[Openid-specs-ab] Review of openid-connect-4-identity-assurance-04

Mike Jones Michael.Jones at microsoft.com
Mon Jun 17 16:14:07 UTC 2019


Use of "verified" in this context with this meaning is already existing practice. For instance see the use of the "verified" term in the "phone_number_verified" and "email_verified" claims from https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims and https://www.iana.org/assignments/jwt/jwt.xhtml#claims.

We should continue using the same term in this context since it has the same meaning. Inventing another term for the same thing would only cause needless confusion.

-- Mike
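The existing practice Mike points to has a concrete consequence for relying parties: "email_verified" and "phone_number_verified" are JSON booleans, and only a strict check on them tells the RP that the OP actually confirmed control of the address. The following is an added example, not code from this thread or from any OpenID specification; it reads a decoded claims set (signature, issuer and audience checks are assumed to have already happened) and keeps only the claims whose companion flag is exactly true. The sample claims sets and the function names are constructed for illustration, and the proposed "verified_claims" container is not modelled here.

```python
"""Added example (not from the thread or the OpenID specs): how a relying
party should read the "<name>_verified" flags that OpenID Connect Core 1.0
pairs with the "email" and "phone_number" standard claims."""
import json
from typing import Optional

# Standard claims that OpenID Connect Core 1.0 (Section 5.1) pairs with a
# JSON boolean "<name>_verified" flag. The flag means the OP took affirmative
# steps to confirm the End-User controls the address; it says nothing about
# claims that carry no such flag.
VERIFIABLE_CLAIMS = ("email", "phone_number")


def verified_standard_claims(claims: dict) -> dict:
    """Return only the claims whose companion flag is the JSON boolean true.

    `claims` is the decoded ID Token / UserInfo claims set. A missing flag,
    JSON false, or a look-alike such as the string "true" or the number 1 is
    treated as "not verified by the OP".
    """
    verified = {}
    for name in VERIFIABLE_CLAIMS:
        if name not in claims:
            continue
        # `is True` rejects 1, "true" and other truthy non-booleans, which a
        # plain `if flag:` test would silently accept.
        if claims.get(f"{name}_verified") is True:
            verified[name] = claims[name]
    return verified


def account_recovery_address(claims: dict) -> Optional[str]:
    """Address the RP may use for a sensitive action (e.g. a password reset)
    purely on the OP's say-so: only a verified email qualifies."""
    return verified_standard_claims(claims).get("email")


# Constructed sample claims sets, as they would appear after JWT decoding.
SAMPLES = {
    "verified": '{"sub":"248289761001","email":"jane@example.com",'
                '"email_verified":true,"phone_number":"+1 (425) 555-1212",'
                '"phone_number_verified":false}',
    "flag_missing": '{"sub":"248289761002","email":"jane@example.com"}',
    "string_flag": '{"sub":"248289761003","email":"jane@example.com",'
                   '"email_verified":"true"}',
}


def run_samples() -> dict:
    """Apply the filter to every constructed sample; keyed by sample label."""
    return {label: verified_standard_claims(json.loads(raw))
            for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, kept in run_samples().items():
        print(f"{label}: {kept}")
```

The point of the strict `is True` test is that a buggy or hostile upstream that emits `"email_verified": "false"` would pass a truthiness check, since any non-empty string is truthy in Python; the boolean identity check keeps the RP's notion of "verified" aligned with the meaning the Core spec gives the flag.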
________________________________
From: Anthony Nadalin
Sent: Monday, June 17, 2019 5:42:35 PM
To: Tom Jones; Artifact Binding/Connect Working Group
Cc: Mike Jones; Torsten Lodderstedt
Subject: RE: [Openid-specs-ab] Review of openid-connect-4-identity-assurance-04

If I understand the meaning of "verified" here, I would say that "registered claim" is a far better term, and gets away from the false sense of "verified".

From: Tom Jones <thomasclinganjones at gmail.com>
Sent: Sunday, June 16, 2019 12:51 PM
To: Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
Cc: Mike Jones <Michael.Jones at microsoft.com>; Torsten Lodderstedt <torsten at lodderstedt.net>; Anthony Nadalin <tonynad at microsoft.com>
Subject: Re: [Openid-specs-ab] Review of openid-connect-4-identity-assurance-04

Ah Tony - the JWT definition seems good enough to me. Provided value can be a complex structure like an address.
Here is the definition in my glossary: A statement by or about a Subject is a claim. If there is some corroboration of the claim, it is called a Validated claim. <https://tcwiki.azurewebsites.net/index.php?title=Claim#Full_Title_or_Meme>
Here is the definition from Skeat's: to call out for, or to publish, pretty much the same meaning as the Latin word clamare.

The adjectives verified, validated and registered should all work. I do like the historical precedent for registered myself.

Peace ..tom


On Sat, Jun 15, 2019 at 8:04 PM Anthony Nadalin via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
It's a very, very poor definition; you need to look at the real definition, not a made-up one.

________________________________
From: Mike Jones
Sent: Saturday, June 15, 2019 7:37:55 AM
To: Torsten Lodderstedt; Anthony Nadalin
Cc: Artifact Binding/Connect Working Group
Subject: RE: Review of openid-connect-4-identity-assurance-04

The normative definition of "Claim" for JWTs is this one from the JWT spec at https://tools.ietf.org/html/rfc7519#section-2:

   Claim
      A piece of information asserted about a subject.  A claim is
      represented as a name/value pair consisting of a Claim Name and a
      Claim Value.

It says nothing about doubt – just that the information was asserted.  Therefore, I continue to agree that Torsten’s suggested identifier “verified_claim” is the right one.

-- Mike

From: Torsten Lodderstedt <torsten at lodderstedt.net>
Sent: Saturday, June 15, 2019 12:52 AM
To: Anthony Nadalin <tonynad at microsoft.com>
Cc: Mike Jones <Michael.Jones at microsoft.com>; Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
Subject: Re: Review of openid-connect-4-identity-assurance-04



On 14.06.2019 at 18:48, Anthony Nadalin <tonynad at microsoft.com> wrote:
It's not a claim then, it's a statement; it does not matter who has the claim, the issuer or the beholder, it's still in doubt. I don't understand enough of the "verified" statement since the language is vague in the specification: is it the provenance of the data or the truth of the data?

I would say first of all truth but backed by data about the provenance

Happy to incorporate your text proposals to improve the spec language


From: Mike Jones <Michael.Jones at microsoft.com>
Sent: Friday, June 14, 2019 9:45 AM
To: Anthony Nadalin <tonynad at microsoft.com>; Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>; Torsten Lodderstedt <torsten at lodderstedt.net>
Subject: Re: Review of openid-connect-4-identity-assurance-04

A claim is a statement made by the issuer. A verified claim is one with evidence backing it beyond the veracity of the issuer.
Doubt or belief are both properties of the beholder - not the issuer.
-- Mike
________________________________
From: Anthony Nadalin
Sent: Friday, June 14, 2019 6:44:29 PM
To: Artifact Binding/Connect Working Group; Torsten Lodderstedt
Cc: Mike Jones
Subject: RE: Review of openid-connect-4-identity-assurance-04

A claim is something in doubt; how can you have a verified claim?

From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> On Behalf Of Mike Jones via Openid-specs-ab
Sent: Friday, June 14, 2019 8:42 AM
To: Torsten Lodderstedt <torsten at lodderstedt.net>
Cc: Mike Jones <Michael.Jones at microsoft.com>; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Review of openid-connect-4-identity-assurance-04

I agree with "verified_claims".
Thanks!
-- Mike
________________________________
From: Torsten Lodderstedt <torsten at lodderstedt.net>
Sent: Friday, June 14, 2019 5:47:17 PM
To: Mike Jones
Cc: Daniel Fett; openid-specs-ab at lists.openid.net
Subject: Re: Review of openid-connect-4-identity-assurance-04

Hi Mike,

Thanks a lot for your substantial feedback.

While I'm incorporating it, I would like to sort out one question:

> On 1 Jun 2019, at 02:16, Mike Jones <Michael.Jones at microsoft.com> wrote:
>
> All Sections:  Generalize kinds of verified claims.  The most important issue is to generalize the goal of the document from defining how to use "verified person data" to defining how to use "verified data".  This work isn't happening in a vacuum.  There are other efforts to define representations of verified claims in the industry, including https://w3c.github.io/vc-data-model/, that take this more general approach, but propose much more complicated data representations that are not based on JWTs.  It would be highly beneficial to have a simple general JWT-based "verified data" representation that is general-purpose.  Indeed, that's the possibility that excites me about this work.  Don't get me wrong – I believe that all the particulars for verified people data can and should remain.  The main concrete change needed is to rename "verified_person_data" to "verified_data".

I think “verified_claims” would fit even better. What do you think?

best regards,
Torsten.
