[Openid-specs-ab] Next steps: Extension ideas

Nat Sakimura sakimura at gmail.com
Fri May 10 09:58:37 UTC 2013


Now that the core connect is largely done, we may want to start discussing
a little bit about what we may want to do as the next steps.

I have three things in my mind.

1. granular purpose statement per claims
2. privacy level certified request object
3. link/rel metadata for the responses

1. granular purpose statement per claims
As of now, OpenID Connect has a facility to indicate the purpose of the use
for the entire request object. It should cover 80% of the cases, but
sometimes, for some of the individual attribute requests, it is not obvious
why they are needed. It will be beneficial to be able to show the user how the
individual claims are being used. It was discussed in the METI report that
was published today. (See
http://nat.sakimura.org/2013/05/10/info-label-win/ for
more details). It is possible that it becomes a part of a new guideline in
Japan.

The implementation of it is simple. We just need to define the per claim
usage. It could go into individual claims as the "purpose" member.

2. privacy level certified request object

The idea is simple. The privacy commissioner or privacy trust framework
assessor signs the request object after determining that it is following
the privacy principles such as data minimization. Then, we may be able to
skip the consent dialogue. (Sending the notification should be coupled with
it.)

3. link/rel metadata for the responses

Basically, something like
http://tools.ietf.org/html/draft-sakimura-oauth-meta-02

Any additional ideas welcome.

-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
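
A sketch of idea 1 as seen from the OpenID Provider, added here as an example and not part of the original message or of any OpenID specification. The per-claim `purpose` member is the hypothetical member proposed above, placed inside the standard `claims` request structure; the sample request, `MAX_PURPOSE_LEN`, `clean_purpose`, `consent_items` and `claims_without_purpose` are names and values assumed for illustration.

```python
import json

# Constructed sample: a "claims" request parameter carrying the hypothetical
# per-claim "purpose" member proposed in the message above.
SAMPLE_CLAIMS_REQUEST = json.dumps({
    "userinfo": {
        "email": {"essential": True, "purpose": "Send your order receipt"},
        "birthdate": {"purpose": "Confirm you are\nover 18 " + "x" * 300},
        "phone_number": None,  # requested with no qualifiers at all
    },
    "id_token": {"auth_time": {"essential": True}},
})

MAX_PURPOSE_LEN = 120  # assumed display limit, not taken from any specification


def clean_purpose(value):
    """Return relying-party supplied purpose text fit for display, or None."""
    if not isinstance(value, str):
        return None
    # The text is written by the requester, so drop control characters and
    # collapse whitespace before it reaches the consent dialogue.
    text = "".join(ch if ch.isprintable() else " " for ch in value)
    text = " ".join(text.split())
    return text[:MAX_PURPOSE_LEN] or None


def consent_items(claims_json):
    """Flatten a claims request into one consent entry per requested claim."""
    request = json.loads(claims_json)
    items = []
    for location in ("userinfo", "id_token"):
        members = request.get(location) or {}
        for claim, spec in sorted(members.items()):
            # A null value means the claim is requested with default handling.
            spec = spec if isinstance(spec, dict) else {}
            items.append({
                "location": location,
                "claim": claim,
                "essential": spec.get("essential") is True,
                "purpose": clean_purpose(spec.get("purpose")),
            })
    return items


def claims_without_purpose(items):
    """Claims the user would be asked to release with no stated reason."""
    return [item["claim"] for item in items if item["purpose"] is None]
```

The cleaned text still has to be escaped for whatever markup the consent page uses.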