[Openid-specs-ab] Spec Call Notes 9-May-19

Tom Jones thomasclinganjones at gmail.com
Thu May 30 17:26:54 UTC 2019


I raised the problem about persistent identifiers in other contexts.
What I understand from others is that the sub is persistent for the life of
itself.
It is not persistent over the life of the real-world entity.
I, personally, find that unsatisfactory. I have a different meaning for the
word subject as tied to the real-world entity.
But that does not seem to be the OpenID Foundation concept at all.
Peace ..tom


On Thu, May 30, 2019 at 2:38 AM Mischa Salle via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Hi Davide, others,
>
> does the spec actually state that for a given combination OP, RP, user,
> it always must create the same pairwise ID? The spec states
>     "the OpenID Provider MUST calculate a unique sub (subject) value for
>     each Sector Identifier"
> but it seems to me that doesn't imply that it MUST be the same each
> time? I.e. it doesn't seem to require a persistent pairwise sub for a
> given user? Or do I misread the meaning of unique?
>
>     Cheers,
>     Mischa
>
> On Thu, May 30, 2019 at 06:59:40AM +0200, Davide Vaghetti via
> Openid-specs-ab wrote:
> > Hi,
> >
> > on the point below:
> >
> > > Transient Subject Identifier Type
> > >
> > >     At IIW, Davide Vaghetti talked about the need for a transient subject_type value, similar to that in SAML
> > >
> > >     Mike and John encouraged him to write a specification for it
> >
> > ... this is what I've come up with:
> >
> >  https://gist.github.com/daserzw/813023b4e1c04d09beb732ef00d7c9e9
> >
> > Cheers,
> > Davide
> >
> > On 09/05/19 17:19, Mike Jones via Openid-specs-ab wrote:
> > > Spec Call Notes 9-May-19
> > >
> > > Mike Jones
> > > Roland Hedberg
> > > Brian Campbell
> > > Torsten Lodderstedt
> > > Bjorn Hjelm
> > > George Fletcher
> > > Tom Jones
> > >
> > > OpenID Certification
> > >     Roland created certification tests for Session, Front-Channel, and Back-Channel, which are now being tested
> > >     Filip Skokan provided a lot of early feedback on the OP tests
> > >     We now need instructions for testing so others can do so
> > >         It seems that there will need to be some browser-specific instructions in some cases
> > >     There are RP logout tests also but they haven't been tested yet by others than Roland
> > >
> > > Authentication Failed Error Code Draft
> > >     This is issue #1029
> > >     The error code is now unmet_authentication_requirements
> > >     Torsten submitted and Mike will publish the working group draft
> > >
> > > OpenID Connect for Identity Proofing
> > >     Another new draft was published at https://openid.net/specs/openid-connect-4-identity-assurance.html
> > >     Torsten led a discussion at IIW
> > >     A lot of good feedback was received, including on requirements for other jurisdictions
> > >     It was pointed out that some proofs will require multiple documents
> > >         Torsten is working on updated syntax for that
> > >         See issue #1082: Support for multiple proof sources
> > >     Reviews are solicited
> > >     We agreed that Torsten should present this during EIC
> > >
> > > EIC Next Week
> > >     Roland, Torsten, Bjorn, George, and Mike will be at EIC next week
> > >
> > > Distinguishing first and third party cookies
> > >     George let us know that there's a spec that adds the same-site qualifier to cookies
> > >         https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
> > >         Values are none, strict, and lax
> > >         Also see https://web.dev/samesite-cookies-explained/ and https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
> > >     Google is adding support for this to Chrome
> > >     George asked whether this might affect iframe and postMessage communication
> > >         And whether this might affect Session Management
> > >
> > > Open Issues
> > >     https://bitbucket.org/openid/connect/issues?status=new&status=open
> > >     #1083: policy_uri, tos_uri, logo_uri missing in IANA JWT claims registry
> > >         Brian asked whether Nat really meant the JWT Claims registry or the AS Metadata registry
> > >     #1081: Need for a persistence user identifier - a PUID
> > >         We discussed that change of keys is a change of identity for self-issued
> > >         We discussed the ability to add a "did" claim to the ID Token when it is useful
> > >         We discussed that the "sub" value must not change at key roll-over time
> > >
> > > Transient Subject Identifier Type
> > >     At IIW, Davide Vaghetti talked about the need for a transient subject_type value, similar to that in SAML
> > >     Mike and John encouraged him to write a specification for it
> > >
> > > Next Call
> > >     The May 13th call is cancelled due to EIC
> > >     The next call is Thursday, May 23 at 7am Pacific Time
> > >
> > > _______________________________________________
> > > Openid-specs-ab mailing list
> > > Openid-specs-ab at lists.openid.net
> > > http://lists.openid.net/mailman/listinfo/openid-specs-ab
> > >
> >
> > --
> > Davide Vaghetti
> > Consortium GARR
> > Tel: +390502213158
> > Mobile: +393357779542
> > Skype: daserzw
> >
>
>
>
> --
> Nikhef                      Room  H155
> Science Park 105            Tel.  +31-20-592 5102
> 1098 XG Amsterdam           Fax   +31-20-592 5155
> The Netherlands             Email msalle at nikhef.nl
>   __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..
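The thread above turns on what a pairwise sub is (Mischa's question about whether it is the same value every time) and how a transient sub differs from it (Davide's proposal). The following Python is an added illustration written for these notes; it is not code from the OpenID Foundation, from the spec, or from anyone in the thread. It derives the Sector Identifier the way OpenID Connect Core section 8.1 describes (host of sector_identifier_uri if registered, otherwise the host of the single redirect_uri), then issues a sub for each subject_type. The keyed-hash construction for the pairwise value, the OP_SALT name, the "transient" subject_type value and the local account identifiers are all assumptions of the example. What it shows is that a hash over (sector, local account id, OP secret) is persistent by construction, so the same OP, RP and user always get the same sub, while a transient value is fresh on every issuance.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed OP-side secret for the example only; a real OP keeps this in a key store.
OP_SALT = b"constructed-example-salt-not-for-production"


def sector_identifier(redirect_uris, sector_identifier_uri=None):
    """Derive the Sector Identifier for a registered client.

    Following OpenID Connect Core 8.1: if the client registered a
    sector_identifier_uri, its host is the sector; otherwise the host of
    the redirect_uri is used, which only works when all redirect_uris
    share one host.
    """
    if sector_identifier_uri:
        return urlparse(sector_identifier_uri).hostname
    hosts = {urlparse(u).hostname for u in redirect_uris}
    if len(hosts) != 1:
        raise ValueError("multiple redirect_uri hosts require a sector_identifier_uri")
    return hosts.pop()


def pairwise_sub(local_account_id, sector, op_salt=OP_SALT):
    """Persistent pairwise sub (assumed construction, not mandated by the spec).

    A keyed hash over the sector and the OP's local account identifier:
    - deterministic, so the same user at the same sector gets the same sub;
    - unrelated across sectors, so two RPs cannot correlate the user;
    - not reversible by anyone without op_salt.
    The NUL separator keeps "ab"+"c" and "a"+"bc" from colliding.
    """
    msg = sector.encode() + b"\x00" + local_account_id.encode()
    return hmac.new(op_salt, msg, hashlib.sha256).hexdigest()


def transient_sub():
    """Transient sub: a fresh, unguessable opaque value on every issuance.

    Nothing links two values for the same user, so the RP cannot
    recognise a returning user by sub alone (the SAML-transient style
    behaviour Davide's proposal is about, as assumed here).
    """
    return secrets.token_urlsafe(32)


def issue_sub(subject_type, local_account_id, sector):
    """Pick the sub value for an ID Token given the client's subject_type.

    "public" and "pairwise" are the spec's values; "transient" is the
    hypothetical value discussed in the thread.
    """
    if subject_type == "public":
        return local_account_id          # one value for this user at every RP
    if subject_type == "pairwise":
        return pairwise_sub(local_account_id, sector)
    if subject_type == "transient":
        return transient_sub()
    raise ValueError(f"unknown subject_type {subject_type!r}")


def demo():
    """Exercise the three subject types with constructed clients and one user."""
    sector_a = sector_identifier(["https://app.example.com/cb"])
    sector_b = sector_identifier(
        ["https://x.example.org/cb", "https://y.example.org/cb"],
        sector_identifier_uri="https://example.org/sectors.json",
    )
    alice = "alice@idp.example.net"  # constructed local account id
    return {
        "pairwise_is_persistent": issue_sub("pairwise", alice, sector_a)
        == issue_sub("pairwise", alice, sector_a),
        "pairwise_is_unlinkable_across_sectors": issue_sub("pairwise", alice, sector_a)
        != issue_sub("pairwise", alice, sector_b),
        "transient_rotates_every_time": issue_sub("transient", alice, sector_a)
        != issue_sub("transient", alice, sector_a),
        "public_is_the_same_everywhere": issue_sub("public", alice, sector_a)
        == issue_sub("public", alice, sector_b),
    }


if __name__ == "__main__":
    for name, holds in demo().items():
        print(f"{name}: {holds}")
```

Note that persistence here comes from the deterministic construction, not from any storage: an OP that instead draws a random pairwise value and stores it per (user, sector) pair gets the same observable behaviour, while an OP that draws a random value and does not store it has, in effect, implemented the transient type.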