[Openid-specs-ab] Issue #970: Standard - 220.127.116.11. ID Token incorrectly specifies the value 0 (openid/connect)
issues-reply at bitbucket.org
Sun May 3 21:36:50 UTC 2015
New issue 970: Standard - 18.104.22.168. ID Token incorrectly specifies the value 0
The specs[0.0] say that *authentication using a long-lived browser cookie is one example where the use of "level 0" is appropriate*. This is **wrong** because a long-lived browser cookie is actually level 1 based on ISO29115. It also specifies that level 0 doesn't meet the ISO level 1, but you can't go lower than Level 1.
For example, at LoA1, a MAC address may satisfy a device authentication requirement. There is little confidence that another device will not be able to claim the same MAC address. Therefore a long-lived cookie is the same as or even stronger than a MAC address, which can be claimed more easily. I don't see any good reason to invent a new level (level 0) with the same specs as level 1.
The specifications also lack a reference/URL to the actual ISO29115 specification, so I've included here a copy I found.
 The value "0" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 level 1
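As an added illustration of what the quoted sentence means for a Relying Party (this is example code written for this page, not code from the OpenID Connect specification or from the issue reporter): the only `acr` value taken from the spec is `"0"`, which the ID Token uses to signal that authentication fell below ISO/IEC 29115 level 1. The URN-style values mapped to levels 1 through 4 are hypothetical placeholders, as is the claim dictionary; the point is that an RP requiring a minimum level must fail closed on `"0"`, on an absent `acr`, and on any value it does not recognise.

```python
# Added example, not from the OpenID Connect spec or the issue thread.
# Enforces a minimum Level of Assurance (LoA) from the "acr" claim of an
# already-verified ID Token. Signature/issuer/audience checks are assumed
# to have happened before these functions are called.
from typing import Mapping, Optional

# Hypothetical acr -> ISO/IEC 29115 level mapping. Only "0" comes from the
# spec (authentication did not meet level 1); the URNs are placeholders.
ACR_TO_LOA = {
    "0": 0,
    "urn:example:loa:1": 1,
    "urn:example:loa:2": 2,
    "urn:example:loa:3": 3,
    "urn:example:loa:4": 4,
}


def loa_of(acr: Optional[str]) -> Optional[int]:
    """Map an acr value to its LoA; None if the value is absent or unknown."""
    if not isinstance(acr, str):
        return None
    return ACR_TO_LOA.get(acr)


def meets_minimum_loa(claims: Mapping[str, object], minimum: int) -> bool:
    """True only when the acr claim maps to a known level >= minimum.

    Fails closed: a missing acr, an unrecognised acr, or "0" all return False,
    so a session protected only by a long-lived cookie (which the spec treats
    as level 0) cannot satisfy a level-1-or-higher requirement.
    """
    level = loa_of(claims.get("acr"))  # type: ignore[arg-type]
    return level is not None and level >= minimum


def matches_requested_acr(claims: Mapping[str, object], requested: list) -> bool:
    """If the RP sent acr_values, the returned acr must be one of them."""
    acr = claims.get("acr")
    return isinstance(acr, str) and acr in requested


if __name__ == "__main__":
    # Constructed sample claim sets; not real tokens.
    cookie_only = {"sub": "user-1", "acr": "0"}
    strong = {"sub": "user-1", "acr": "urn:example:loa:2"}
    print(meets_minimum_loa(cookie_only, 1))  # False
    print(meets_minimum_loa(strong, 1))       # True
    print(matches_requested_acr(strong, ["urn:example:loa:2", "urn:example:loa:3"]))  # True
```

Whatever level the spec finally attaches to long-lived cookies, the enforcement pattern is the same: compare the returned `acr` against what was requested or required, and treat anything unrecognised as insufficient.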