<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Helvetica, Arial, sans-serif">I think there is a
difference between "verified age" (as in birth certificate) and "registered
age" (as in the age specified by the user when they signed up with
the IdP). For many things, "registered age" is sufficient. I
understand for some things a "verified age" is required.<br>
<br>
I agree that in the "verified age" category, there are a number of
issues that would have to be addressed. For my use cases
"registered age" is sufficient.<br>
<br>
Nat, are the Japanese MNOs actually verifying the "user" of the
phone, or the purchaser of the phone? Is the age verified via
something like a driver's license or birth certificate, or just
what the user said their age is?<br>
<br>
Thanks,<br>
George<br>
</font><br>
<div class="moz-cite-prefix">On 11/8/16 11:21 AM, Nat Sakimura
wrote:<br>
</div>
<blockquote
cite="mid:CABzCy2DYPgK=dJSVY-FPa1Q_0Z0pf9FcZOp3DtbK=nbbg6xO4g@mail.gmail.com"
type="cite">
<div dir="ltr">Japanese MNOs are providing it as part of child
protection.
<div><br>
</div>
<div>Nat</div>
<div><br>
<div class="gmail_quote">
<div dir="ltr">On Wed, Nov 9, 2016 at 12:59 AM John Bradley
via Openid-specs-ab <<a moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word" class="gmail_msg">I
don’t know of anyone providing a validated age at this
point.
<div class="gmail_msg">Most people are asking for age.</div>
<div class="gmail_msg"><br class="gmail_msg">
</div>
<div class="gmail_msg">Even for MNO validated age is
complicated because you have people who are using the
phone on a family plan that are not the account
holder. </div>
<div class="gmail_msg">It needs a bunch of backend
account management work to create and validate
attributes for someone other than the primary account
holder,</div>
<div class="gmail_msg">and even that can be dodgy as
lots of people have phones on their parents' credit
cards/identity. </div>
<div class="gmail_msg"><br class="gmail_msg">
</div>
<div class="gmail_msg">That may wind up being something
that someone like a civil registry or driver's licence
would provide as a distributed or aggregated claim.</div>
<div class="gmail_msg"><br class="gmail_msg">
</div>
<div class="gmail_msg">John B.</div>
</div>
<div style="word-wrap:break-word" class="gmail_msg">
<div class="gmail_msg"><br class="gmail_msg">
<div class="gmail_msg">
<blockquote type="cite" class="gmail_msg">
<div class="gmail_msg">On Nov 8, 2016, at 12:53
PM, George Fletcher <<a
moz-do-not-send="true"
href="mailto:gffletch@aol.com"
class="gmail_msg" target="_blank">gffletch@aol.com</a>>
wrote:</div>
<br
class="m_-5484296798571224005Apple-interchange-newline
gmail_msg">
<div class="gmail_msg">
<div bgcolor="#FFFFFF" text="#000000"
class="gmail_msg"> <font class="gmail_msg"
face="Helvetica, Arial, sans-serif">A new
claim would be fine. I am trying to be a
"good" RP and only ask for what is needed :)
I do agree that with the operator mechanism,
it's easy to find the age so maybe what Marc
suggested would be the easiest. A new claim
for age with an expected response of an
integer. And maybe the claim is just not
returned if the OP doesn't have a value to
provide. This would also allow the user to
not send their age via the consent flow.<br
class="gmail_msg">
<br class="gmail_msg">
How are other RPs dealing with this issue?
Using the existing 'birthdate' claim?<br
class="gmail_msg">
<br class="gmail_msg">
Thanks,<br class="gmail_msg">
George<br class="gmail_msg">
</font><br class="gmail_msg">
<div
class="m_-5484296798571224005moz-cite-prefix
gmail_msg">On 11/8/16 10:43 AM, John Bradley
wrote:<br class="gmail_msg">
</div>
<blockquote type="cite" class="gmail_msg">
<pre class="gmail_msg">It would likely need to be a new claim to avoid stepping on existing semantics.
Claim request can be an object. The only elements that we have reserved are "essential", "value" and "values"; nothing stops us from defining an operator for one or more claims.
The default operator is equals, e.g.
"sub": {"value": "248289761001"}
We could have a new verified_age { "essential": true, "value": 18, "op": "ge" }
Return true or false.
With operators lt, le, eq, ge, gt or something like that.
That would let the RP specify what they need as an adult in their jurisdiction.
On the other hand, if people are handing out verified birthdates anyway this may be more work than it is worth.
Are people more likely to consent to giving out "are you over 18" vs birthdate?
The downside of letting people ask for a year is that they can ask multiple times to find the year, so perhaps you would make them register the value for their area to prevent that.
John B.
</pre>
<blockquote type="cite" class="gmail_msg">
<pre class="gmail_msg">On Nov 8, 2016, at 10:55 AM, George Fletcher via Openid-specs-ab <a moz-do-not-send="true" class="m_-5484296798571224005moz-txt-link-rfc2396E gmail_msg" href="mailto:openid-specs-ab@lists.openid.net" target="_blank"><openid-specs-ab@lists.openid.net></a> wrote:
I've heard that the GSMA Mobile Connect effort has this use case as part of the "extended data attributes" use cases and I am curious how it's going to get solved. I completely agree with your assessment of what the spec allows, hence my question to the group :)
Specific claims would be very tedious.
I suppose the spec could be updated to allow operators instead of just the "essential" keyword.
"age": {">": 12}
Though that implies a well thought out filter mechanism and loses the ability to specify the claim as "essential".
So short term I can easily make this an RP/OP-specific feature, but it seems like something more people are going to need.
Thanks,
George
On 11/8/16 8:25 AM, <a moz-do-not-send="true" class="m_-5484296798571224005moz-txt-link-abbreviated gmail_msg" href="mailto:Axel.Nennker@telekom.de" target="_blank">Axel.Nennker@telekom.de</a> wrote:
</pre>
<blockquote type="cite" class="gmail_msg">
<pre class="gmail_msg">I think that computations on claim values are not possible with the current spec.
You can only ask for proprietary claims and RP and OP would need to agree on this OOB.
Changing the example from
<a moz-do-not-send="true" class="m_-5484296798571224005moz-txt-link-freetext gmail_msg" href="http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter</a>
{
"userinfo":
{
"given_name": {"essential": true},
"nickname": null,
"email": {"essential": true},
"email_verified": {"essential": true},
"picture": null,
<a moz-do-not-send="true" class="m_-5484296798571224005moz-txt-link-rfc2396E gmail_msg" href="https://schemas.xmlsoap.org/ws/2005/05/identity/claims/over18" target="_blank">"https://schemas.xmlsoap.org/ws/2005/05/identity/claims/over18"</a>
: {"essential": true} /* :-) */
},
"id_token":
{
"auth_time": {"essential": true},
"acr": {"values": ["urn:mace:incommon:iap:silver"] }
}
}
We had discussions in the OASIS IMI (RIP) where Microsoft proposed using U-Prove for exactly that kind of request.
<a moz-do-not-send="true" class="m_-5484296798571224005moz-txt-link-freetext gmail_msg" href="https://wiki.oasis-open.org/imi/" target="_blank">https://wiki.oasis-open.org/imi/</a>
There was a proposed variant of WS-* making U-Prove possible that added one more roundtrip compared to the WS-* that was needed in InfoCards.
In general you don't know what the RP is going to ask (age>18) or (age<14) so solving this with fixed attributes is tedious and market specific.
Are you going to provide text for this query language to add to
<a moz-do-not-send="true" class="m_-5484296798571224005moz-txt-link-freetext gmail_msg" href="http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter</a>
?
Cheers
Axel
<a moz-do-not-send="true" class="m_-5484296798571224005moz-txt-link-freetext gmail_msg" href="http://www.theregister.co.uk/2006/03/28/infocard_identity/" target="_blank">http://www.theregister.co.uk/2006/03/28/infocard_identity/</a>
<a moz-do-not-send="true" class="m_-5484296798571224005moz-txt-link-freetext gmail_msg" href="http://self-issued.info/?m=200806" target="_blank">http://self-issued.info/?m=200806</a>
-----Original Message-----
From: Openid-specs-ab [
<a moz-do-not-send="true" class="m_-5484296798571224005moz-txt-link-freetext gmail_msg" href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">mailto:openid-specs-ab-bounces@lists.openid.net</a>
] On Behalf Of George Fletcher via Openid-specs-ab
Sent: Friday, November 04, 2016 8:32 PM
To:
<a moz-do-not-send="true" class="m_-5484296798571224005moz-txt-link-abbreviated gmail_msg" href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>
Subject: [Openid-specs-ab] How to use OIDC claims as an identity oracle
Hi,
As a relying party, I'd love to be able to ask the OpenID Provider whether the user authenticating is over a particular age. This could be used in many use cases. However, when I look at the spec, there is only a provided claim name of 'birthdate'. I don't really want the user's birth date, just an assertion that the user is over a particular age.
I don't see a way to do this via the OIDC claim mechanism. Any thoughts on how an RP may make such a request?
Thanks,
George
_______________________________________________
Openid-specs-ab mailing list
<a moz-do-not-send="true" class="m_-5484296798571224005moz-txt-link-abbreviated gmail_msg" href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a>
<a moz-do-not-send="true" class="m_-5484296798571224005moz-txt-link-freetext gmail_msg" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
</blockquote>
</blockquote>
<br class="gmail_msg">
</div>
</div>
</blockquote>
</div>
<br class="gmail_msg">
</div>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="ltr">-- <br>
</div>
<div data-smartmail="gmail_signature">
<p dir="ltr">Nat Sakimura</p>
<p dir="ltr">Chairman of the Board, OpenID Foundation</p>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Distinguished Engineer
Identity Services Engineering Work: <a class="moz-txt-link-abbreviated" href="mailto:george.fletcher@teamaol.com">george.fletcher@teamaol.com</a>
AOL Inc. AIM: gffletch
Mobile: +1-703-462-3494 Twitter: <a class="moz-txt-link-freetext" href="http://twitter.com/gffletch">http://twitter.com/gffletch</a>
Office: +1-703-265-2544 Photos: <a class="moz-txt-link-freetext" href="http://georgefletcher.photography">http://georgefletcher.photography</a>
</pre>
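<p>As an added illustration (not code from the thread or from any OpenID project) of how an OP could evaluate John's proposed operator form of the claims request, the sketch below computes the boolean from a verified birthdate without releasing the date itself, omits the claim when the OP has no value (George's suggestion), and applies John's mitigation of rejecting any threshold other than the one the RP registered, so an RP cannot probe for the exact year. The function names, the "registered threshold" parameter and the sample dates are assumptions for the example.</p>

```python
from datetime import date
import operator

# Comparison operators named in John's proposal: lt, le, eq, ge, gt.
OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
       "ge": operator.ge, "gt": operator.gt}


def age_on(birthdate: date, today: date) -> int:
    """Completed years of age on `today` (a birthday not yet reached counts one less)."""
    years = today.year - birthdate.year
    if (today.month, today.day) < (birthdate.month, birthdate.day):
        years -= 1
    return years


def evaluate_verified_age(request: dict, birthdate, today: date,
                          registered_threshold=None):
    """Evaluate {"verified_age": {"essential": ..., "value": N, "op": "ge"}}.

    Returns True/False, or None when the claim must be omitted: the OP has no
    verified birthdate, the request is malformed (unknown op, non-integer
    value), or the RP asked for a threshold other than the one registered
    for it (hypothetical per-RP setting, John's anti-probing idea).
    """
    spec = request.get("verified_age")
    if not isinstance(spec, dict):
        return None
    op = OPS.get(spec.get("op", "eq"))          # default operator is equals
    value = spec.get("value")
    if op is None or type(value) is not int:    # bool is an int subclass; reject it
        return None
    if registered_threshold is not None and value != registered_threshold:
        return None
    if birthdate is None:
        return None
    return op(age_on(birthdate, today), value)


def userinfo_claims(request: dict, birthdate, today: date,
                    registered_threshold=None) -> dict:
    """Build the userinfo claims; the claim is simply absent when undecidable."""
    result = evaluate_verified_age(request, birthdate, today, registered_threshold)
    return {} if result is None else {"verified_age": result}


if __name__ == "__main__":
    # Constructed sample: RP registered an 18+ threshold, user born 9 Nov 1998.
    req = {"verified_age": {"essential": True, "value": 18, "op": "ge"}}
    print(userinfo_claims(req, date(1998, 11, 9), date(2016, 11, 8), 18))   # {'verified_age': False}
```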
</body>
</html>