[Openid-specs-ab] Review of openid-connect-4-identity-assurance-04

Jim Willeke jim at willeke.com
Mon Jun 17 17:40:31 UTC 2019


https://www.w3.org/2017/vc/WG/ is working on it and uPort
<https://developer.uport.me/messages/verification> has some data and
definitions.

Generally, it seems a Verifiable Claim is an assertion made by a
Third-party about a subject which is tamper-proof and whose authorship can
be cryptographically verified.

--
-jim
Jim Willeke


On Mon, Jun 17, 2019 at 1:10 PM Tom Jones via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Mike: I appreciate the reference to verified email and other subject
> supplied claims. In those cases the verifier is the RP client or OP as the
> case may be.
> What is missing AFAICT is the concept of third party verification, which
> is what is needed here. Extending verified to this case may, or may not, be
> a good idea.
> The current unmet problem of the verified claims is that, first of all,
> the {subject, client, whatever} needs to trust the verifier.
> I have been building a solution to that problem based on the oidc
> federation draft.
> This is a problem for which AFAICT no stds group has a solution.
> One existing model is the attestation server of the TPM or the network
> policy server in windows.
> Would this group be prepared to deal with such a doc if I tried to create
> it?
> Does anyone else need such a solution and would like to work on it?
> Peace ..tom
>
>
> On Mon, Jun 17, 2019 at 9:14 AM Mike Jones <Michael.Jones at microsoft.com>
> wrote:
>
>> Use of "verified" in this context with this meaning is already existing
>> practice. For instance see the use of the "verified" term in the
>> "phone_number_verified" and "email_verified" claims from
>> https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims and
>> https://www.iana.org/assignments/jwt/jwt.xhtml#claims.
>>
>> We should continue using the same term in this context since it has the
>> same meaning. Inventing another term for the same thing would only cause
>> needless confusion.
>>
>> -- Mike
>> ------------------------------
>> *From:* Anthony Nadalin
>> *Sent:* Monday, June 17, 2019 5:42:35 PM
>> *To:* Tom Jones; Artifact Binding/Connect Working Group
>> *Cc:* Mike Jones; Torsten Lodderstedt
>> *Subject:* RE: [Openid-specs-ab] Review of
>> openid-connect-4-identity-assurance-04
>>
>>
>> If I understand the meaning of “verified” here, I would say that
>> “registered claim” is a far better term, and gets away from the false sense
>> of “verified”.
>>
>>
>>
>> *From:* Tom Jones <thomasclinganjones at gmail.com>
>> *Sent:* Sunday, June 16, 2019 12:51 PM
>> *To:* Artifact Binding/Connect Working Group <
>> openid-specs-ab at lists.openid.net>
>> *Cc:* Mike Jones <Michael.Jones at microsoft.com>; Torsten Lodderstedt <
>> torsten at lodderstedt.net>; Anthony Nadalin <tonynad at microsoft.com>
>> *Subject:* Re: [Openid-specs-ab] Review of
>> openid-connect-4-identity-assurance-04
>>
>>
>>
>> Ah Tony - the JWT definition seems good enough to me. Provide value can
>> be a complex structure like an address.
>>
>> Here is the definition in my glossary
>> <https://tcwiki.azurewebsites.net/index.php?title=Claim#Full_Title_or_Meme>:
>> A statement by or about a Subject is a claim. If there is some
>> corroboration of the claim, it is called a Validated claim.
>>
>> Here is the definition from Skeat's: to call out for, or to publish,
>> pretty much the same meaning as the Latin word *clamare*.
>>
>>
>>
>> The adjectives verified, validated and registered should all work. I do
>> like the historical precedent for registered myself.
>>
>>
>> Peace ..tom
>>
>> On Sat, Jun 15, 2019 at 8:04 PM Anthony Nadalin via Openid-specs-ab <
>> openid-specs-ab at lists.openid.net> wrote:
>>
>> It's a very, very poor definition; you need to look at the real definition,
>> not a made-up one.
>>
>> ------------------------------
>>
>> *From:* Mike Jones
>> *Sent:* Saturday, June 15, 2019 7:37:55 AM
>> *To:* Torsten Lodderstedt; Anthony Nadalin
>> *Cc:* Artifact Binding/Connect Working Group
>> *Subject:* RE: Review of openid-connect-4-identity-assurance-04
>>
>>
>>
>> The normative definition of “Claim” for JWTs is this one from the JWT
>> spec at https://tools.ietf.org/html/rfc7519#section-2:
>>
>>    Claim
>>       A piece of information asserted about a subject.  A claim is
>>       represented as a name/value pair consisting of a Claim Name and a
>>       Claim Value.
>>
>> It says nothing about doubt – just that the information was asserted.
>> Therefore, I continue to agree that Torsten’s suggested identifier
>> “verified_claim” is the right one.
>>
>> -- Mike
>>
>> *From:* Torsten Lodderstedt <torsten at lodderstedt.net>
>> *Sent:* Saturday, June 15, 2019 12:52 AM
>> *To:* Anthony Nadalin <tonynad at microsoft.com>
>> *Cc:* Mike Jones <Michael.Jones at microsoft.com>; Artifact Binding/Connect
>> Working Group <openid-specs-ab at lists.openid.net>
>> *Subject:* Re: Review of openid-connect-4-identity-assurance-04
>>
>> On 14.06.2019 at 18:48, Anthony Nadalin <tonynad at microsoft.com> wrote:
>>
>> It’s not a claim then, it’s a statement. It does not matter who has the
>> claim, the issuer or the beholder; it’s still in doubt. I don’t understand
>> enough of the “verified” statement since the language is vague in the
>> specification: is it the provenance of the data or the truth of the data?
>>
>> I would say first of all truth, but backed by data about the provenance.
>>
>> Happy to incorporate your text proposals to improve the spec language.
>>
>> *From:* Mike Jones <Michael.Jones at microsoft.com>
>> *Sent:* Friday, June 14, 2019 9:45 AM
>> *To:* Anthony Nadalin <tonynad at microsoft.com>; Artifact Binding/Connect
>> Working Group <openid-specs-ab at lists.openid.net>; Torsten Lodderstedt <
>> torsten at lodderstedt.net>
>> *Subject:* Re: Review of openid-connect-4-identity-assurance-04
>>
>> A claim is a statement made by the issuer. A verified claim is one with
>> evidence backing it beyond the veracity of the issuer.
>>
>> Doubt or belief are both properties of the beholder - not the issuer.
>>
>> -- Mike
>> ------------------------------
>>
>> *From:* Anthony Nadalin
>> *Sent:* Friday, June 14, 2019 6:44:29 PM
>> *To:* Artifact Binding/Connect Working Group; Torsten Lodderstedt
>> *Cc:* Mike Jones
>> *Subject:* RE: Review of openid-connect-4-identity-assurance-04
>>
>> A claim is something in doubt; how can you have a verified claim?
>>
>> *From:* Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> *On
>> Behalf Of* Mike Jones via Openid-specs-ab
>> *Sent:* Friday, June 14, 2019 8:42 AM
>> *To:* Torsten Lodderstedt <torsten at lodderstedt.net>
>> *Cc:* Mike Jones <Michael.Jones at microsoft.com>;
>> openid-specs-ab at lists.openid.net
>> *Subject:* Re: [Openid-specs-ab] Review of
>> openid-connect-4-identity-assurance-04
>>
>> I agree with "verified_claims".
>>
>> Thanks!
>>
>> -- Mike
>> ------------------------------
>>
>> *From:* Torsten Lodderstedt <torsten at lodderstedt.net>
>> *Sent:* Friday, June 14, 2019 5:47:17 PM
>> *To:* Mike Jones
>> *Cc:* Daniel Fett; openid-specs-ab at lists.openid.net
>> *Subject:* Re: Review of openid-connect-4-identity-assurance-04
>>
>> Hi Mike,
>>
>> Thanks a lot for your substantial feedback.
>>
>> While I'm incorporating it, I would like to sort out one question:
>>
>> > On 1. Jun 2019, at 02:16, Mike Jones <Michael.Jones at microsoft.com>
>> wrote:
>> >
>> > All Sections:  Generalize kinds of verified claims.  The most important
>> issue is to generalize the goal of the document from defining how to use
>> “verified person data” to defining how to use “verified data”.  This work
>> isn’t happening in a vacuum.  There are other efforts to define
>> representations of verified claims in the industry, including
>> https://w3c.github.io/vc-data-model/,
>> that take this more general approach, but propose much more complicated
>> data representations that are not based on JWTs.  It would be highly
>> beneficial to have a simple general JWT-based “verified data”
>> representation that is general-purpose.  Indeed, that’s the possibility
>> that excites me about this work.  Don’t get me wrong – I believe that all
>> the particulars for verified people data can and should remain.  The main
>> concrete change needed is to rename “verified_person_data” to
>> “verified_data”.
>>
>> I think “verified_claims” would fit even better. What do you think?
>>
>> best regards,
>> Torsten.
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
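Added example, not taken from any message in this thread and not code from the identity assurance draft: a Go sketch (standard library only) of what "an assertion whose authorship can be cryptographically verified" means in the JWT setting Mike refers to. It signs an ID-Token-style payload as an ES256 JWS, then verifies it the way a relying party would, treating anything under `verified_claims` as third-party attested only after the issuer signature checks out. The shape of the `verified_claims` object (a `verification` block next to the `claims`), the `trust_framework`/`time` keys, the issuer URL, subject, e-mail and name are all assumptions made for illustration, as is the throwaway issuer key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// VerifiedClaims is the ASSUMED shape of a third-party attested claim set: who verified what and how, plus the claims.
type VerifiedClaims struct {
	Verification map[string]string `json:"verification"`
	Claims       map[string]string `json:"claims"`
}

// Payload is a minimal ID-Token-style body: an OP-checked self-asserted email next to verified_claims.
type Payload struct {
	Iss            string          `json:"iss"`
	Sub            string          `json:"sub"`
	Email          string          `json:"email,omitempty"`
	EmailVerified  bool            `json:"email_verified,omitempty"`
	VerifiedClaims *VerifiedClaims `json:"verified_claims,omitempty"`
}

var b64 = base64.RawURLEncoding

// NewIssuerKey generates a throwaway P-256 key standing in for the issuer (constructed, not a real OP key).
func NewIssuerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign produces a compact JWS (ES256) over the payload with the issuer key.
func Sign(p Payload, key *ecdsa.PrivateKey) (string, error) {
	body, _ := json.Marshal(p) // cannot fail for this struct
	input := b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is R||S, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify pins alg to ES256, checks the signature with the trusted issuer key and only then parses the
// payload: verified_claims is trusted because authorship checks out, not because the token says "verified".
func Verify(token string, pub *ecdsa.PublicKey) (*Payload, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	var hdr map[string]any
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr["alg"] != "ES256" {
		return nil, errors.New("unexpected or missing alg") // rejects "none" and alg swaps
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	body, err := b64.DecodeString(parts[1])
	var p Payload
	if err != nil || json.Unmarshal(body, &p) != nil {
		return nil, errors.New("bad payload encoding")
	}
	return &p, nil
}

// SampleToken signs a constructed payload: an OP-verified email next to a given_name attested under a hypothetical trust framework.
func SampleToken(key *ecdsa.PrivateKey) (string, error) {
	return Sign(Payload{
		Iss: "https://op.example", Sub: "user-42", Email: "max@example.org", EmailVerified: true, // constructed
		VerifiedClaims: &VerifiedClaims{
			Verification: map[string]string{"trust_framework": "example_tf", "time": "2019-06-14T08:42:00Z"},
			Claims:       map[string]string{"given_name": "Max"},
		},
	}, key)
}

// Tamper swaps in a payload whose attested given_name differs but keeps the original signature; Verify must reject it.
func Tamper(token string) string {
	parts := strings.Split(token, ".")
	forged := `{"iss":"https://op.example","sub":"user-42","verified_claims":{"verification":{},"claims":{"given_name":"Mallory"}}}`
	return parts[0] + "." + b64.EncodeToString([]byte(forged)) + "." + parts[2]
}

func main() {
	key, _ := NewIssuerKey()
	tok, _ := SampleToken(key)
	_, err := Verify(Tamper(tok), &key.PublicKey)
	println("tampered token rejected:", err != nil) // prints true
}
```

The point the sketch makes for the naming debate: `email_verified` records that the OP itself checked a self-asserted value, while the `verification` block travels with the claims and names who vouched for them and when; in both cases the relying party learns nothing it can rely on until the issuer's signature has been checked against a key it already trusts, so the "verified" adjective describes provenance carried inside an integrity-protected assertion, not a property the RP can take on faith. Pinning `alg` before touching the signature is what keeps an unsigned or re-signed token from ever reaching the claim parser.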