[Openid-specs-ab] Review of openid-connect-4-identity-assurance-04

Tom Jones thomasclinganjones at gmail.com
Mon Jun 17 19:21:52 UTC 2019


Careful - there is a distinction between verifiable and verified. I hope
that this discussion is about verified claims.
I can't see how a verifiable claim could be part of an OIDC interchange.
Peace ..tom


On Mon, Jun 17, 2019 at 10:41 AM Jim Willeke <jim at willeke.com> wrote:

> https://www.w3.org/2017/vc/WG/ is working on it and U-Port
> <https://developer.uport.me/messages/verification> has some data and
> definitions.
>
> Generally, it seems a Verifiable Claim is an assertion made by a
> Third-party about a subject which is tamper-proof and whose authorship can
> be cryptographically verified.
>
> --
> -jim
> Jim Willeke
>
>
> On Mon, Jun 17, 2019 at 1:10 PM Tom Jones via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>> Mike: I appreciate the reference to verified email and other subject
>> supplied claims. In those cases the verifier is the RP client or OP as the
>> case may be.
>> What is missing AFAICT is the concept of third party verification, which
>> is what is needed here. Extending verified to this case may, or may not, be
>> a good idea.
>> The current unmet problem of the verified claims is that, first of all,
>> the {subject, client, whatever} needs to trust the verifier.
>> I have been building a solution to that problem based on the OIDC
>> federation draft.
>> This is a problem for which AFAICT no standards group has a solution.
>> One existing model is the attestation server of the TPM or the network
>> policy server in Windows.
>> Would this group be prepared to deal with such a doc if I tried to create
>> it?
>> Does anyone else need such a solution and would like to work on it?
>> Peace ..tom
>>
>>
>> On Mon, Jun 17, 2019 at 9:14 AM Mike Jones <Michael.Jones at microsoft.com>
>> wrote:
>>
>>> Use of "verified" in this context with this meaning is already existing
>>> practice. For instance see the use of the "verified" term in the
>>> "phone_number_verified" and "email_verified" claims from
>>> https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
>>> and https://www.iana.org/assignments/jwt/jwt.xhtml#claims.
>>>
>>> We should continue using the same term in this context since it has the
>>> same meaning. Inventing another term for the same thing would only cause
>>> needless confusion.
>>>
>>> -- Mike
>>> ------------------------------
>>> *From:* Anthony Nadalin
>>> *Sent:* Monday, June 17, 2019 5:42:35 PM
>>> *To:* Tom Jones; Artifact Binding/Connect Working Group
>>> *Cc:* Mike Jones; Torsten Lodderstedt
>>> *Subject:* RE: [Openid-specs-ab] Review of
>>> openid-connect-4-identity-assurance-04
>>>
>>>
>>> If I understand the meaning of “verified” here I would say that
>>> “registered claim” is a far better term, and gets away from the false sense
>>> of “verified”.
>>>
>>>
>>>
>>> *From:* Tom Jones <thomasclinganjones at gmail.com>
>>> *Sent:* Sunday, June 16, 2019 12:51 PM
>>> *To:* Artifact Binding/Connect Working Group <
>>> openid-specs-ab at lists.openid.net>
>>> *Cc:* Mike Jones <Michael.Jones at microsoft.com>; Torsten Lodderstedt <
>>> torsten at lodderstedt.net>; Anthony Nadalin <tonynad at microsoft.com>
>>> *Subject:* Re: [Openid-specs-ab] Review of
>>> openid-connect-4-identity-assurance-04
>>>
>>>
>>>
>>> Ah Tony - the JWT definition seems good enough to me. Provided value can
>>> be a complex structure like an address.
>>>
>>> Here is the definition in my glossary: A statement by or about a
>>> Subject <https://tcwiki.azurewebsites.net/index.php?title=Claim#Full_Title_or_Meme>
>>> is a claim. If there is some corroboration of the claim, it is called
>>> a Validated claim
>>> <https://tcwiki.azurewebsites.net/index.php?title=Claim#Full_Title_or_Meme>.
>>>
>>> Here is the definition from Skeats: to call out for, or to publish,
>>> pretty much the same meaning as the Latin word *clamare*.
>>>
>>>
>>>
>>> The adjectives verified, validated and registered should all work. I do
>>> like the historical precedent for registered myself.
>>>
>>>
>>> Peace ..tom
>>>
>>>
>>>
>>>
>>>
>>> On Sat, Jun 15, 2019 at 8:04 PM Anthony Nadalin via Openid-specs-ab <
>>> openid-specs-ab at lists.openid.net> wrote:
>>>
>>> It's a very very poor definition, you need to look at the real
>>> definition not a made up one
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> *From:* Mike Jones
>>> *Sent:* Saturday, June 15, 2019 7:37:55 AM
>>> *To:* Torsten Lodderstedt; Anthony Nadalin
>>> *Cc:* Artifact Binding/Connect Working Group
>>> *Subject:* RE: Review of openid-connect-4-identity-assurance-04
>>>
>>>
>>>
>>> The normative definition of “Claim” for JWTs is this one from the JWT
>>> spec at https://tools.ietf.org/html/rfc7519#section-2:
>>>
>>>
>>>
>>>    Claim
>>>       A piece of information asserted about a subject.  A claim is
>>>       represented as a name/value pair consisting of a Claim Name and a
>>>       Claim Value.
>>>
>>>
>>>
>>> It says nothing about doubt – just that the information was asserted.
>>> Therefore, I continue to agree that Torsten’s suggested identifier
>>> “verified_claim” is the right one.
>>>
>>>
>>>
>>> -- Mike
>>>
>>>
>>>
>>> *From:* Torsten Lodderstedt <torsten at lodderstedt.net>
>>> *Sent:* Saturday, June 15, 2019 12:52 AM
>>> *To:* Anthony Nadalin <tonynad at microsoft.com>
>>> *Cc:* Mike Jones <Michael.Jones at microsoft.com>; Artifact
>>> Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
>>> *Subject:* Re: Review of openid-connect-4-identity-assurance-04
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 14.06.2019 at 18:48, Anthony Nadalin <tonynad at microsoft.com> wrote:
>>>
>>> It’s not a claim then, it’s a statement, it does not matter who has the
>>> claim, the issuer or the beholder, it’s still in doubt. I don’t understand
>>> enough of the “verified” statement since the language is vague in the
>>> specification, is it the provenance of the data or the truth of the data?
>>>
>>>
>>>
>>> I would say first of all truth but backed by data about the provenance.
>>>
>>>
>>>
>>> Happy to incorporate your text proposals to improve the spec language.
>>>
>>>
>>>
>>>
>>>
>>> *From:* Mike Jones <Michael.Jones at microsoft.com>
>>> *Sent:* Friday, June 14, 2019 9:45 AM
>>> *To:* Anthony Nadalin <tonynad at microsoft.com>; Artifact Binding/Connect
>>> Working Group <openid-specs-ab at lists.openid.net>; Torsten Lodderstedt <
>>> torsten at lodderstedt.net>
>>> *Subject:* Re: Review of openid-connect-4-identity-assurance-04
>>>
>>>
>>>
>>> A claim is a statement made by the issuer. A verified claim is one with
>>> evidence backing it beyond the veracity of the issuer.
>>>
>>> Doubt or belief are both properties of the beholder - not the issuer.
>>>
>>> -- Mike
>>> ------------------------------
>>>
>>> *From:* Anthony Nadalin
>>> *Sent:* Friday, June 14, 2019 6:44:29 PM
>>> *To:* Artifact Binding/Connect Working Group; Torsten Lodderstedt
>>> *Cc:* Mike Jones
>>> *Subject:* RE: Review of openid-connect-4-identity-assurance-04
>>>
>>>
>>>
>>> A claim is something in doubt, how can you have a verified claim?
>>>
>>>
>>>
>>> *From:* Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> *On
>>> Behalf Of *Mike Jones via Openid-specs-ab
>>> *Sent:* Friday, June 14, 2019 8:42 AM
>>> *To:* Torsten Lodderstedt <torsten at lodderstedt.net>
>>> *Cc:* Mike Jones <Michael.Jones at microsoft.com>;
>>> openid-specs-ab at lists.openid.net
>>> *Subject:* Re: [Openid-specs-ab] Review of
>>> openid-connect-4-identity-assurance-04
>>>
>>>
>>>
>>> I agree with "verified_claims".
>>>
>>> Thanks!
>>>
>>> -- Mike
>>> ------------------------------
>>>
>>> *From:* Torsten Lodderstedt <torsten at lodderstedt.net>
>>> *Sent:* Friday, June 14, 2019 5:47:17 PM
>>> *To:* Mike Jones
>>> *Cc:* Daniel Fett; openid-specs-ab at lists.openid.net
>>> *Subject:* Re: Review of openid-connect-4-identity-assurance-04
>>>
>>>
>>>
>>> Hi Mike,
>>>
>>> Thanks a lot for your substantial feedback.
>>>
>>> While I'm incorporating it, I would like to sort out one question:
>>>
>>> > On 1. Jun 2019, at 02:16, Mike Jones <Michael.Jones at microsoft.com> wrote:
>>> >
>>> > All Sections:  Generalize kinds of verified claims.  The most
>>> > important issue is to generalize the goal of the document from defining how
>>> > to use “verified person data” to defining how to use “verified data”.  This
>>> > work isn’t happening in a vacuum.  There are other efforts to define
>>> > representations of verified claims in the industry, including
>>> > https://w3c.github.io/vc-data-model/,
>>> > that take this more general approach, but propose much more complicated
>>> > data representations that are not based on JWTs.  It would be highly
>>> > beneficial to have a simple general JWT-based “verified data”
>>> > representation that is general-purpose.  Indeed, that’s the possibility
>>> > that excites me about this work.  Don’t get me wrong – I believe that all
>>> > the particulars for verified people data can and should remain.  The main
>>> > concrete change needed is to rename “verified_person_data” to
>>> > “verified_data”.
>>>
>>> I think “verified_claims” would fit even better. What do you think?
>>>
>>> best regards,
>>> Torsten.
>>>
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>
>>
>
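The thread turns on two distinctions that a relying party has to enforce in code: a claim that merely carries a companion `*_verified` flag (the `email_verified` / `phone_number_verified` pattern Mike cites from OpenID Connect Core) versus a self-asserted one, and, for Tom's third-party case, a verified claim from a verifier the RP actually trusts versus one it does not. The example below is added here and is not code from the thread or from the identity assurance draft; the claim set is constructed, and the shape of the `verified_claims` element (a `verification` object naming a `trust_framework`, beside a `claims` object) is an assumption about the draft's layout, not something the thread states.

```python
"""Separate self-asserted, OP-verified and third-party-verified claims in an
OIDC claim set. Added example; claim set and verified_claims layout are
constructed/assumed, not taken from the mailing-list thread."""

# Constructed sample claim set (not from the thread). Mixes a claim verified by
# the OP (email_verified true), one explicitly unverified (phone_number) and a
# block verified by a third party under an assumed trust framework.
SAMPLE_CLAIMS = {
    "iss": "https://op.example",
    "sub": "248289761001",
    "email": "alice@example.com",
    "email_verified": True,
    "phone_number": "+1-555-0100",
    "phone_number_verified": False,
    "verified_claims": {                       # assumed layout, see lead-in
        "verification": {"trust_framework": "example_framework"},
        "claims": {"given_name": "Alice", "family_name": "Example"},
    },
}


def verified_value(claims, name):
    """Return claims[name] only when its companion <name>_verified flag is the
    JSON boolean true. A missing flag, false, the string "true" or the
    integer 1 all leave the claim self-asserted, so None is returned."""
    flag = claims.get(name + "_verified")
    if flag is not True:
        return None
    return claims.get(name)


def trusted_verified_claims(claims, trusted_frameworks):
    """Return the third-party verified claims only if the verifier's trust
    framework is one the RP has decided to trust (Tom's point: the RP must
    trust the verifier, otherwise the 'verified' label carries nothing)."""
    block = claims.get("verified_claims")
    if not isinstance(block, dict):
        return {}
    verification = block.get("verification")
    if not isinstance(verification, dict):
        return {}
    if verification.get("trust_framework") not in trusted_frameworks:
        return {}
    inner = block.get("claims")
    return dict(inner) if isinstance(inner, dict) else {}


if __name__ == "__main__":
    print("verified email:", verified_value(SAMPLE_CLAIMS, "email"))
    print("verified phone:", verified_value(SAMPLE_CLAIMS, "phone_number"))
    print("trusted block:", trusted_verified_claims(SAMPLE_CLAIMS, {"example_framework"}))
    print("untrusted block:", trusted_verified_claims(SAMPLE_CLAIMS, {"some_other_framework"}))
```

The strict `is True` check matters in practice: an OP that emits `"email_verified": "true"` as a string is not asserting the boolean the Core spec defines, and treating it as verified is how an RP ends up binding accounts on an unverified address. The trust-framework allowlist is the RP-side half of Tom's "needs to trust the verifier" problem; the example deliberately does not try to solve how that list is established.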