<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
FYI - we have implemented a proprietary claim, which tells the RP
the user is over 18. Our current implementation attests this boolean
claim only if the age of the respective user had been verified in
accordance with the relevant rules.<br>
<br>
For a general solution, I would prefer to handle claim
representation (I don't mind whether this is a simple value or a
value computed using a highly sophisticated query language :-)) and
the information about the verification of the underlying data
separately. We had a discussion about this topic during our last
joint MODRNA/Mobile Connect workshop. The conclusion was: let's have
new claims for new attributes or attributes with different
semantics, and let's represent the data about the
verification/validation explicitly.<br>
<br>
best regards,<br>
Torsten.<br>
<div class="moz-cite-prefix">On 13.11.2016 at 15:53, John
Bradley via Openid-specs-ab wrote:<br>
</div>
<blockquote
cite="mid:CAANoGh+acnLVfiaSLki7Rbim_i4o1D6_j8jMm_QtGUnMQhhTUQ@mail.gmail.com"
type="cite">
<p dir="ltr">I always had the more XML pattern in mind where we
would add an operator element to the claim object, e.g. "OP": and
define values for "includes", ">=" etc.</p>
<p dir="ltr">Rather than expand on value and values. </p>
<p dir="ltr">I could live with it either way, and would favor
whatever is easiest to parse for developers. </p>
<p dir="ltr">It is worth talking about. Sometimes you want just a
Y/N back. </p>
<p dir="ltr">There are privacy issues to consider. Some argue
that if the RP already has the info and is just validating it
then they don't need to ask for consent. This is the slippery
slope to becoming a data broker. </p>
<p dir="ltr">We would also need to work on privacy guidance around
notifying users that attributes are being confirmed. </p>
<p dir="ltr">We already have an example of this with email
address, when it is sent as the user hint and it is sent back in
the id_token as an attribute without explicit release by the user
at some IdP. </p>
<p dir="ltr">I understand the logic but don't know that it is a
good precedent for age or address etc. </p>
<p dir="ltr">John B. <br>
</p>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Nov 13, 2016 10:40, "Justin Richer
via Openid-specs-ab" <<a moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">This is an
interesting problem, and it aligns with some of the language
in the new version of NIST 800-63 (version 3 volume C) about
“attribute values” vs. “attribute claims/references” (note:
we’re still arguing over those names). Basically, where
possible, the RPs want a way to ask for confirmation of a
value (such as age check) without getting at the underlying
data to make that calculation (like a birthdate). A general
purpose mechanism for this kind of query and response would
be generally useful, I believe.<br>
<br>
I rather like George’s proposed {essential: true, “>”:
18} approach, where “>” replaces “value”, which is the
“==” operator.<br>
<br>
— Justin<br>
<br>
> On Nov 5, 2016, at 4:32 AM, George Fletcher via
Openid-specs-ab <<a moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>>
wrote:<br>
><br>
> Hi,<br>
><br>
> As a relying party, I'd love to be able to ask the
OpenID Provider whether the user authenticating is over a
particular age. This could be used in may use cases.
However, when I look at the spec, there is only a provided
claim name of 'birthdate'. I don't really want the user's
birth date, just an assertion that the user is over a
particular age.<br>
><br>
> I don't see a way to do this via the OIDC claim
mechanism. Any thoughts on how a RP may make such a request?<br>
><br>
> Thanks,<br>
> George<br>
> _______________________________________________<br>
> Openid-specs-ab mailing list<br>
> <a moz-do-not-send="true"
href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
> <a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br>
</blockquote>
</div>
</div>
</blockquote>
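<p>The thread above sketches two ideas: George and Justin's comparison operator inside the claim object ({"essential": true, ">": 18}), and Torsten's point that such a boolean should only be attested when the underlying attribute has been verified, with the verification status represented explicitly rather than folded into the value. The following is an added illustration of how an OpenID Provider could evaluate such a claims request; it is example code written for this page, not code from any of the posters or from the OpenID specifications. The user record, the rule that comparisons on "birthdate" are made against the derived age in years, the placement of the boolean under the requested claim name, and the separate "&lt;claim&gt;_verified" member are all assumptions made for the example.</p>

```python
import datetime as dt
from typing import Any, Callable, Dict, Optional

# Constructed OP-side user record (example data, not from the thread).
# Each attribute carries its own "verified" flag so that the verification
# status is represented separately from the attribute value (assumption).
USER_RECORD: Dict[str, Dict[str, Any]] = {
    "birthdate": {"value": "1990-06-15", "verified": True},
    "email": {"value": "alice@example.com", "verified": False},
}

# Operators placed directly in the claim object, following the
# {"essential": true, ">": 18} shape discussed in the thread. "value" and
# "values" are the standard OIDC members and are treated as equality and
# set membership respectively.
COMPARISONS: Dict[str, Callable[[Any, Any], bool]] = {
    ">": lambda actual, wanted: actual > wanted,
    ">=": lambda actual, wanted: actual >= wanted,
    "<": lambda actual, wanted: actual < wanted,
    "<=": lambda actual, wanted: actual <= wanted,
    "value": lambda actual, wanted: actual == wanted,
    "values": lambda actual, wanted: actual in wanted,
}


def age_on(birthdate_iso: str, today: dt.date) -> int:
    """Whole years between an ISO-8601 birthdate and `today`."""
    born = dt.date.fromisoformat(birthdate_iso)
    years = today.year - born.year
    if (today.month, today.day) < (born.month, born.day):
        years -= 1
    return years


def comparable_value(name: str, raw: Any, today: dt.date) -> Any:
    """The value an operator is applied to. For "birthdate" the RP is asking
    about age in years, so the comparison uses the derived age (assumption)."""
    if name == "birthdate":
        return age_on(raw, today)
    return raw


def evaluate_claim(name: str, spec: Optional[Dict[str, Any]],
                   record: Dict[str, Dict[str, Any]],
                   today: dt.date) -> Optional[Dict[str, Any]]:
    """Return the ID Token members the OP may issue for one requested claim,
    or None if nothing should be issued."""
    attribute = record.get(name)
    if attribute is None:
        return None
    # Standard OIDC: a null spec, or one without operators, asks for the
    # attribute itself (consent handling is outside this example).
    operators = [k for k in (spec or {}) if k in COMPARISONS]
    if not operators:
        return {name: attribute["value"]}
    # An assertion about the attribute is only attested when the underlying
    # data has been verified; otherwise the claim is omitted entirely, so
    # the RP learns neither the answer nor the raw value.
    if not attribute["verified"]:
        return None
    actual = comparable_value(name, attribute["value"], today)
    result = all(COMPARISONS[op](actual, spec[op]) for op in operators)
    # The boolean replaces the raw value under the requested claim name and
    # the verification status travels in a separate member (both assumptions).
    return {name: result, f"{name}_verified": attribute["verified"]}


def build_id_token_claims(claims_request: Dict[str, Any],
                          record: Dict[str, Dict[str, Any]],
                          today: dt.date) -> Dict[str, Any]:
    """Evaluate the "id_token" section of an OIDC claims request parameter."""
    out: Dict[str, Any] = {}
    for name, spec in claims_request.get("id_token", {}).items():
        part = evaluate_claim(name, spec, record, today)
        if part is not None:
            out.update(part)
    return out


if __name__ == "__main__":
    today = dt.date(2016, 11, 13)
    request = {"id_token": {"birthdate": {"essential": True, ">": 18}}}
    print(build_id_token_claims(request, USER_RECORD, today))
```

<p>With the constructed record, the over-18 request yields a boolean plus its verification marker and never exposes the birthdate, while the same request against an unverified attribute yields nothing at all; an RP that wants the raw value still has to ask for it with the plain OIDC form and go through the normal release path.</p>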
<br>
</body>
</html>