<p dir="ltr">I always had the more XML pattern in mind where we would add an operator element to the claim object, e.g. "OP": and define values for "includes", ">=", etc.</p>
<p dir="ltr">Rather than expand on value and values. </p>
<p dir="ltr">I could live with it either way, and would favor whatever is easiest to parse for developers. </p>
<p dir="ltr">It is worth talking about. Sometimes you want just a Y/N back. </p>
<p dir="ltr">There are privacy issues to consider. Some argue that if the RP already has the info and is just validating it then they don't need to ask for consent. This is the slippery slope to becoming a data broker. </p>
<p dir="ltr">We would also need to work on privacy guidance around notifying users that attributes are being confirmed. </p>
<p dir="ltr">We already have an example of this with email address, when it is sent as the user hint and it is sent back in the id_token as an attribute without explicit release by the user at some IdP. </p>
<p dir="ltr">I understand the logic but don't know that it is a good precedent for age or address etc. </p>
<p dir="ltr">John B. <br>
</p>
<div class="gmail_extra"><br><div class="gmail_quote">On Nov 13, 2016 10:40, "Justin Richer via Openid-specs-ab" <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">This is an interesting problem, and it aligns with some of the language in the new version of NIST 800-63 (version 3 volume C) about “attribute values” vs. “attribute claims/references” (note: we’re still arguing over those names). Basically, where possible, the RPs want a way to ask for confirmation of a value (such as age check) without getting at the underlying data to make that calculation (like a birthdate). A general purpose mechanism for this kind of query and response would be generally useful, I believe.<br>
<br>
I rather like George’s proposed {essential: true, “>”: 18} approach, where “>” replaces “value”, which is the “==” operator.<br>
<br>
— Justin<br>
<br>
> On Nov 5, 2016, at 4:32 AM, George Fletcher via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.<wbr>net</a>> wrote:<br>
><br>
> Hi,<br>
><br>
> As a relying party, I'd love to be able to ask the OpenID Provider whether the user authenticating is over a particular age. This could be used in many use cases. However, when I look at the spec, there is only a provided claim name of 'birthdate'. I don't really want the user's birth date, just an assertion that the user is over a particular age.<br>
><br>
> I don't see a way to do this via the OIDC claim mechanism. Any thoughts on how an RP may make such a request?<br>
><br>
> Thanks,<br>
> George<br>
> ______________________________<wbr>_________________<br>
> Openid-specs-ab mailing list<br>
> <a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.<wbr>net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/<wbr>mailman/listinfo/openid-specs-<wbr>ab</a><br>
<br>
</blockquote></div></div>
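<p dir="ltr">The operator-style request discussed in this thread, as an added example (not code from the participants or from any OpenID specification): an OP evaluates the proposed {essential: true, ">": 18} shape against a stored birthdate and releases only a yes/no answer. The "age" claim name, the set of operator keys and all function names are assumptions.</p>

```python
# Added illustration. The "age" claim name and the operator members are
# assumptions modelled on the {essential: true, ">": 18} shape proposed in
# the thread; OpenID Connect Core defines none of them.
import operator
from datetime import date

# Members that may replace "value" (which is the "==" case).
OPERATORS = {"value": operator.eq, ">": operator.gt, ">=": operator.ge,
             "<": operator.lt, "<=": operator.le}


def age_on(birthdate: date, today: date) -> int:
    """Whole years completed on `today`."""
    had_birthday = (today.month, today.day) >= (birthdate.month, birthdate.day)
    return today.year - birthdate.year - (0 if had_birthday else 1)


def evaluate_age_request(request: dict, birthdate, today: date):
    """Return True/False for the predicate, or None if no birthdate is held.

    Only the boolean leaves this function; the birthdate is never returned.
    """
    ops = [k for k in request if k in OPERATORS]
    if len(ops) != 1:
        raise ValueError("exactly one comparison member is required")
    threshold = request[ops[0]]
    if isinstance(threshold, bool) or not isinstance(threshold, int):
        raise ValueError("threshold must be an integer number of years")
    if birthdate is None:
        return None  # no data on file: omit the claim rather than guess
    return OPERATORS[ops[0]](age_on(birthdate, today), threshold)


def build_claims(claims_request: dict, birthdate, today: date) -> dict:
    """Answer the hypothetical "age" entry of an id_token claims request."""
    out = {}
    entry = claims_request.get("id_token", {}).get("age")
    if entry is not None:
        result = evaluate_age_request(entry, birthdate, today)
        if result is not None:
            out["age"] = result
    return out


# Constructed sample request, not taken from a real RP.
SAMPLE_REQUEST = {"id_token": {"age": {"essential": True, ">": 18}}}
```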