[Openid-specs-ab] privacy & acr

Anthony Nadalin tonynad at microsoft.com
Wed Oct 30 02:43:38 UTC 2013


>I would like to find a way to simplify it but we are getting a bit late in the process. 

It's never too late to make the right changes

-----Original Message-----
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of John Bradley
Sent: Tuesday, October 29, 2013 6:03 PM
To: Nat Sakimura
Cc: <openid-specs-ab at lists.openid.net>
Subject: Re: [Openid-specs-ab] privacy & acr

Yes that is perhaps a better way to put it.

I would like to find a way to simplify it but we are getting a bit late in the process. 

The option would be to scrap the claims way to ask for required and let people define new acr values that require an exact mach  eg loa1-exact-match or something like that.
Adding another query parameter is too ugly.

In general the match parameter for authn context is supposed to control if you are allowed to return better than or exact etc however that never really got used properly as everyone sends exact as the match and then get returned whatever the IdP feels like, on the assumption that if it could not match the request exactly the RP will figure it out from the response.

John B.


On Oct 29, 2013, at 9:09 PM, Nat Sakimura <sakimura at gmail.com> wrote:

> RP asking for only LoA 1 and not higher with PPID may not want a LoA2 non-PPID identity as that would require them to go under full PIA. In such a case, the RP may want the request to fail if this acr cannot be fulfilled. 
> 
> So, it is not so much for privacy protection but the avoidance of privacy compliance cost. 
> 
> Cheers, 
> 
> =nat via iPhone
> 
> Oct 30, 2013 4:42、Brian Campbell <bcampbell at pingidentity.com> のメッセージ:
> 
>> Yesterday on the call John said that there are privacy reasons to want to be able to request "acr" as an essential claim and return an error if it fails.
>> 
>> Can you explain that again John? Who's privacy (I assume the end user's) about what (how/when they authenticated) is being kept from who? 
>> 
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab



More information about the Openid-specs-ab mailing list