[Openid-specs-ab] Spec Call Notes 9-May-19

Davide Vaghetti davide.vaghetti at garr.it
Thu May 30 20:35:26 UTC 2019


Hi Tom, Mischa,

maybe my interpretation of the pairwise subject type --- as a persistent
identifier --- is biased by my SAML background.

@Mischa: You're right that the spec doesn't **explicitly** say anything
about persistence and duration of both the public and the pairwise
ID in section 8, but in section 5.7 it says that the `sub` and the `iss`
are your best choice for a "stable identifier".

As I understand it, RPs are expecting to receive the same `sub` for a
given combination of user and OP.

Cheers,
Davide

On 30/05/19 19:26, Tom Jones via Openid-specs-ab wrote:
> I raised the problem about persistent identifiers in other contexts.
> What I understand from others is that the sub is persistent for the life
> of itself.
> It is not persistent over the life of the real-world entity.
> I, personally, find that unsatisfactory. I have a different meaning for
> the word subject as tied to the real-world entity.
> But that does not seem to be the openid foundation concept at all.
> Peace ..tom
> 
> 
> On Thu, May 30, 2019 at 2:38 AM Mischa Salle via Openid-specs-ab
> <openid-specs-ab at lists.openid.net
> <mailto:openid-specs-ab at lists.openid.net>> wrote:
> 
>     Hi Davide, others,
> 
>     does the spec actually state that for a given combination OP, RP, user,
>     it always must create the same pairwise ID? The spec states
>         "the OpenID Provider MUST calculate a unique sub (subject) value for
>         each Sector Identifier"
>     but it seems to me that doesn't imply that it MUST be the same each
>     time? I.e. it doesn't seem to require a persistent pairwise sub for a
>     given user? Or do I misread the meaning of unique?
> 
>         Cheers,
>         Mischa
> 
>     On Thu, May 30, 2019 at 06:59:40AM +0200, Davide Vaghetti via
>     Openid-specs-ab wrote:
>     > Hi,
>     >
>     > on the point below:
>     >
>     > > Transient Subject Identifier Type
>     > >
>     > >     At IIW, Davide Vaghetti talked about the need for a transient subject_type value, similar to that in SAML
>     > >
>     > >     Mike and John encouraged him to write a specification for it
>     >
>     > ... this is what I've come up with:
>     >
>https://gist.github.com/daserzw/813023b4e1c04d09beb732ef00d7c9e9
>     >
>     > Cheers,
>     > Davide
>     >
>     > On 09/05/19 17:19, Mike Jones via Openid-specs-ab wrote:
>     > > Spec Call Notes 9-May-19
>     > >
>     > > Mike Jones
>     > > Roland Hedberg
>     > > Brian Campbell
>     > > Torsten Lodderstedt
>     > > Bjorn Hjelm
>     > > George Fletcher
>     > > Tom Jones
>     > >
>     > > OpenID Certification
>     > >     Roland created certification tests for Session, Front-Channel, and Back-Channel, which are now being tested
>     > >     Filip Skokan provided a lot of early feedback on the OP tests
>     > >     We now need instructions for testing so others can do so
>     > >         It seems that there will need to be some browser-specific instructions in some cases
>     > >     There are RP logout tests also but they haven't been tested yet by others than Roland
>     > >
>     > > Authentication Failed Error Code Draft
>     > >     This is issue #1029
>     > >     The error code is now unmet_authentication_requirements
>     > >     Torsten submitted and Mike will publish the working group draft
>     > >
>     > > OpenID Connect for Identity Proofing
>     > >     Another new draft was published at https://openid.net/specs/openid-connect-4-identity-assurance.html
>     > >     Torsten led a discussion at IIW
>     > >     A lot of good feedback was received, including on requirements for other jurisdictions
>     > >     It was pointed out that some proofs will require multiple documents
>     > >         Torsten is working on updated syntax for that
>     > >         See issue #1082: Support for multiple proof sources
>     > >     Reviews are solicited
>     > >     We agreed that Torsten should present this during EIC
>     > >
>     > > EIC Next Week
>     > >     Roland, Torsten, Bjorn, George, and Mike will be at EIC next week
>     > >
>     > > Distinguishing first and third party cookies
>     > >     George let us know that there's a spec that adds the same-site qualifier to cookies
>     > >         https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
>     > >         Values are none, strict, and lax
>     > >         Also see https://web.dev/samesite-cookies-explained/ and https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
>     > >     Google is adding support for this to Chrome
>     > >     George asked whether this might affect iframe and postMessage communication
>     > >         And whether this might affect Session Management
>     > >
>     > > Open Issues
>     > >     https://bitbucket.org/openid/connect/issues?status=new&status=open
>     > >     #1083: policy_uri, tos_uri, logo_uri missing in IANA JWT claims registry
>     > >         Brian asked whether Nat really meant the JWT Claims registry or the AS Metadata registry
>     > >     #1081: Need for a persistence user identifier - a PUID
>     > >         We discussed that change of keys is a change of identity for self-issued
>     > >         We discussed the ability to add a "did" claim to the ID Token when it is useful
>     > >         We discussed that the "sub" value must not change at key roll-over time
>     > >
>     > > Transient Subject Identifier Type
>     > >     At IIW, Davide Vaghetti talked about the need for a transient subject_type value, similar to that in SAML
>     > >     Mike and John encouraged him to write a specification for it
>     > >
>     > > Next Call
>     > >     The May 13th call is cancelled due to EIC
>     > >     The next call is Thursday, May 23 at 7am Pacific Time
>     > >
>     > >
>     > > _______________________________________________
>     > > Openid-specs-ab mailing list
>     > > Openid-specs-ab at lists.openid.net
>     <mailto:Openid-specs-ab at lists.openid.net>
>     > > http://lists.openid.net/mailman/listinfo/openid-specs-ab
>     > >
> 
> 
> 
> 
> 
>     -- 
>     Nikhef                      Room  H155
>     Science Park 105            Tel.  +31-20-592 5102
>     1098 XG Amsterdam           Fax   +31-20-592 5155
>     The Netherlands             Email msalle at nikhef.nl
>     <mailto:msalle at nikhef.nl>
>       __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..
> 
> 
> 

-- 
Davide Vaghetti
Consortium GARR
Tel: +390502213158
Mobile: +393357779542
Skype: daserzw
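As an added illustration of the persistence question raised in this thread (not code from the list, from the spec, or from Davide's gist): the example pairwise algorithm given in OpenID Connect Core section 8.1, next to a hypothetical transient alternative of the kind the proposal describes. The sector identifier derivation follows section 8.1; the NUL delimiter, the salt handling, the `transient_sub` shape and all sample RP registrations are assumptions made here.

```python
import hashlib
import secrets
from urllib.parse import urlparse

# Constructed OP-side salt (assumption). It must be generated once and kept stable:
# the pairwise sub is only as persistent as the salt and the local account id are.
OP_SALT = b"constructed-op-salt-keep-stable"


def sector_identifier(redirect_uris, sector_identifier_uri=None):
    """Sector Identifier (OIDC Core 8.1): the host of sector_identifier_uri when
    one is registered, otherwise the single host shared by all redirect_uris."""
    if sector_identifier_uri:
        return urlparse(sector_identifier_uri).hostname
    hosts = {urlparse(u).hostname for u in redirect_uris}
    if len(hosts) != 1:
        raise ValueError("redirect_uris span several hosts; a sector_identifier_uri is required")
    return hosts.pop()


def pairwise_sub(sector, local_account_id, salt=OP_SALT):
    """Example pairwise algorithm from OIDC Core 8.1:
    sub = SHA-256(sector_identifier || local_account_id || salt).
    A NUL delimiter between fields is an addition here so that field boundaries
    are unambiguous. Same (salt, sector, user) in -> same sub out, every login."""
    data = sector.encode() + b"\x00" + local_account_id.encode() + b"\x00" + salt
    return hashlib.sha256(data).hexdigest()


def transient_sub():
    """Hypothetical 'transient' subject_type modelled on SAML's transient NameID:
    a fresh random value per authentication, unlinkable across logins."""
    return secrets.token_urlsafe(32)


def demo():
    """Constructed RP registrations and one local user; returns what each case yields."""
    user = "alice-local-account"
    same_host = ["https://app.example.com/cb", "https://app.example.com/cb2"]
    other_host = ["https://other.example.net/cb"]
    sector_a = sector_identifier(same_host)
    return {
        "login1": pairwise_sub(sector_a, user),           # first login at RP A
        "login2": pairwise_sub(sector_a, user),           # later login at RP A: identical
        "other_rp": pairwise_sub(sector_identifier(other_host), user),  # not linkable to RP A
        "after_salt_change": pairwise_sub(sector_a, user, salt=b"rotated"),  # persistence lost
        "transient1": transient_sub(),
        "transient2": transient_sub(),                    # differs from transient1
    }
```

The `after_salt_change` entry is the caveat behind the thread: "unique per Sector Identifier" becomes "the same every time" only if the OP keeps its salt and local account ids stable.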
