[Openid-specs-ab] Spec Call Notes 9-May-19

Tom Jones thomasclinganjones at gmail.com
Thu May 30 17:31:38 UTC 2019


It is worth noting here that the concept of sub is not commonly understood
by all parties.
It seems to mean exactly, and only, what the local system thinks it means.
I have stated elsewhere that we need a different id (like the did) that
can be tied to long-lived claims.
These long-lived claims are NOT the claims of the OP, which is what OpenID
Connect is all about. That is a mistake that I had made earlier.
Peace ..tom


On Thu, May 30, 2019 at 7:43 AM Torsten Lodderstedt via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Hi Davide,
>
> thanks for the write up. I buy into it since I faced such use cases in the
> past.
>
> I’m not quite sure whether it is sufficient to just add another subject
> type value to the subject_types_supported element in the
> openid-configuration since this new subject type significantly changes the
> characteristics of the sub Claim.
>
> Today, a RP can ignore the subject type simply because all sub Claim
> values are supposed to be stable and immutable over multiple OpenID Connect
> transactions. This means the RP can rely on the sub Claim for recognising a
> returning user no matter whether it is a public or pairwise id. An
> ephemeral sub value (intentionally) works differently. I feel the OP should
> tell the RP that the sub is ephemeral so the RP knows it cannot establish
> an id federation. An additional claim “sub_type” in the ID Token or UserInfo
> response would suffice.
>
> best regards,
> Torsten.
>
>
> > On 30. May 2019, at 06:59, Davide Vaghetti via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
> >
> > Hi,
> >
> > on the point below:
> >
> >> Transient Subject Identifier Type
> >>
> >>              At IIW, Davide Vaghetti talked about the need for a
> >> transient subject_type value, similar to that in SAML
> >>
> >>              Mike and John encouraged him to write a specification for it
> >
> > ... this is what I've come up with:
> >
> > https://gist.github.com/daserzw/813023b4e1c04d09beb732ef00d7c9e9
> >
> > Cheers,
> > Davide
> >
> > On 09/05/19 17:19, Mike Jones via Openid-specs-ab wrote:
> >> Spec Call Notes 9-May-19
> >>
> >>
> >>
> >> Mike Jones
> >>
> >> Roland Hedberg
> >>
> >> Brian Campbell
> >>
> >> Torsten Lodderstedt
> >>
> >> Bjorn Hjelm
> >>
> >> George Fletcher
> >>
> >> Tom Jones
> >>
> >>
> >>
> >> OpenID Certification
> >>
> >>               Roland created certification tests for Session,
> >> Front-Channel, and Back-Channel, which are now being tested
> >>
> >>               Filip Skokan provided a lot of early feedback on the OP tests
> >>
> >>               We now need instructions for testing so others can do so
> >>
> >>                            It seems that there will need to be some
> >> browser-specific instructions in some cases
> >>
> >>               There are RP logout tests also but they haven't been
> >> tested yet by others than Roland
> >>
> >>
> >>
> >> Authentication Failed Error Code Draft
> >>
> >>               This is issue #1029
> >>
> >>               The error code is now unmet_authentication_requirements
> >>
> >>               Torsten submitted and Mike will publish the working group
> >> draft
> >>
> >>
> >>
> >> OpenID Connect for Identity Proofing
> >>
> >>               Another new draft was published at
> >> https://openid.net/specs/openid-connect-4-identity-assurance.html
> >>
> >>               Torsten led a discussion at IIW
> >>
> >>               A lot of good feedback was received, including on
> >> requirements for other jurisdictions
> >>
> >>               It was pointed out that some proofs will require multiple
> >> documents
> >>
> >>                            Torsten is working on updated syntax for that
> >>
> >>                            See issue #1082: Support for multiple proof
> >> sources
> >>
> >>               Reviews are solicited
> >>
> >>               We agreed that Torsten should present this during EIC
> >>
> >>
> >>
> >> EIC Next Week
> >>
> >>               Roland, Torsten, Bjorn, George, and Mike will be at EIC
> >> next week
> >>
> >>
> >>
> >> Distinguishing first and third party cookies
> >>
> >>               George let us know that there's a spec that adds the
> >> same-site qualifier to cookies
> >>
> >>
> >> https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
> >>
> >>                            Values are none, strict, and lax
> >>
> >>                            Also see
> >> https://web.dev/samesite-cookies-explained/
> >>
> >>                            and
> >> https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
> >>
> >>               Google is adding support for this to Chrome
> >>
> >>               George asked whether this might affect iframe and
> >> postMessage communication
> >>
> >>                            And whether this might affect Session Management
> >>
> >>
> >>
> >> Open Issues
> >>
> >>
> >> https://bitbucket.org/openid/connect/issues?status=new&status=open
> >>
> >>               #1083: policy_uri, tos_uri, logo_uri missing in IANA JWT
> >> claims registry
> >>
> >>                            Brian asked whether Nat really meant the JWT
> >> Claims registry or the AS Metadata registry
> >>
> >>               #1081: Need for a persistence user identifier - a PUID
> >>
> >>                            We discussed that change of keys is a change
> >> of identity for self-issued
> >>
> >>                            We discussed the ability to add a "did" claim
> >> to the ID Token when it is useful
> >>
> >>                            We discussed that the "sub" value must not
> >> change at key roll-over time
> >>
> >>
> >>
> >> Transient Subject Identifier Type
> >>
> >>               At IIW, Davide Vaghetti talked about the need for a
> >> transient subject_type value, similar to that in SAML
> >>
> >>               Mike and John encouraged him to write a specification for it
> >>
> >>
> >>
> >> Next Call
> >>
> >>               The May 13th call is cancelled due to EIC
> >>
> >>               The next call is Thursday, May 23 at 7am Pacific Time
> >>
> >>
> >> _______________________________________________
> >> Openid-specs-ab mailing list
> >> Openid-specs-ab at lists.openid.net
> >> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> >>
> >
> > --
> > Davide Vaghetti
> > Consortium GARR
> > Tel: +390502213158
> > Mobile: +393357779542
> > Skype: daserzw
> >
>
>
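Added example, not part of this thread or of any OpenID specification: an RP-side decision routine for Torsten's point above. It keys a persistent local account on (iss, sub) only when the OP's discovery document and the ID Token together say the sub is stable, and hands out a throwaway session identity otherwise. The `sub_type` claim and the `transient` subject type value are the thread's proposals and are treated here as hypothetical; the discovery documents and claim sets are constructed sample input; the 255-ASCII-character limit on `sub` is the one in OpenID Connect Core 5.1.

```python
"""RP-side check: may this ID Token's sub be used to recognise a returning user?

Assumptions (not in any published spec): the ID Token may carry a 'sub_type'
claim naming the subject type actually used, and an OP may advertise the
hypothetical 'transient' value in subject_types_supported.
"""
from dataclasses import dataclass, field
import secrets

STABLE_SUBJECT_TYPES = {"public", "pairwise"}  # defined in OpenID Connect Core 8
TRANSIENT_SUBJECT_TYPE = "transient"           # hypothetical value from the thread


@dataclass
class LinkDecision:
    linkable: bool  # True: (iss, sub) may key a persistent RP account
    reason: str


def subject_link_decision(discovery: dict, claims: dict) -> LinkDecision:
    """Fail closed: link only when every signal says the sub is stable."""
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub or len(sub) > 255 or not sub.isascii():
        raise ValueError("sub missing or not a valid ASCII string of <= 255 chars")
    if not isinstance(claims.get("iss"), str):
        raise ValueError("iss missing")

    supported = set(discovery.get("subject_types_supported", []))
    if not supported:
        return LinkDecision(False, "discovery lacks subject_types_supported")

    sub_type = claims.get("sub_type")  # hypothetical per-token signal
    if sub_type is not None:
        if sub_type not in supported:
            return LinkDecision(False, f"sub_type {sub_type!r} not advertised by OP")
        if sub_type in STABLE_SUBJECT_TYPES:
            return LinkDecision(True, f"{sub_type} sub is stable across transactions")
        return LinkDecision(False, f"{sub_type} sub must not be used for id federation")

    # No per-token signal: safe only if the OP cannot issue anything but stable subs.
    if supported <= STABLE_SUBJECT_TYPES:
        return LinkDecision(True, "OP only issues stable subject types")
    return LinkDecision(False, "OP may issue non-stable subs and token does not say which")


@dataclass
class AccountStore:
    """Minimal RP account directory keyed on (iss, sub)."""
    accounts: dict = field(default_factory=dict)

    def resolve(self, discovery: dict, claims: dict) -> tuple:
        """Return (local account id, persisted). Non-linkable subs get a guest id."""
        decision = subject_link_decision(discovery, claims)
        if not decision.linkable:
            return f"guest-{secrets.token_hex(8)}", False
        key = (claims["iss"], claims["sub"])
        if key not in self.accounts:
            self.accounts[key] = f"acct-{len(self.accounts) + 1}"
        return self.accounts[key], True


# Constructed sample discovery documents (not real OPs).
DISCOVERY_STABLE = {"issuer": "https://op.example",
                    "subject_types_supported": ["public", "pairwise"]}
DISCOVERY_MIXED = {"issuer": "https://op.example",
                   "subject_types_supported": ["pairwise", "transient"]}

if __name__ == "__main__":
    store = AccountStore()
    for claims in ({"iss": "https://op.example", "sub": "alice"},
                   {"iss": "https://op.example", "sub": "alice"},
                   {"iss": "https://op.example", "sub": "t-1", "sub_type": "transient"}):
        print(claims, "->", store.resolve(DISCOVERY_STABLE if "sub_type" not in claims
                                         else DISCOVERY_MIXED, claims))
```

The fail-closed branch is the part worth copying: when the OP advertises a non-stable subject type and the token does not say which type it used, the RP cannot tell a stable sub from a transient one, so it must not create or match a persistent account on it.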