokens. ID tokens already have a well-defined way to refer to subjects. Trying to come up with a generic solution for JWT would take a very long time, and for secevent implementations it is critical to have a common subject ASAP.
> 
>  
>>> 
>>> 
>>> Best,
>>> 
>>> Phil
>> 
>> _______________________________________________
>> Openid-specs-risc mailing list
>> Openid-specs-risc at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-risc
>> 
> 
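The two sides of the exchange above, a transmitter that strips a SET subject down to the identifier type negotiated in the stream config (the privacy mitigation Phil asks for) and a receiver that tries email first and falls back to phone number (Marius's case), as an added example that is not code from the thread or from any RISC draft. The shape of the subject object, the identifier key names and the account directory are assumptions.

```python
# Constructed SET subject carrying several correlatable identifiers.
# Assumption: a "subject" object with a "subject_type" field plus one key
# per identifier type; the real RISC draft may use different names.
MULTI_SUBJECT = {
    "subject_type": "email",
    "email": "alice@example.com",
    "phone_number": "+15551234567",
    "iss_sub": {"iss": "https://idp.example", "sub": "a1b2c3"},
}

# Constructed receiver directory keyed by (identifier type, value).
# Alice is only known here by phone number, so an email lookup misses.
DIRECTORY = {
    ("phone_number", "+15551234567"): "acct-42",
}


def minimize_subject(subject, negotiated_types):
    """Transmitter side: keep only identifier types the receiver negotiated
    in its stream configuration, so no extra correlatable identifiers are
    disclosed on the event channel."""
    kept = {k: v for k, v in subject.items() if k in negotiated_types}
    if not kept:
        raise ValueError("subject has none of the negotiated identifier types")
    # subject_type names the first negotiated type actually present
    kept["subject_type"] = next(t for t in negotiated_types if t in kept)
    return kept


def resolve_account(subject, lookup_order, directory):
    """Receiver side: try identifiers in the receiver's preferred order
    (e.g. email, then phone) and return the local account id, or None."""
    for id_type in lookup_order:
        value = subject.get(id_type)
        if value is None:
            continue
        # dict-valued identifiers (iss/sub pairs) are keyed as sorted tuples
        key_value = tuple(sorted(value.items())) if isinstance(value, dict) else value
        account = directory.get((id_type, key_value))
        if account is not None:
            return account
    return None


if __name__ == "__main__":
    # Full subject: email misses, phone number resolves the account.
    print(resolve_account(MULTI_SUBJECT, ["email", "phone_number"], DIRECTORY))
    # Minimized to email only: nothing else is sent, so the lookup fails.
    slim = minimize_subject(MULTI_SUBJECT, ["email"])
    print(slim, resolve_account(slim, ["email", "phone_number"], DIRECTORY))
```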