[Openid-specs-ab] Issue #970: Standard - ID Token incorrectly specifies the value 0 (openid/connect)

Epek Limited issues-reply at bitbucket.org
Sun May 3 21:36:50 UTC 2015

New issue 970: Standard -  ID Token incorrectly specifies the value 0

Epek Limited:

The specs[0.0] say that *authentication using a long-lived browser cookie is one example where the use of "level 0" is appropriate*. This is **wrong** because a long lived browser cookie is actually level 1 based on ISO29115. It also specifies that level 0 doesn't meet the ISO level 1[0] but you can't go lower than Level 1.
  For example, at LoA1, a MAC address may satisfy a device authentication requirement. There is little confidence that another device will not be able to claim the same MAC address. Therefore a long lived cookie is same or even stronger than a MAC address which can be claimed easier. I don't see any good reason to invent a new level(level 0) with the same specs as level 1.
  The specifications also miss a reference/url to the actual ISO29115 specification so I've included here a copy I've found[1]. 

[0.0] http://openid.net/specs/openid-connect-messages-1_0-20.html#id_token

[0] The value "0" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 level 1

[1] https://www.oasis-open.org/committees/download.php/44751/285-17Attach1.pdf

More information about the Openid-specs-ab mailing list