<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Each alias might have a different issuer/scope.<div class=""><br class=""></div><div class="">Email is also tricky, as foreign emails are often used as the username.</div><div class=""><br class=""></div><div class="">That email address used as a name may or may not be validated.  </div><div class=""><br class=""></div><div class="">I still have a test Facebook account with an email as the login name that has never been validated after nearly two years.</div><div class=""><br class=""></div><div class="">So is talking about “self-issued@hotmail.com” scope Facebook the same as <a href="http://sef-issued.com" class="">sef-issued.com</a> scope google vs scope Microsoft the same or different?</div><div class=""><br class=""></div><div class="">Are some usernames with issuers and only the MS scoped one a real email?</div><div class=""><br class=""></div><div class="">In general you have an identifier string of some sort scoped to a responsible authority.</div><div class="">I don’t really care if you want to have </div><div class="">{"val": "self-issued@hotmail.com", "scope": "Facebook", "type": "email"}</div><div class=""><br class=""></div><div class="">Or create specific claims that combine type and val.</div><div class=""><br class=""></div><div class="">I suspect that having it be an object will allow for cleanly adding other meta-data later.</div><div class=""><br class=""></div><div class="">I do think that it is a new claim separate from the existing sub, and needs the context of who is the responsible authority for the identifier or it will get very messy.</div><div class=""><br class=""></div><div class="">John B.</div><div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Aug 3, 2017, at 4:36 PM, Marius 
Scurtescu <<a href="mailto:mscurtescu@google.com" class="">mscurtescu@google.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="gmail_extra"><div class="gmail_quote">On Thu, Aug 3, 2017 at 12:02 PM, John Bradley <span dir="ltr" class=""><<a href="mailto:ve7jtb@ve7jtb.com" target="_blank" class="cremed">ve7jtb@ve7jtb.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class="">Alias or aka <div class=""><br class=""></div><div class="">I am issuer foo and the subject is bar in my context.   I also know them as “<a href="mailto:self-issued@hotmail.com" target="_blank" class="cremed">self-issued@hotmail.com</a><span class="">” in the context of Facebook and +15555551235 in the context of phone number.</span></div><div class=""><br class=""></div><div class="">That leaves the current definitions of sub and iss unchanged.</div></div></blockquote><div class=""><br class=""></div><div class="">All the different ways the identity can be referred to must be defined by the profile. 
Right?</div><div class=""><br class=""></div><div class="">For the RISC profile I had in mind:</div><div class="">- iss+sub</div><div class="">- email</div><div class="">- phone_number</div><div class=""><br class=""></div><div class="">Obviously this is inspired by OpenID Connect, the same claims can be present in an Id Token.</div><div class=""><br class=""></div><div class="">If the above makes sense, then not sure if an array is needed.</div><div class=""><br class=""></div><div class=""><br class=""></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class=""><div class=""><br class=""></div><div class="">John B.</div><div class=""><div class="h5"><div class=""><br class=""><div class=""><blockquote type="cite" class=""><div class="">On Aug 3, 2017, at 2:57 PM, Phil Hunt (IDM) <<a href="mailto:phil.hunt@oracle.com" target="_blank" class="cremed">phil.hunt@oracle.com</a>> wrote:</div><br class="m_922368068620098186Apple-interchange-newline"><div class=""><div dir="auto" class=""><div class="">Agreed. 
<br class=""><br class="">Phil</div><div class=""><br class="">On Aug 3, 2017, at 11:56 AM, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" target="_blank" class="cremed">ve7jtb@ve7jtb.com</a>> wrote:<br class=""><br class=""></div><blockquote type="cite" class=""><div class="">Identity or whatever it is called may actually want to be an array, as there might be multiple synonyms.<div class=""><br class=""></div><div class="">That is why I was thinking of it more as an alias of sub + iss.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><div class=""><blockquote type="cite" class=""><div class="">On Aug 3, 2017, at 1:49 PM, Marius Scurtescu <<a href="mailto:mscurtescu@google.com" target="_blank" class="cremed">mscurtescu@google.com</a>> wrote:</div><br class="m_922368068620098186Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="gmail_extra"><div class="gmail_quote">On Thu, Aug 3, 2017 at 10:39 AM, Phil Hunt <span dir="ltr" class=""><<a href="mailto:phil.hunt@oracle.com" class="cremed m_922368068620098186gmail-cremed m_922368068620098186cremed" target="_blank">phil.hunt@oracle.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word" class="">yes.  
Instead of using “sub”  you might define an attribute “identity” and it could be used as follows:<div class=""><br class=""></div><div class="">"identity":{</div><div class="">  "typ":"oidc",</div><div class="">  "sub":"8100552e17554422b6207b7bd7a9bc76",</div><div class="">  "iss":"<a href="http://myidp.example.com/" class="cremed m_922368068620098186gmail-cremed m_922368068620098186cremed" target="_blank">myidp.example.com</a>"</div><div class="">}</div><div class=""><br class=""></div><div class="">Or:</div><div class=""><br class=""></div><div class="">"identity":{</div><div class="">  "typ":"scim",</div><div class="">  "$ref":"<a href="https://scim.example.com/Users/8100552e17554422b6207b7bd7a9bc76" class="cremed m_922368068620098186gmail-cremed m_922368068620098186cremed" target="_blank">https://scim.example.com/Users/8100552e17554422b6207b7bd7a9bc76</a>"</div><div class="">}</div><div class=""><br class=""></div><div class="">Or</div><div class=""><br class=""></div><div class="">(not sure these are the right claims, but you might include some claims from MODRNA like carrier identifiers if they are available)</div><div class="">"identity":{</div><div class="">  "typ":"phone",</div><div class="">  "telephoneNumber":"+16041234567",</div><div class="">  "carrier": &lt;somevalue&gt;</div><div class="">}</div><div class=""><br class=""></div><div class="">"identity":{</div><div class="">  "typ":"emails",</div><div class="">  "mail":"<a href="mailto:john.doe@example.com" class="cremed m_922368068620098186gmail-cremed m_922368068620098186cremed" target="_blank">john.doe@example.com</a>"</div><div class="">}</div><div class=""><br class=""></div><div class="">Note “identity” could be used at the top level or embedded in events payload.  Top level if there is a need to have multiple event types expressed at once.  
Or, if part of the core spec to provide a consistent pattern for identifiers and to establish a registry of identifier types.  Regardless, at the top level “identity” would have to be registered as a JWT claim.</div></div></blockquote><div class=""><br class=""></div><div class="">This is a separate discussion we should have; I was proposing something different here, but I was trying to focus on the issuer conflict first.</div><div class=""><br class=""></div><div class="">That being said, I don't see why a typ claim is needed here. We can use the exact same claims as in an Id Token. SCIM needs a different profile than RISC.</div><div class=""><br class=""></div><div class="">Your examples from above using Id Token claims (minus the SCIM example):</div><div class=""><br class=""></div><div class=""><font face="monospace, monospace" class="">"identity":{</font></div><div class=""><font face="monospace, monospace" class="">  "sub":"8100552e17554422b6207b7bd7a9bc76",<br class=""></font></div><div class=""><font face="monospace, monospace" class="">  "iss":"<a href="http://myidp.example.com/" target="_blank" class="cremed">myidp.example.com</a>"</font></div><div class=""><font face="monospace, monospace" class="">}</font></div><div class=""><font face="monospace, monospace" class=""><br class=""></font></div><div class=""><div class=""><font face="monospace, monospace" class="">"identity":{</font></div><div class=""><span style="font-family:monospace,monospace" class="">  "phone_number":"+</span><span style="font-family:monospace,monospace" class="">16041234567"</span><br class=""></div><div class=""><span style="font-family:monospace,monospace" class="">}</span><br class=""></div><div class=""><font face="monospace, monospace" class=""><br class=""></font></div><div class=""><font face="monospace, monospace" class="">"identity":{</font></div><div class=""><span style="font-family:monospace,monospace" class="">  "email":"</span><span 
style="font-family:monospace,monospace" class=""><a href="mailto:john.doe@example.com" target="_blank" class="cremed">john.doe@example.com</a></span><span style="font-family:monospace,monospace" class="">"</span><br class=""></div><div class=""><font face="monospace, monospace" class="">}</font></div></div><div class=""><br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word" class=""><div class=""><span class="m_922368068620098186gmail-"><br class=""><div class="">
<div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" class=""><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" class=""><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" class=""><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" class=""><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" class=""><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" class=""><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" class=""><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" class=""><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" class=""><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" class=""><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" class=""><div class=""><span class="m_922368068620098186gmail-m_-2518339591068322597Apple-style-span" style="border-collapse:separate;line-height:normal"><div style="word-wrap:break-word" class=""><div class=""><div class=""><div class="">Phil</div><div class=""><br class=""></div><div class="">Oracle 
Corporation, Identity Cloud Services Architect & Standards</div><div class="">@independentid</div><div class=""><a href="http://www.independentid.com/" class="cremed m_922368068620098186gmail-cremed m_922368068620098186cremed" target="_blank">www.independentid.com</a></div></div></div></div></span><a href="mailto:phil.hunt@oracle.com" class="cremed m_922368068620098186gmail-cremed m_922368068620098186cremed" target="_blank">phil.hunt@oracle.com</a></div></div></div></div></div></div></div></div></div></div></div></div>
</div>
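The "identity" shapes proposed above (Phil's typed object, Marius's plain ID Token claims, and the val/scope/type object from the message at the top of this thread) all need the same thing on the receiving end: exactly one subject, keyed under the authority that is responsible for that identifier, which is the point John makes about scoping. The following Python is an added example and is not code from this thread or from any SET/RISC implementation; the trusted-issuer set, the `resolve_subject` and `subject_key` names, and the rule that an unscoped email or phone identifier is keyed under the SET's own issuer are assumptions of the example.

```python
import json
import re
from typing import NamedTuple

# Constructed sample: subject issuers this receiver has a trust relationship
# with. A "sub" scoped to any other issuer is rejected rather than guessed at.
TRUSTED_SUBJECT_ISSUERS = {"https://myidp.example.com", "myidp.example.com"}

E164 = re.compile(r"^\+[1-9]\d{6,14}$")

# Claim names used by the shapes in the thread, mapped to one vocabulary.
_EMAIL_KEYS = ("email", "mail")                   # Marius / Phil
_PHONE_KEYS = ("phone_number", "telephoneNumber")  # Marius / Phil
_TYPE_TO_KEY = {"email": "email", "phone": "phone_number"}   # John's "type"
_TYP_TO_KIND = {"oidc": "iss_sub", "email": "email", "emails": "email",
                "phone": "phone"}                  # Phil's "typ"


class ScopedSubject(NamedTuple):
    """A subject identifier plus the authority responsible for it."""
    kind: str       # "iss_sub", "email" or "phone"
    authority: str  # who vouches for the value
    value: str


def _flatten(identity: dict) -> dict:
    """Turn the {"val","scope","type"} shape into named claims; pass others through."""
    if "val" in identity and "type" in identity:
        key = _TYPE_TO_KEY.get(identity["type"])
        if key is None:
            raise ValueError(f"unsupported identifier type {identity['type']!r}")
        flat = {key: identity["val"]}
        if "scope" in identity:
            flat["scope"] = identity["scope"]
        return flat
    return identity


def resolve_subject(identity: dict, set_issuer: str) -> ScopedSubject:
    """Return the single ScopedSubject an "identity" claim denotes, or raise.

    set_issuer is the SET's top-level "iss". Assumption of this example: an
    email or phone identifier without its own "scope" is vouched for by the
    transmitter, so it is keyed under set_issuer.
    """
    claims = _flatten(identity)
    found = []

    if "sub" in claims:
        issuer = claims.get("iss")
        if not issuer:
            raise ValueError("sub without iss has no responsible authority")
        if issuer not in TRUSTED_SUBJECT_ISSUERS:
            raise ValueError(f"untrusted subject issuer {issuer!r}")
        found.append(ScopedSubject("iss_sub", issuer, str(claims["sub"])))

    for key in _EMAIL_KEYS:
        if key in claims:
            # Syntax check only: as noted in the thread, an email used as a
            # login name may never have been validated by the scoping party.
            addr = str(claims[key]).strip().lower()  # case-folding is this example's choice
            local, _, domain = addr.partition("@")
            if not local or "." not in domain:
                raise ValueError(f"malformed email {claims[key]!r}")
            found.append(ScopedSubject("email", claims.get("scope", set_issuer), addr))

    for key in _PHONE_KEYS:
        if key in claims:
            number = str(claims[key])
            if not E164.fullmatch(number):
                raise ValueError(f"phone number {number!r} is not E.164")
            found.append(ScopedSubject("phone", claims.get("scope", set_issuer), number))

    if len(found) != 1:
        raise ValueError(f"expected exactly one subject identifier, got {len(found)}")

    typ = claims.get("typ")
    if typ is not None:
        expected = _TYP_TO_KIND.get(typ)
        if expected is None:
            raise ValueError(f"unsupported identity typ {typ!r}")
        if expected != found[0].kind:
            raise ValueError(f"typ {typ!r} does not match the identifier present")
    return found[0]


def subject_key(identity: dict, set_issuer: str) -> str:
    """Stable lookup key; the same person seen via two authorities stays distinct."""
    s = resolve_subject(identity, set_issuer)
    return f"{s.kind}|{s.authority}|{s.value}"


if __name__ == "__main__":
    # Constructed inputs in the three shapes discussed in the thread.
    samples = [
        {"typ": "oidc", "sub": "8100552e17554422b6207b7bd7a9bc76", "iss": "myidp.example.com"},
        {"email": "John.Doe@example.com"},
        {"val": "self-issued@hotmail.com", "scope": "Facebook", "type": "email"},
        {"typ": "phone", "telephoneNumber": "+16041234567"},
    ]
    for s in samples:
        print(json.dumps(s), "->", subject_key(s, "https://tr.example.com"))
```

Rejecting an "identity" that carries two identifiers, or a "sub" whose issuer the receiver does not know, is deliberate: acting on a sessions-revoked or tokens-revoked event against the wrong account is worse than dropping the event and logging it.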
<br class=""></span><div class=""><div class="m_922368068620098186gmail-h5"><div class=""><blockquote type="cite" class=""><div class="">On Aug 3, 2017, at 10:28 AM, Marius Scurtescu <<a href="mailto:mscurtescu@google.com" class="cremed m_922368068620098186gmail-cremed m_922368068620098186cremed" target="_blank">mscurtescu@google.com</a>> wrote:</div><br class="m_922368068620098186gmail-m_-2518339591068322597Apple-interchange-newline"><div class=""><div dir="ltr" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" class=""><div class="gmail_extra"><div class="gmail_quote">On Thu, Aug 3, 2017 at 9:42 AM, John Bradley<span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span><span dir="ltr" class=""><<a href="mailto:ve7jtb@ve7jtb.com" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">ve7jtb@ve7jtb.com</a>></span><span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>wrote:<br class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word" class="">I guess in principle sub could be a dictionary with a val and other meta data like an optional issuer.<div class=""><br class=""></div><div class="">We do that with sub in <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__openid.net_specs_openid-2Dconnect-2Dcore-2D1-5F0.html-23IndividualClaimsRequests&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=0XvWuopUa1rUzdTHlWsUVZI7PePtDaGu3VrMUlwE2yU&s=VzfByRviJEJHNZfefEzIWK8KsuPhKsf_RXi6eOTxbeI&e=" class="m_922368068620098186gmail-cremed 
m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">Connect claims requests</a>.</div><div class=""><br class=""></div><div class="">However, in responses sub is defined in </div><div class=""><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc7519-23section-2D4.1.2&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=0XvWuopUa1rUzdTHlWsUVZI7PePtDaGu3VrMUlwE2yU&s=5GZBJpUnQsgSTinzQRg5GLOPDs6YuqtEr_PEMy9JsMQ&e=" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">https://tools.ietf.org/html/rfc7519#section-4.1.2</a> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>as a string.</div><div class=""><br class=""></div><div class="">One option might be to have a new claim, sub-d, that is a dictionary that you could use when you need a more complicated sub with a SubjectNameIdFormat and scope.   
How could that go wrong? :)</div></div></blockquote><div class=""><br class=""></div><div class="">That is option 3, right?</div><div class=""> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word" class=""><div class=""><br class=""></div><div class="">John B.</div><div class=""><div class="m_922368068620098186gmail-m_-2518339591068322597h5"><div class=""><br class=""></div><div class=""> <br class=""><div class=""><blockquote type="cite" class=""><div class="">On Aug 3, 2017, at 12:19 PM, Phil Hunt (IDM) <<a href="mailto:phil.hunt@oracle.com" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">phil.hunt@oracle.com</a>> wrote:</div><br class="m_922368068620098186gmail-m_-2518339591068322597m_1134046780769059888Apple-interchange-newline"><div class=""><div dir="auto" class=""><div class="">Let's not forget that we also have cases where subject is identified by email or telephone or other identifier (implicit fed cases). </div><div class=""><br class=""></div><div class="">RISC needs to have a subject type attribute to inform parsers how to identify the subject. The next question is whether sub gets re-used as a general purpose attribute or whether specific attributes are used for each type (email, telephone). <br class=""><br class="">In solving this broader requirement the sub/iss problem may also be resolved. 
</div><div class=""><br class="">Phil</div><div class=""><br class="">On Aug 3, 2017, at 1:52 AM, Nat Sakimura <<a href="mailto:sakimura@gmail.com" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">sakimura@gmail.com</a>> wrote:<br class=""><br class=""></div><blockquote type="cite" class=""><div class=""><p dir="ltr" class="">My preference: If all SETs only support a single iss/sub pair, then 1. If a SET can have events for multiple iss/sub pairs, then 2.<span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span></p><br class=""><div class="gmail_quote"><div dir="ltr" class="">On Thu, Aug 3, 2017 at 7:49, Marius Scurtescu <<a href="mailto:mscurtescu@google.com" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">mscurtescu@google.com</a>>:<br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr" class="">Each SET profile must define or clarify several aspects of the specs. For RISC most of these must only be specified (like key resolution), but there is at least one issue for which we don't have an agreed-on solution.<div class=""><br class=""></div><div class="">In some use cases the issuer of the SET is different from the issuer of the subject identifier, and at least in those cases there cannot be only one top level "iss" claim.</div><div class=""><br class=""></div><div class="">Here are the proposals I am aware of to solve this issue:</div><div class=""><br class=""></div><div class="">1. Move iss+sub to the event level. 
The drawback of this approach is redundancy when multiple events are present in the SET.</div><div class=""><br class=""></div><div class=""><div class=""><font face="monospace, monospace" class="">{</font></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"jti": "3d0c3cf797584bd193bd0fb1bd4e7<wbr class="">d30",</font></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"iat": 1458496025,</font></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"iss": "<a href="https://tr.example.com/" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">https://tr.example.com</a>",</font></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"aud": "</font><span style="font-family:monospace,monospace" class=""><a href="https://rv.example.com/" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">https://rv.example.com/</a>",</span><br class=""></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"events": {</font></div><div class=""><font face="monospace, monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"urn:ietf:params:risc:event:<wbr class="">sessions-revoked":</font></div><div class=""><font face="monospace, monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> 
</span>{</font></div><div class=""><font face="monospace, monospace" class="">     <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"iss": "<a href="https://example.com/" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">https://example.com</a>",</font></div><div class=""><span style="font-family:monospace,monospace" class="">     <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"sub": "47635747",</span><br class=""></div><div class=""><span style="font-family:monospace,monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>},</span><br class=""></div><div class=""><font face="monospace, monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"urn:ietf:params:risc:event:<wbr class="">tokens-revoked":</font></div><div class=""><font face="monospace, monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>{</font></div><div class=""><font face="monospace, monospace" class="">     <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"iss": "<a href="https://example.com/" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">https://example.com</a>",</font></div><div class=""><span style="font-family:monospace,monospace" class="">     <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"sub": "47635747",</span><br class=""></div><div class=""><span style="font-family:monospace,monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>}</span><br class=""></div><div class=""><font 
face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>}</font></div><div class=""><span style="font-family:monospace,monospace" class="">}</span><br class=""></div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">1.1 Move only the subject "iss" to the event level and leave "sub" at the top level (next to the SET "iss"). I find this solution very confusing.</div><div class=""><br class=""></div><div class=""><div class=""><font face="monospace, monospace" class="">{</font></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"jti": "3d0c3cf797584bd193bd0fb1bd4e7<wbr class="">d30",</font></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"iat": 1458496025,</font></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"iss": "<a href="https://tr.example.com/" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">https://tr.example.com</a>",</font></div><div class=""><span style="font-family:monospace,monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"sub": "47635747",</span><br class=""></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"aud": "</font><span style="font-family:monospace,monospace" class=""><a href="https://rv.example.com/" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" 
target="_blank">https://rv.example.com/</a>",</span></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"events": {</font></div><div class=""><font face="monospace, monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"urn:ietf:params:risc:event:<wbr class="">sessions-revoked":</font></div><div class=""><font face="monospace, monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>{</font></div><div class=""><font face="monospace, monospace" class="">     <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"iss": "<a href="https://example.com/" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">https://example.com</a>",</font></div><div class=""><span style="font-family:monospace,monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>},</span><br class=""></div><div class=""><font face="monospace, monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"urn:ietf:params:risc:event:<wbr class="">tokens-revoked":</font></div><div class=""><font face="monospace, monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>{</font></div><div class=""><font face="monospace, monospace" class="">     <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"iss": "<a href="https://example.com/" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">https://example.com</a>",</font></div><div class=""><span 
style="font-family:monospace,monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>}</span><br class=""></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>}</font></div><div class=""><span style="font-family:monospace,monospace" class="">}</span></div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">2. Move iss+sub immediately under the "events" claim. No redundancy in this case.</div><div class=""><br class=""></div><div class=""><div class=""><font face="monospace, monospace" class="">{</font></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"jti": "3d0c3cf797584bd193bd0fb1bd4e7<wbr class="">d30",</font></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"iat": 1458496025,</font></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"iss": "<a href="https://tr.example.com/" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">https://tr.example.com</a>",</font></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"aud": "</font><span style="font-family:monospace,monospace" class=""><a href="https://rv.example.com/" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">https://rv.example.com/</a>",</span><br class=""></div><div class=""><font face="monospace, monospace" 
class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"events": {</font></div><div class=""><font face="monospace, monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"iss": "<a href="https://example.com/" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">https://example.com</a>",</font></div><div class=""><span style="font-family:monospace,monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"sub": "47635747",</span><br class=""></div><div class=""><font face="monospace, monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"urn:ietf:params:risc:event:<wbr class="">sessions-revoked": </font><font face="monospace, monospace" class="">{</font><span style="font-family:monospace,monospace" class="">},</span></div><div class=""><font face="monospace, monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"urn:ietf:params:risc:event:<wbr class="">tokens-revoked": </font><font face="monospace, monospace" class="">{</font><span style="font-family:monospace,monospace" class="">}</span></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>}</font></div><div class=""><span style="font-family:monospace,monospace" class="">}</span></div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">3. 
Move iss+sub to a new nested claim.</div><div class=""><br class=""></div><div class=""><div class=""><font face="monospace, monospace" class="">{</font></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"jti": "3d0c3cf797584bd193bd0fb1bd4e7<wbr class="">d30",</font></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"iat": 1458496025,</font></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"iss": "<a href="https://tr.example.com/" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">https://tr.example.com</a>",</font></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"aud": "</font><span style="font-family:monospace,monospace" class=""><a href="https://rv.example.com/" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">https://rv.example.com/</a>",</span><br class=""></div><div class=""><span style="font-family:monospace,monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"target": {</span></div><div class=""><font face="monospace, monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"iss": "<a href="https://example.com/" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">https://example.com</a>",</font></div><div class=""><span 
style="font-family:monospace,monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"sub": "47635747",</span><br class=""></div><div class=""><span style="font-family:monospace,monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>},</span></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"events": {</font></div><div class=""><font face="monospace, monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"urn:ietf:params:risc:event:<wbr class="">sessions-revoked": </font><font face="monospace, monospace" class="">{</font><span style="font-family:monospace,monospace" class="">},</span><br class=""></div><div class=""><font face="monospace, monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"urn:ietf:params:risc:event:<wbr class="">tokens-revoked": </font><font face="monospace, monospace" class="">{</font><span style="font-family:monospace,monospace" class="">}</span></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>}</font></div><div class=""><span style="font-family:monospace,monospace" class="">}</span></div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">4. 
Define a new top level issuer claim either for the SET or for the subject.</div><div class=""><br class=""></div><div class=""><div class=""><font face="monospace, monospace" class="">{</font></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"jti": "3d0c3cf797584bd193bd0fb1bd4e7<wbr class="">d30",</font></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"iat": 1458496025,</font></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"iss": "<a href="https://tr.example.com/" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">https://tr.example.com</a>",</font></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"iss-sub": "<a href="https://example.com/" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">https://example.com</a>",</font></div><div class=""><span style="font-family:monospace,monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"sub": "47635747",</span><br class=""></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"aud": "</font><span style="font-family:monospace,monospace" class=""><a href="https://rv.example.com/" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">https://rv.example.com/</a>",</span><br 
class=""></div><div class=""><span style="font-family:monospace,monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"events": {</span><br class=""></div><div class=""><font face="monospace, monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"urn:ietf:params:risc:event:<wbr class="">sessions-revoked": </font><font face="monospace, monospace" class="">{</font><span style="font-family:monospace,monospace" class="">},</span><br class=""></div><div class=""><font face="monospace, monospace" class="">   <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>"urn:ietf:params:risc:event:<wbr class="">tokens-revoked": </font><font face="monospace, monospace" class="">{</font><span style="font-family:monospace,monospace" class="">}</span></div><div class=""><font face="monospace, monospace" class=""> <span class="m_922368068620098186gmail-m_-2518339591068322597Apple-converted-space"> </span>}</font></div><div class=""><span style="font-family:monospace,monospace" class="">}</span></div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">An open question is if this new iss+sub solution should be always required or if a top level iss+sub should also be allowed (when there is no conflict). 
I vote for having only one way for simplicity.</div><div class=""><br class=""></div><div class="">Once we decide on a solution we can start working on the RISC profile draft.</div><div class=""><br class=""></div><div class="">Thoughts?</div><div class=""><br class=""></div><div class=""><div class="">Marius</div></div></div>
_______________________________________________<br class="">Openid-specs-risc mailing list<br class=""><a href="mailto:Openid-specs-risc@lists.openid.net" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">Openid-specs-risc@lists.openid.net</a><br class=""><a href="http://lists.openid.net/mailman/listinfo/openid-specs-risc" rel="noreferrer" class="m_922368068620098186gmail-cremed m_922368068620098186gmail-m_-2518339591068322597cremed m_922368068620098186cremed cremed" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-risc</a><br class=""></blockquote></div>
<div dir="ltr" class="">-- <br class=""></div><div class="m_922368068620098186gmail-m_-2518339591068322597m_1134046780769059888gmail_signature"><p dir="ltr" class="">Nat Sakimura</p><p dir="ltr" class="">Chairman of the Board, OpenID Foundation</p></div></div></blockquote>
</div></div></blockquote></div><br class=""></div></div></div></div>
</blockquote></div></div></div></div></blockquote></div><br class=""></div></div></div></div></blockquote></div><br class=""></div></div>
</div></blockquote></div><br class=""></div></div></blockquote></div></div></blockquote></div><br class=""></div></div></div></div></blockquote></div><br class=""></div></div>
</div></blockquote></div><br class=""></div></body></html>