<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"><base href="x-msg://3245/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">It is likely true that people are asking for amr from Google as the other parameters such as identity proofing account recovery, liability are all fixed in the Google case.<div><br></div><div>For other IdP there are other variables that enter into the strength of the assertion they are making to the RP, that is where acr becomes more important.</div><div><br></div><div>I still personally think that acr can cover everything if someone defines values for strengths of authentication as a trust framework that people can reference. </div><div>Telling RP specific methods winds up causing problems for the IdP down the road. </div><div><br></div><div>John B.</div><div><br><div><div>On 2013-08-12, at 8:23 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div lang="EN-US" link="blue" vlink="purple" style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div class="WordSection1" style="page: WordSection1; "><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">The difference between “acr” and “amr” is that “acr”, by design a single authentication class identifier, where as “amr” provides a list of method identifiers.<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">“acr” is really a statement about business relationships – i.e., “I, the OP, assert that the authentication performed meets the contractual requirements of level Silver in trust framework Foo”.<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">“amr” is about saying what you did – i.e., “I the OP collected a password and verified an Oath OTP value generated by a hardware device”.<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">They’re different – intentionally.<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Tim, it sounds to me like your RPs are actually asking for “amr” – not “acr”.<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> -- Mike<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; "><span class="Apple-converted-space"> </span><a href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a> [mailto:openid-<a href="mailto:specs-ab-bounces@lists.openid.net">specs-ab-bounces@lists.openid.net</a>]<span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>Pamela Dingle<br><b>Sent:</b><span class="Apple-converted-space"> </span>Monday, August 12, 2013 5:10 PM<br><b>To:</b><span class="Apple-converted-space"> </span>John Bradley<br><b>Cc:</b><span class="Apple-converted-space"> </span><<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [Openid-specs-ab] acr values<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">+1. NIST 800-63 tried to give people a rolled up value too. I'm not sure that's something to strive for. There are lots of relying parties who will care only about authentication methods and not policies. And other relying parties who will care about policies but want to be agile about how those policies are executed. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">I'm really excited that you're looking at pursuing this Tim, empowering a large number of Relying Parties to ask for more from their IDPs than a basic validation of an envelope is an exciting feature to offer, in my opinion!<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Cheers,<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Pam<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">On Mon, Aug 12, 2013 at 4:58 PM, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" target="_blank" style="color: purple; text-decoration: underline; ">ve7jtb@ve7jtb.com</a>> wrote:<o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">A single state value is useful but not so much if it turns into a text object describing the subjects entire life. That is where many people went wrong in SAML<o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">We currently have three things in connect:<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">acr which is a abstract identifier for the policy that the session conforms to.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">amr a list of authentication methods used.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">auth_time that can be used to determine the length of the session.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">You can use the acr_values parameter to send an ordered list of the policies that the IdP should conform to, and the max_age parameter to force re-autentication if the limit is exceeded.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">I think it was Google who was resisting having those parameters.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Having the RP ask for specific authentication methods rather than a more general policy is far to brittle outside of a small enterprise situation, that is why at the moment there is no amr_values parameter. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">I think at the time all of this was being worked on Google had no interest to active opposition to parameters like max_age. It might be worth reviewing them on a upcoming call to make sure we are all on the same page. I guess from Mike's emai OX invented some other extensions to do similar things.<o:p></o:p></div></div><div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">John B.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">On 2013-08-12, at 5:45 PM, Tim Bray <<a href="mailto:tbray@textuality.com" target="_blank" style="color: purple; text-decoration: underline; ">tbray@textuality.com</a>> wrote:<o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><br><o:p></o:p></div><div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">On Mon, Aug 12, 2013 at 2:42 PM, Anthony Nadalin <<a href="mailto:tonynad@microsoft.com" target="_blank" style="color: purple; text-decoration: underline; ">tonynad@microsoft.com</a>> wrote:<o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">I can see folks not wanting to look in multiple places and try to piece these together but want a single state value</span><o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Exactly right. <span class="Apple-converted-space"> </span><br><br>I agree with John that it’s going to be tough to come up with something that will actually be helpful to RPs, but I’m getting weary of telling them “No, you shouldn’t want that”, so I think we’re probably going to have to offer something, and I’m actively thinking about how best to communicate that in the OIDC framework. -T<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><br> <o:p></o:p></div></div><blockquote style="border-style: none none none solid; border-left-width: 1pt; border-left-color: rgb(204, 204, 204); padding: 0in 0in 0in 6pt; margin-left: 4.8pt; margin-right: 0in; "><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><a name="14074c0899fe6c6d_140747b73768f0df__MailE"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span></a><o:p></o:p></div><div><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(225, 225, 225); padding: 3pt 0in 0in; "><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">From:</span></b><span style="font-size: 11pt; font-family: Calibri, sans-serif; "><span class="Apple-converted-space"> </span>John Bradley [mailto:<a href="mailto:ve7jtb@ve7jtb.com" target="_blank" style="color: purple; text-decoration: underline; ">ve7jtb@ve7jtb.com</a>]<span class="Apple-converted-space"> </span><br><b>Sent:</b><span class="Apple-converted-space"> </span>Monday, August 12, 2013 1:59 PM<br><b>To:</b><span class="Apple-converted-space"> </span>Tim Bray<br><b>Cc:</b><span class="Apple-converted-space"> </span>Anthony Nadalin; <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline; ">openid-specs-ab@lists.openid.net</a>></span><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [Openid-specs-ab] acr values<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">There is already a auth_time claim. Why would you want to try and overload it in acr.<o:p></o:p></div><div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; background-color: white; "><span style="font-family: Verdana, sans-serif; ">auth_time</span><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif; background-color: white; "><span style="font-family: Verdana, sans-serif; ">OPTIONAL or REQUIRED. Time when the End-User authentication occurred. The time is represented as the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. When a </span><tt style="font-family: 'Courier New'; "><span style="font-size: 10pt; color: rgb(0, 51, 102); ">max_age</span></tt><span style="font-family: Verdana, sans-serif; "> request is made or when </span><tt style="font-family: 'Courier New'; "><span style="font-size: 10pt; color: rgb(0, 51, 102); ">auth_time</span></tt><span style="font-family: Verdana, sans-serif; "> is requested as an Essential Claim, then this Claim is REQUIRED. (The </span><tt style="font-family: 'Courier New'; "><span style="font-size: 10pt; color: rgb(0, 51, 102); ">auth_time</span></tt><span style="font-family: Verdana, sans-serif; "> Claim semantically corresponds to the OpenID 2.0 <a href="http://openid.net/specs/openid-connect-messages-1_0.html#OpenID.PAPE" target="_blank" style="color: purple; text-decoration: underline; "><b><span style="color: rgb(102, 51, 51); text-decoration: none; ">PAPE</span></b></a> [OpenID.PAPE] </span><tt style="font-family: 'Courier New'; "><span style="font-size: 10pt; color: rgb(0, 51, 102); ">auth_time</span></tt><span style="font-family: Verdana, sans-serif; "> response parameter.) The </span><tt style="font-family: 'Courier New'; "><span style="font-size: 10pt; color: rgb(0, 51, 102); ">auth_time</span></tt><span style="font-family: Verdana, sans-serif; "> value is a number.</span><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">If you want to enumerate the factors used for primary authentication you would use:<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; background-color: white; "><span style="font-family: Verdana, sans-serif; ">amr</span><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif; background-color: white; "><span style="font-family: Verdana, sans-serif; ">OPTIONAL. Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. For instance, values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the </span><tt style="font-family: 'Courier New'; "><span style="font-size: 10pt; color: rgb(0, 51, 102); ">amr</span></tt><span style="font-family: Verdana, sans-serif; ">Claim is beyond the scope of this specification. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The </span><tt style="font-family: 'Courier New'; "><span style="font-size: 10pt; color: rgb(0, 51, 102); ">amr</span></tt><span style="font-family: Verdana, sans-serif; "> value is an array of case sensitive strings.</span><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Now I personally think that it is rare for a RP to actually be able to process the primary authentication info and make any sense out of it. That was the experience in SAML everyone wanted it but it doesn't scale in the real world.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">acr is a string, a collision resistent URI or string (There is a IANA registry). It is intended to roll up a bunch of factors such as identity proofing account recovery security and authentication method into a single abstract value that a RP can make a decision on without requiring specific knowledge of the internal practices of the IdP.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">I have seen people using the more detailed information break as soon as one of the IdP introduces a new method and every RP needs to update there code to deal with each change.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Token venders always want the RP to require a specific brand of token etc. You can do it but it is not a good idea.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">John B.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div><div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">On 2013-08-12, at 4:45 PM, Tim Bray <<a href="mailto:tbray@textuality.com" target="_blank" style="color: purple; text-decoration: underline; ">tbray@textuality.com</a>> wrote:<o:p></o:p></div></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt; "><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">An RP.<o:p></o:p></div></div><div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></p><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">On Mon, Aug 12, 2013 at 1:30 PM, Anthony Nadalin <<a href="mailto:tonynad@microsoft.com" target="_blank" style="color: purple; text-decoration: underline; ">tonynad@microsoft.com</a>> wrote:<o:p></o:p></div><blockquote style="border-style: none none none solid; border-left-width: 1pt; border-left-color: rgb(204, 204, 204); padding: 0in 0in 0in 6pt; margin: 5pt 0in 5pt 4.8pt; "><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Who do you want to say something about the “session strength” to?</span><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><a name="14074c0899fe6c6d_140747b73768f0df_140743"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span></a><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">From:</span></b><span style="font-size: 11pt; font-family: Calibri, sans-serif; "><span class="Apple-converted-space"> </span><a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline; ">openid-specs-ab-bounces@lists.openid.net</a><span class="Apple-converted-space"> </span>[mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline; ">openid-specs-ab-bounces@lists.openid.net</a>]<b>On Behalf Of<span class="Apple-converted-space"> </span></b>Tim Bray<br><b>Sent:</b><span class="Apple-converted-space"> </span>Monday, August 12, 2013 1:05 PM<br><b>To:</b><span class="Apple-converted-space"> </span><<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline; ">openid-specs-ab@lists.openid.net</a>><br><b>Subject:</b><span class="Apple-converted-space"> </span>[Openid-specs-ab] acr values</span><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div><div><div><div><div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">In our IDP role, we’re coming under a lot of pressure to say something about “session strength” and maybe in some circumstances force re-auth and so on. There are a lot of different vocabularies in play that you could use to talk about this stuff, including NIST and ISO publications; and the work of the Fido alliance is maybe interesting. So I expect a lot of churn in this space, and OIDC needs to allow sufficient elbow room.<o:p></o:p></p></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">So, the purpose of this note is to confirm my understandings, based on looking at the OIDC Messages draft. Do people agree with these?<o:p></o:p></p></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">- It’s perfectly OK to provide any old URI we dream up as a value for the “acr” claim.<o:p></o:p></p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">- There may be awkwardness around multiple values; suppose I wanted to assert, for example, that the session is less than ten minutes old AND two-factor authent was used. All I can think of is composing a URI along the lines of urn:google-auth-claims?max-age=10&two-factor=true; which is a little kludgy but I guess OK. Awkward, though, in the case where there’s a Fido vocabulary for 2-factor-flavor and someone else’s vocabulary for session-freshness.<o:p></o:p></div></div></div></blockquote></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline; ">Openid-specs-ab@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" style="color: purple; text-decoration: underline; ">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></div></blockquote></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div></div></blockquote></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div></div></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><br>_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" style="color: purple; text-decoration: underline; ">Openid-specs-ab@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" style="color: purple; text-decoration: underline; ">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><br clear="all"><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">--<span class="Apple-converted-space"> </span><br><strong><span style="font-size: 9pt; font-family: Tahoma, sans-serif; color: rgb(52, 54, 52); ">Pamela Dingle</span></strong><span style="font-size: 9pt; font-family: Tahoma, sans-serif; color: rgb(52, 54, 52); "> | Sr. Technical Architect</span><span style="font-size: 7.5pt; font-family: Tahoma, sans-serif; color: rgb(42, 42, 42); "><br></span><strong><span style="font-size: 8.5pt; font-family: Tahoma, sans-serif; color: rgb(52, 54, 52); ">Ping</span></strong><strong><span style="font-size: 8.5pt; font-family: Tahoma, sans-serif; color: rgb(231, 25, 57); ">Identity</span></strong><span style="font-size: 8.5pt; font-family: Arial, sans-serif; color: rgb(42, 42, 42); "> | <span class="Apple-converted-space"> </span><a href="http://www.pingidentity.com" target="_blank" style="color: purple; text-decoration: underline; ">www.pingidentity.com</a><br>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br></span><strong><span style="font-size: 8.5pt; font-family: Arial, sans-serif; color: rgb(0, 85, 104); ">O:</span></strong><span style="font-size: 8.5pt; font-family: Arial, sans-serif; color: rgb(42, 42, 42); "> </span><span style="font-size: 8.5pt; font-family: Arial, sans-serif; color: rgb(52, 54, 52); ">303-999-5890</span><span style="font-size: 8.5pt; font-family: Arial, sans-serif; color: rgb(42, 42, 42); "> </span><strong><span style="font-size: 8.5pt; font-family: Arial, sans-serif; color: rgb(0, 85, 104); ">M:</span></strong><span style="font-size: 8.5pt; font-family: Arial, sans-serif; color: rgb(42, 42, 42); "> </span><span style="font-size: 8.5pt; font-family: Arial, sans-serif; color: rgb(52, 54, 52); ">303-999-5890</span><span style="font-size: 8.5pt; font-family: Arial, sans-serif; color: rgb(42, 42, 42); "><br></span><strong><span style="font-size: 8.5pt; font-family: Arial, sans-serif; color: rgb(0, 85, 104); ">Email:</span></strong><span style="font-size: 8.5pt; font-family: Arial, sans-serif; color: rgb(42, 42, 42); "> <a href="mailto:pdingle@pingidentity.com" target="_blank" style="color: purple; text-decoration: underline; ">pdingle@pingidentity.com</a><br>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<o:p></o:p></span></div><table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0"><tbody><tr><td nowrap="" valign="top" style="padding: 0in; "><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><strong><span style="font-size: 8.5pt; font-family: Arial, sans-serif; color: rgb(0, 85, 104); ">Connect with Ping</span></strong><span style="font-size: 8.5pt; font-family: Arial, sans-serif; "><br><span style="">Twitter: @pingidentity</span><br><span style="">LinkedIn Group: Ping's Identity Cloud</span> <br><span style=""><a href="http://Facebook.com/pingidentitypage">Facebook.com/pingidentitypage</a></span></span><o:p></o:p></div></td><td nowrap="" valign="top" style="padding: 0in; "><div style="margin-left: 15pt; "><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><strong><span style="font-size: 8.5pt; font-family: Arial, sans-serif; color: rgb(0, 85, 104); ">Connect with me</span></strong><span style="font-size: 8.5pt; font-family: Arial, sans-serif; "><br><span style="">Twitter: @pamelarosiedee</span></span><o:p></o:p></div></div></td></tr></tbody></table><p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "></p></div></div></div></blockquote></div><br></div></body></html>