[Openid-specs-ab] Definition of required and optional claims? Handling?
Nat Sakimura
sakimura at gmail.com
Fri Apr 13 01:22:21 UTC 2012
As a side note, I was wondering what would be the meaning of "optional" claims.
Whether it is under the EU Privacy Directive and new regulation draft,
the U.S. Consumer Privacy Bill of Rights, or for that matter, ISO/IEC
29100 Privacy Framework, it is clearly spelled out that the data
collected must be minimized. This means that there can only be
required claims. The only permissible "optional claims" probably would
be in the case of "either this claim or that claim is required." For
example, either phone or email is required as a means of contact, etc.
Perhaps we should spell this out somewhere in the spec., something
like "privacy consideration" section in the Messages spec.
My bits of food for thought.
=nat
On Fri, Apr 13, 2012 at 9:25 AM, Henrik Biering <hb at peercraft.com> wrote:
> I strongly disagree with treating a missing required claim as an error!
>
> The ability to distinguish between required and optional claims is
> definitely useful for the IdP in order to clearly convey the client's policy
> for a specific action to the user. However, if the user disagrees with this
> policy - or has chosen to use another provider for some claims - it is a
> pure policy dispute matter that can only be resolved through a direct
> dialogue between the client and the user. Policy dispute resolution should
> be outside the scope of the protocol.
>
> One of the worst general implementation errors in OpenID 1 and 2 has been
> throwing unintelligible technical error messages in the ordinary user's face.
> So instead of further hinting developers to treat policy disputes as
> technical errors, it may be relevant to add informative notes as to when
> developers should consult their business responsible colleagues about
> relevant options and user dialogue.
>
> =henrik
>
> Den 11-04-2012 22:14, Mike Jones skrev:
>
>> If a required claim isn't available, that's an error. (It's not for
>> optional claims.) But looking at the list of errors in 2.1.4
>> http://openid.net/specs/openid-connect-messages-1_0-09.html#anchor8 we
>> haven't defined an error for that case. I suspect we should define one like
>> "required_claim_unavailable".
>>
>> What are others' thoughts?
>>
>> -- Mike
>>
>> -----Original Message-----
>> From: openid-specs-ab-bounces at lists.openid.net
>> [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Vladimir
>> Dzhuvinov / NimbusDS
>> Sent: Wednesday, April 11, 2012 2:36 AM
>> To: openid-specs-ab at lists.openid.net
>> Subject: [Openid-specs-ab] Definition of required and optional claims?
>> Handling?
>>
>> Several places in the spec (mostly on the OpenID request object) mention
>> "required claim" and "optional claim". I was kind of wondering what exactly
>> these are until I read section 5.1.3 on handling "acr" claim requests.
>>
>> http://openid.net/specs/openid-connect-messages-1_0-09.html#req.obj.veri
>>
>> Would it make sense to define "required claim" and "optional claim" in a
>> separate section? Also their handling, if it can be generalised?
>>
>> Right now I'm not sure about the difference between required and optional
>> UserInfo claim requests. How is a required UserInfo claim request to be
>> handled if the data isn't available on the server?
>>
>> Cheers,
>>
>> Vladimir
>> --
>> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
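The three positions in this thread (Mike: a missing required claim is a protocol error, perhaps "required_claim_unavailable"; Henrik: it is a policy dispute to be settled in a user dialogue, not a technical error; Nat: data minimisation means "optional" really only makes sense as "at least one of these"), expressed as a small IdP-side evaluator. This is an added example, not code from the thread or from the OpenID specifications. It assumes the draft-09 request-object claims syntax as I recall it (a claim mapped to null is required, to {"optional": true} is optional); the "one of these" groups are a hypothetical out-of-band RP policy, not a field the draft defines; the error code is the one Mike proposed, not a registered value.

```python
"""Added example (not from the thread or the OpenID specs): a minimal
evaluator for a request object's "userinfo" claims section.

Assumptions: draft-09 style claims syntax (null = required,
{"optional": true} = optional); "one of these" groups are a hypothetical
RP policy supplied out of band; "required_claim_unavailable" is the error
name proposed in the thread, not a registered code.
"""
import json

# Constructed sample: the "userinfo" part of a request object.
SAMPLE_REQUEST = json.loads("""
{
  "userinfo": {
    "claims": {
      "name": null,
      "email": null,
      "nickname": {"optional": true},
      "picture": {"optional": true}
    }
  }
}
""")

# Constructed sample: what the IdP holds for this user (no email, no picture).
SAMPLE_USER = {
    "sub": "248289761001",
    "name": "Jane Doe",
    "nickname": "jd",
    "phone_number": "+1 555 0100",
    "birthdate": "1970-01-01",
}


def classify_claims(claims_request):
    """Split a claims request into (required, optional) claim names.

    Anything that is not explicitly {"optional": true} counts as required,
    so a malformed member fails closed (treated as required) rather than open.
    """
    required, optional = [], []
    for name, spec in claims_request.items():
        if isinstance(spec, dict) and spec.get("optional") is True:
            optional.append(name)
        else:
            required.append(name)
    return required, optional


def evaluate(request_obj, user_record, one_of_groups=()):
    """Decide what the IdP can release for this request.

    Returns a dict with:
      released         - only claims that were requested AND are available
                         (data minimisation: unrequested data is never sent)
      missing_required - required claims the IdP cannot supply
      missing_groups   - hypothetical "at least one of" groups with no member
      status           - "ok" or "policy_dispute"
    Whether a "policy_dispute" becomes an error response (Mike's route) or a
    user dialogue (Henrik's route) is left to the caller.
    """
    claims_request = request_obj.get("userinfo", {}).get("claims", {})
    required, optional = classify_claims(claims_request)
    released, missing_required = {}, []
    for name in required:
        if name in user_record:
            released[name] = user_record[name]
        else:
            missing_required.append(name)
    for name in optional:
        if name in user_record:
            released[name] = user_record[name]
    missing_groups = [
        tuple(group) for group in one_of_groups
        if not any(name in released for name in group)
    ]
    ok = not missing_required and not missing_groups
    return {
        "released": released,
        "missing_required": missing_required,
        "missing_groups": missing_groups,
        "status": "ok" if ok else "policy_dispute",
    }


def to_error_response(result):
    """Render a policy dispute as the error proposed in the thread (not a
    registered code), for deployments that choose the error route."""
    if result["status"] == "ok":
        return None
    missing = list(result["missing_required"]) + [
        " or ".join(group) for group in result["missing_groups"]]
    return {
        "error": "required_claim_unavailable",
        "error_description": "unavailable: " + ", ".join(missing),
    }


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_REQUEST, SAMPLE_USER), indent=2))
```

With the constructed sample the evaluator releases only name and nickname, reports email as a missing required claim, and leaves birthdate and phone_number untouched because they were never requested. Listing email and phone_number as optional and passing ("email", "phone_number") as a one-of group reproduces Nat's "either this or that" case: the request succeeds when the user has a phone number and no email.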