<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>My interpretation of acr values is that they are an ordered, strongly ascending list of values like: 1,2,3,4 or bronze, silver, gold – each including the other semantically. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The meaning has to be defined somewhere. Maybe through NIST <a href="http://www.itl.nist.gov/lab/bulletns/bltnaug04.htm">http://www.itl.nist.gov/lab/bulletns/bltnaug04.htm</a> or ISO or a trust framework.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>NIST level of assurance 4 includes level 1.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thus it makes no sense to have multiple values in acr. acr=[bronze, gold] is the same as “gold”.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>We added amr later to be able to say more about the authentication than just a level.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> E.g. amr = [otp+hard, pwd] (an OTP hardware token and a password were used to authenticate the user)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The meaning of this has to be defined between IdP and RP. 
(SAML authentication classes?)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><a href="http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf">http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Whether acr should be sent or not if not asked for…<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I guess this is an exercise for a profile of OpenID Connect.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I imagine that FICAM could have a profile that requires acr to always be asked for and always be delivered in the IdP’s response.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Axel<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> openid-specs-ab-bounces@lists.openid.net [mailto:openid-specs-ab-bounces@lists.openid.net] <b>On Behalf Of </b>Nat Sakimura<br><b>Sent:</b> Monday, June 
03, 2013 11:24 AM<br><b>To:</b> Torsten Lodderstedt<br><b>Cc:</b> OpenId Connect List<br><b>Subject:</b> Re: [Openid-specs-ab] amr vs acr<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Yes, that's the idea. OP will choose an acr (probably the lowest) value that fits one of the acr values that the RP specified. <o:p></o:p></p><div><p class=MsoNormal>The reasons that I can think of / remember are: <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>1. RP will probably not understand the values that it did not ask for. <o:p></o:p></p></div><div><p class=MsoNormal>2. It is possible that returning multiple acr may expose the OP to unnecessary liability risk. <o:p></o:p></p></div><div><p class=MsoNormal>3. Returning many values is leaking information. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>My caution against amr is that the values are not well defined - it has no repository. It can be very generic like 'otp', whose security characteristics vary widely, but RPs are prone to make a mistake in their risk evaluation, etc. For amr to be useful, it has to have a common understanding of the security characteristics of each value and the trust framework behind it. Once that is defined, then a sophisticated RP can use it as an input to their own risk evaluation of the transaction, which is good. But at the same time, a simple RP may go awfully wrong by using the value without deeply thinking about its meaning. 
<o:p></o:p></p></div></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>2013/6/3 Torsten Lodderstedt <<a href="mailto:torsten@lodderstedt.net" target="_blank">torsten@lodderstedt.net</a>><o:p></o:p></p><div><p>Hi Nat,<o:p></o:p></p><p>we traditionally indicate all authentication classes fulfilled by a particular session/login transaction to our RPs, no matter whether the RP requested a certain class or not. We would like to keep it that way.<o:p></o:p></p><p>Having said that, I would like to understand how you (and the WG) envision the usage of acrs. Does an acr response only make sense if the RP explicitly requested one or more acrs? So is the acr only used to confirm the fulfillment of an RP's requirement for a certain login transaction?<o:p></o:p></p><p>regards,<br>Torsten.<o:p></o:p></p><p>On 03.06.2013 01:04, Nat Sakimura wrote:<o:p></o:p></p><div><div><blockquote style='border:none;border-left:solid #1010FF 1.5pt;padding:0cm 0cm 0cm 4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>Torsten, <o:p></o:p></p><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>What is your use case for a multi-valued acr response? <o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>FYI, a client can 'request' multiple acr values. <o:p></o:p></p></div><div><p class=MsoNormal>The server, if it can fulfill, picks one and responds. <o:p></o:p></p></div></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>2013/6/1 Torsten Lodderstedt <<a href="mailto:torsten@lodderstedt.net" target="_blank">torsten@lodderstedt.net</a>><o:p></o:p></p><div><div><p class=MsoNormal>Hi Mike,<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>can you still remember the arguments? 
I couldn't find a note about this discussion in the respective minutes (<span style='font-size:11.5pt'><a href="http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20130304/003231.html" target="_blank">http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20130304/003231.html</a>).</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.5pt'> </span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.5pt'>regards,</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.5pt'>Torsten.</span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><br>On 01.06.2013 at 15:25, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:<o:p></o:p></p></div><div><div><blockquote style='border:none;border-left:solid #1010FF 1.5pt;padding:0cm 0cm 0cm 4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Having a multi-valued “acr” was what the issue originally proposed. John, Nat, and I think Tony all argued in the March 4<sup>th</sup> call that that was the wrong thing to do. 
They convinced me that they’re right.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> -- Mike</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Torsten Lodderstedt [<a href="mailto:torsten@lodderstedt.net" target="_blank">mailto:torsten@lodderstedt.net</a>] <br><strong><span style='font-family:"Tahoma","sans-serif"'>Sent:</span></strong> Friday, May 31, 2013 11:26 PM<br><strong><span style='font-family:"Tahoma","sans-serif"'>To:</span></strong> Mike Jones<br><strong><span style='font-family:"Tahoma","sans-serif"'>Cc:</span></strong> John Bradley; OpenId Connect List<br><strong><span style='font-family:"Tahoma","sans-serif"'>Subject:</span></strong> Re: [Openid-specs-ab] amr vs acr</span><o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Hi,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>seems no one is really comfortable with the current design. 
Why not drop amr and make acr multi-valued?<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>regards,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Torsten.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><br>On 01.06.2013 at 03:55, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>That aligns with my thinking as well.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> John Bradley [<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">mailto:ve7jtb@ve7jtb.com</a>] <br><strong><span style='font-family:"Tahoma","sans-serif"'>Sent:</span></strong> Friday, May 31, 2013 6:54 PM<br><strong><span style='font-family:"Tahoma","sans-serif"'>To:</span></strong> Mike Jones<br><strong><span style='font-family:"Tahoma","sans-serif"'>Cc:</span></strong> Nat Sakimura; OpenId Connect List<br><strong><span style='font-family:"Tahoma","sans-serif"'>Subject:</span></strong> Re: [Openid-specs-ab] amr vs acr</span><o:p></o:p></p></div></div><p class=MsoNormal 
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>amr is something people think they want, but it winds up being too inflexible for any real use. Mostly it is token vendors that push it. Once an IdP starts saying the user was authenticated with brand x token or card it is too difficult to keep a federation in sync unless it is quite small. <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>acr is a good level of abstraction and can cover all the real use cases I know of. <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On the other hand amr will let people learn the mistakes of SAML over again. <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>It is not the end of the world to have it as an option. <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>Sent from my iPhone<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><br>On 2013-05-31, at 10:19 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I disagree with the MUSTs. We already have language in place saying that if claims aren’t understood, they should be ignored, so there’s no actual problem. 
(Were there a problem, it would apply to “acr” as well.)</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I could see going as far as saying, in both “acr” and “amr” that “The definition of particular values to be used in the </span><span style='font-size:11.0pt;font-family:"Courier New";color:#1F497D'>acr/amr</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> Claim is beyond the scope of this specification. Parties using this claim will need to agree on the meanings of the values used for it to be useful to them.”</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> -- Mike</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Nat Sakimura [<a href="mailto:sakimura@gmail.com" target="_blank">mailto:sakimura@gmail.com</a>] <br><strong><span style='font-family:"Tahoma","sans-serif"'>Sent:</span></strong> Friday, May 31, 2013 6:06 PM<br><strong><span style='font-family:"Tahoma","sans-serif"'>To:</span></strong> Mike Jones<br><strong><span 
style='font-family:"Tahoma","sans-serif"'>Cc:</span></strong> Torsten Lodderstedt; OpenId Connect List<br><strong><span style='font-family:"Tahoma","sans-serif"'>Subject:</span></strong> Re: [Openid-specs-ab] amr vs acr</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Ah, that's the call in the morning of the JICS that you did on the 11th floor of NII. <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I came in late, sitting at a different table, so hearing the call was a bit hard, but I did not mind as I was very much distracted by various things to be dealt with for JICS. <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I remember talking about changing 1,2,3,4 as it became non-compliant with the RFC, as well as arguing against conflating authentication method with the authentication class, on the basis that authentication method by itself is useless and harmful, as in the previous mail. I mistakenly thought that I had killed the idea of amr, which apparently I had not. <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Unfortunately, the discussion is not recorded in <a href="http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20130304/003231.html" target="_blank">http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20130304/003231.html</a>. 
<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Probably, we should add some warning text to amr then. At the end of the definition of amr, how about adding the following? <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>When using amr, the RP and OP MUST define the common context including the meaning, security characteristics, and the compliance requirement for using it and the RP MUST be able to evaluate the values according to the defined context. <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>That would mitigate my worries. <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>2013/6/1 Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>This was one of the two open issues discussed on the 4-Mar-13 working group call. You were on that call, according to the minutes. We had a fairly extensive discussion about the meaning of “acr” and the right way to return information about authentication methods used. 
Originally the request was to allow multi-valued “acr” values. There was a use case where an implementation wanted to communicate the actual methods used such as “password”, “OTP”, “code in text message”, etc. and I’d originally advocated for letting “acr” be multi-valued, just like PAPE did. John, Tony, and I think you convinced us that conflating classes with methods would create more problems than it would solve and that it was better to define an optional claim for returning an array of methods used, when needed.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>On that call we also deleted the LoA values “1”, “2”, “3”, and “4” since as part of that discussion, it came up that they are prohibited by RFC 6711. Instead, we replaced the example values used with real values from InCommon - urn:mace:incommon:iap:bronze and urn:mace:incommon:iap:silver.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I don’t think that we should require “acr” when “amr” is used, because there may not be a class, even though there are methods. It depends upon the business context in which the parties are communicating. Like “acr”, “amr” is only useful when the values are understood by both parties. Nonetheless, it’s better to have a standard claim for these methods than to have everyone make up a different one. 
This kind of information is used in practice, in some contexts.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> -- Mike</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>] <strong><span style='font-family:"Tahoma","sans-serif"'>On Behalf Of </span></strong>Nat Sakimura<br><strong><span style='font-family:"Tahoma","sans-serif"'>Sent:</span></strong> Friday, May 31, 2013 4:53 PM<br><strong><span style='font-family:"Tahoma","sans-serif"'>To:</span></strong> Torsten Lodderstedt<br><strong><span style='font-family:"Tahoma","sans-serif"'>Cc:</span></strong> OpenId Connect List<br><strong><span style='font-family:"Tahoma","sans-serif"'>Subject:</span></strong> Re: [Openid-specs-ab] amr vs acr</span><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>s/<span style='font-size:10.5pt;font-family:"Arial","sans-serif"'> where acr gives more context to the values of acr. 
/ where acr gives more context to the values of amr. /</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>2013/6/1 Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I suppose you mean amr, not acm. <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I actually was not aware of amr till now. It seems it was a fairly quick decision made between March 4 and 6. <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>See <a href="https://bitbucket.org/openid/connect/issue/789/make-acr-claim-values-be-arrays-of-acr" target="_blank">https://bitbucket.org/openid/connect/issue/789/make-acr-claim-values-be-arrays-of-acr</a><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>At the time, I was so busy managing JICS 2013 that it went unnoticed by me. <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I also searched through the list archive, but I cannot find the topic in it. There is no record of the decision in the call notes either. <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Mike, could you point us to the record of how the WG decision was reached? 
<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Apparently, amr is the list of authentication methods, while acr is the indicator of the identity proofing and authentication quality. <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>i.e., amr is just the list of such things as "password", "otp", etc. while acr is "InCommon Silver", "ISO29115 LoA 3", etc. <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Personally, I do not see much value in amr since it does not indicate any quality information. It may even be harmful when used without context in the sense that it may create a false sense of security for the relying parties. For example, "otp" by itself does not mean it is secure. An OTP system with a badly managed seed will generate a predictable sequence of "one time passwords", which is not secure at all. It would only be meaningful when there is an assurance that the system is properly managed. In this respect, amr may be meaningful as auxiliary information only when it is used with acr, where acr gives more context to the values of acr. <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I might want to require acr if amr is used, or drop amr, but that is only my personal opinion. 
<o:p></o:p></p></div></div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>2013/6/1 Torsten Lodderstedt <<a href="mailto:torsten@lodderstedt.net" target="_blank">torsten@lodderstedt.net</a>><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Hi,<br><br>could someone please describe to me the difference between the id token members acr and acm? From my understanding, they are just the same. I'm also interested to learn why the authorization request allows one to specify multiple acrs but does not support specifying any authentication method (via acm). Additionally, why is there no way to indicate more than one acr in the id token?<br><br>Thanks in advance,<br>Torsten.<br>_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#888888'>-- <br>Nat Sakimura (=nat)</span><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#888888'>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</span><o:p></o:p></p></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal 
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>-- <br>Nat Sakimura (=nat)<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en<o:p></o:p></p></div></div></div></div></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>-- <br>Nat Sakimura (=nat)<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en<o:p></o:p></p></div></div></div></blockquote></div></blockquote></div></div></blockquote></div></div></div></div><p class=MsoNormal><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal> <o:p></o:p></p></div><p class=MsoNormal>-- <br>Nat Sakimura (=nat) <o:p></o:p></p><div><p class=MsoNormal>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en<o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal> <o:p></o:p></p></div></div></div></div></div><p class=MsoNormal><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- <br>Nat Sakimura (=nat)<o:p></o:p></p><div><p class=MsoNormal>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en<o:p></o:p></p></div></div></div></body></html>
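The RP-side handling the thread above converges on (a single acr checked against what the RP requested, amr read only inside a context agreed with the OP, unagreed values ignored rather than trusted), as an added Python example that is not code from the OpenID Connect specifications or from any participant. The ordering of the two InCommon acr values, the amr vocabulary, and the sample claims are assumptions constructed for the example; ID Token signature, issuer, audience and expiry checks are taken as already done upstream.

```python
"""RP-side checks for the acr and amr ID Token claims.

Added example, not code from the OpenID Connect specs or from anyone in the
thread. Assumed: RP and OP agreed out of band on an ordered acr list (weakest
first) and on a small amr vocabulary; the claims dict comes from an ID Token
whose signature, iss, aud and exp were already verified.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Agreed acr vocabulary, weakest first. The two InCommon values are the ones the
# thread cites; reading them as an inclusive scale (silver includes bronze) is
# the profile assumption this example makes.
ACR_ORDER: list[str] = [
    "urn:mace:incommon:iap:bronze",
    "urn:mace:incommon:iap:silver",
]

# Agreed amr vocabulary (assumed): method name -> agreed security properties.
# A value outside this dict has no agreed meaning and must not move the RP's
# risk decision in either direction.
AGREED_AMR: dict[str, str] = {
    "pwd": "memorised password, rate limited at the OP",
    "otp": "one-time password from an OP-provisioned generator",
}

# Constructed ID Token payload fragment (already signature-verified upstream).
# "brand-x-token" stands in for a vendor-specific value the RP never agreed to.
SAMPLE_CLAIMS = {
    "iss": "https://op.example.com",
    "sub": "248289761001",
    "aud": "s6BhdRkqt3",
    "acr": "urn:mace:incommon:iap:silver",
    "amr": ["otp", "pwd", "brand-x-token"],
}


@dataclass
class AuthnEvaluation:
    ok: bool
    acr: str | None = None
    known_methods: list[str] = field(default_factory=list)
    ignored_methods: list[str] = field(default_factory=list)
    reasons: list[str] = field(default_factory=list)


def acr_level(acr: str, order: list[str] = ACR_ORDER) -> int | None:
    """Position of acr in the agreed ordering, or None if the RP does not understand it."""
    return order.index(acr) if acr in order else None


def acr_meets_minimum(returned: str, minimum: str, order: list[str] = ACR_ORDER) -> bool:
    """Ordered reading of acr: each level includes the ones below it.

    Only valid when the profile in use defines that ordering; a value the RP
    does not understand never satisfies a minimum, whatever it is called.
    """
    got, need = acr_level(returned, order), acr_level(minimum, order)
    return got is not None and need is not None and got >= need


def evaluate_id_token_claims(claims: dict, requested_acr: list[str]) -> AuthnEvaluation:
    """Check acr against what the RP asked for, then read amr inside the agreed context."""
    ev = AuthnEvaluation(ok=False)
    acr, amr = claims.get("acr"), claims.get("amr")

    # acr is one string; a JSON array here is a malformed token, not "more assurance".
    if acr is not None and not isinstance(acr, str):
        ev.reasons.append("acr must be a single string")
        return ev
    # amr, when present, is a JSON array of strings.
    if amr is not None and not (isinstance(amr, list) and all(isinstance(m, str) for m in amr)):
        ev.reasons.append("amr must be an array of strings")
        return ev

    # The OP returns one acr that fits one of the requested values; anything else
    # is a value the RP did not ask for and cannot interpret.
    if acr is None:
        ev.reasons.append("no acr returned; requested assurance not confirmed")
        return ev
    ev.acr = acr
    if acr not in requested_acr:
        ev.reasons.append(f"acr {acr!r} was not among the requested values")
        return ev

    # amr carries meaning only inside the agreed context and only next to an
    # acceptable acr. Unagreed values are ignored for the decision but recorded,
    # so operators can see which OPs send vocabulary the RP has not agreed to.
    for method in amr or []:
        (ev.known_methods if method in AGREED_AMR else ev.ignored_methods).append(method)
    ev.ok = True
    return ev


if __name__ == "__main__":
    print(evaluate_id_token_claims(SAMPLE_CLAIMS, ["urn:mace:incommon:iap:silver"]))
```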