<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Helvetica, Arial, sans-serif">I still like the idea of
'schema=poco' and then the schema is defined :)</font><br>
<br>
On 9/20/11 6:57 PM, John Bradley wrote:
<blockquote
cite="mid:AB37BB49-4743-4FDB-BCF7-3D1286D109F9@ve7jtb.com"
type="cite">I took collision-resistant
namespace to be URI (including URN).
<div><br>
</div>
<div>I don't know that for user-info endpoint interoperability we
necessarily want to go as far as JWT where almost anything is
allowed.</div>
<div><br>
</div>
<div>For OpenID Connect we should require or strongly recommend
URI for claims. Otherwise we get IdPs defining different
semantics for the same claim names.</div>
<div><br>
</div>
<div>John B.</div>
<div><br>
<div>
<div>On 2011-09-20, at 7:15 PM, Mike Jones wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite"><span class="Apple-style-span">
<div link="blue" vlink="purple" lang="EN-US">
<div class="WordSection1" style="page: WordSection1; ">
<div>Actually, claim names need not be URIs. See <a
moz-do-not-send="true"
href="http://self-issued.info/docs/draft-jones-json-web-token-05.html#anchor4">Section
4</a> of the JWT spec, which allows the use of any of the reserved
claim names, public claim names (which are to be taken from a
collision-resistant namespace), and private claim names (which can
be any string at all). The UserInfo claim names are actually an
example of the use of private claim names. Others could be used as
well besides those defined by the JWT and OpenID Connect Messages
specs.</div>
<div><br></div>
<div>-- Mike</div>
<div><br></div>
<div>-----Original Message-----<br>
From: <a moz-do-not-send="true"
href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a>
[mailto:openid-specs-ab-bounces@lists.openid.net] On Behalf Of John Bradley<br>
Sent: Tuesday, September 20, 2011 2:44 PM<br>
To: Roland Hedberg<br>
Cc: <a moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
Subject: Re: [Openid-specs-ab] Reserved member definitions</div>
<div><br></div>
<div>The schema is extended by using claims.</div>
<div><br></div>
<div>All claim names MUST be URIs.</div>
<div><br></div>
<div>Just a small number of non-URI strings are reserved in the schema
for common claims.</div>
<div><br></div>
<div>So yes, you could use foaf or eduperson URIs.</div>
<div><br></div>
<div>Perhaps that needs clarification.</div>
<div><br></div>
<div>John</div>
<div><br></div>
<div><br></div>
<div>On 2011-09-20, at 3:39 AM, Roland Hedberg wrote:</div>
<div><br></div>
<div>></div>
<div>> On 19 Sep 2011, at 23:54, John Bradley wrote:</div>
<div>></div>
<div>>> I am sympathetic to the position.</div>
<div>>></div>
<div>>> However, without namespace support in JSON, we just end up adding
extra characters to the reserved names for not much more than formal
correctness.</div>
<div>></div>
<div>> Yeah, that is a serious limitation to JSON.</div>
<div>></div>
<div>>> The decision was to go for a fixed schema (implied namespace) and
fully namespaces claims.</div>
<div>></div>
<div>> What do you mean with 'fully namespaces claims'?</div>
<div>></div>
<div>>> Perhaps being clear that all of the reserved claim names have an
implied namespace that is not included in the JSON itself.</div>
<div>></div>
<div>> That would be important in the future.</div>
<div>></div>
<div>> OpenID Connect comes from OpenID, which I have understood as being
geared towards individuals maintaining their net identity.</div>
<div>> I've been thinking about what it would take to make OpenID Connect
usable in an organization context or, for that matter, in the context of
federations of organizations. Something which I'd like to see as in
scope.</div>
<div>></div>
<div>> And the first thing I stumble across is the lack of/limited
extensibility of the schema.</div>
<div>> This is a major limitation.</div>
<div>> It is just a matter of course that there isn't an organization out
there that doesn't have at least one attribute that is specific to them
(at least they think it is) that they just have to have in an identity
provider for it to be usable in their context.</div>
<div>> So, having an implied namespace for the OpenID Connect attributes,
could we allow for 'fully qualified' attributes from other
namespaces?</div>
<div>></div>
<div>> For instance:</div>
<div>></div>
<div>> {</div>
<div>> "name": "Jane Doe",</div>
<div>> "given_name": "Jane",</div>
<div>> "family_name": "Doe",</div>
<div>> "email": "janedoe@example.com",</div>
<div>> "picture": "http://example.com/janedoe/me.jpg",</div>
<div>> "http://xmlns.com/foaf/0.1/title": "Ms"</div>
<div>> }</div>
<div>></div>
<div>> -- Roland</div>
</div>
</div>
</span></blockquote>
</div>
<br>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
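<div>The three claim-name classes Mike cites from the JWT draft, and John's point that only URI-namespaced names keep one meaning across IdPs, as an added example (not code from the thread or from any OpenID project). The reserved set is an assumption taken from Roland's sample, and the URN and "department" claims in the sample input are constructed placeholders.</div>

```python
# Added example (not from the thread): sort the claim names of a UserInfo
# or JWT claims object into the three classes of draft-jones-json-web-token-05
# Section 4: reserved, public (collision-resistant namespace, read here as
# John does: a URI, URNs included) and private (any other string).
import json
import re

# Assumption: the UserInfo schema names from Roland's sample stand in for
# the spec's reserved set; a real RP would load the full set from the spec.
SCHEMA_RESERVED = {"name", "given_name", "family_name", "email", "picture"}

# RFC 3986 scheme syntax, ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), ":" and
# a non-empty remainder. Any "prefix:rest" string passes, so a bare CURIE
# such as "foaf:title" is also treated as public here.
_URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:\S+$")

def classify_claim(name, reserved=SCHEMA_RESERVED):
    """Return 'reserved', 'public' (URI/URN) or 'private' for one claim name."""
    if name in reserved:
        return "reserved"
    if _URI_RE.match(name):
        return "public"
    return "private"

def partition_claims(claims, reserved=SCHEMA_RESERVED):
    """Group a claims dict by class, keeping each class in document order."""
    groups = {"reserved": [], "public": [], "private": []}
    for name in claims:
        groups[classify_claim(name, reserved)].append(name)
    return groups

def unnamespaced_claims(claims, reserved=SCHEMA_RESERVED):
    """Names an RP cannot rely on across IdPs: neither in the shared schema
    nor URI-qualified, so two IdPs may mean different things by them."""
    return partition_claims(claims, reserved)["private"]

# Constructed sample: Roland's UserInfo example plus a URN-qualified
# eduPerson-style name and a bare vendor name (both placeholders).
SAMPLE_USERINFO = json.loads("""{
  "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe",
  "email": "janedoe@example.com",
  "picture": "http://example.com/janedoe/me.jpg",
  "http://xmlns.com/foaf/0.1/title": "Ms",
  "urn:example:eduperson:affiliation": "staff",
  "department": "example-dept"
}""")

if __name__ == "__main__":
    print(json.dumps(partition_claims(SAMPLE_USERINFO), indent=2))
```

Running it prints the partition; the "private" list is what a relying party following John's "require URI" rule would refuse to interpret as shared semantics.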
<br>
</body>
</html>